Home intruders no longer need to come in through the kitchen window. Instead, they can waltz right in through the front door, even when a home is protected by an internet-connected alarm system. A vulnerability in Comcast’s Xfinity Home Security System could allow attackers to open protected doors and windows without triggering alarms, researchers with cybersecurity firm Rapid7 wrote in a blog post today.
The security bug relates back to the way in which the system’s sensors communicate with their home base station. Comcast’s system uses the popular ZigBee protocol, but doesn’t maintain the proper checks and balances, allowing a given sensor to go minutes or even hours without checking in. The biggest hurdle in exploiting the vulnerability is finding or building a radio jammer, which are illegal under federal law. Attackers can also circumvent alarms with a software-based de-authentication attack on the ZigBee protocol itself, although that method requires more expertise. Attackers would also need to know a house was using the Xfinity system before attempting to break in, a major hurdle in exploiting the finding.
The sensor had no memory of the break-in happening
To prove his findings, Rapid7 researcher Phil Bosco simulated a radio jamming attack on one of his system’s armed window sensors. While jamming the sensor's signal, he opened a monitored window. The sensor said it was armed, but it failed to detect anything out of the ordinary. But perhaps even more worrisome than the active intrusion itself is that the sensor had no memory of it happening and took anywhere from several minutes to three hours to come back online and reestablish communication with its home base.
The attack plays off a fundamental vulnerability in wireless devices. Anything that relies on wireless communication can be taken offline by a jamming attack. But Rapid7 was surprised by how poorly the Xfinity system responded in the aftermath of such an attack.
"Something designed for [physical] security should anticipate an active attacker because that’s the whole point of it, " Tod Beardsley, security research manager at Rapid7, told The Verge. "The fact that they don't do that is concerning."
This vulnerability doesn’t come as a complete surprise. Security researchers have consistently warned of the security implications in connected devices because getting a functioning device to market often precedes security considerations. Beyond providing a satisfying technology experience, developers need to also build in cybersecurity procedures, Beardsley says.