Photo by Matt Cardy/Getty Images
New-generation alarm systems that send real-time text alerts and other digital notifications if an intruder tries to breach a property offer homeowners a great sense of security. Except when thieves can easily undermine the system to trick homeowners into thinking they’re protected when they’re not.
Security researchers at Rapid7 have found vulnerabilities in Comcast’s Xfinity Home Security system that would cause it to falsely report that a property’s windows and doors are closed and secured even if they’ve been opened; it could also fail to sense an intruder’s motion.
The system uses a ZigBee-based protocol to communicate and operate over the 2.4 GHz radio frequency band. All a thief has to do is use radio-jamming equipment to block the signals that pass from a door, window, or motion sensor to the home’s baseband hub, according to Tod Beardsley, security research manager for Rapid7. The system fails to recognize when communication is halted and also “fails positive” instead of alerting the homeowner to a negative condition—that is, it will continue reporting that all sensors are intact and that windows and doors are secured even if they’re not, instead of warning homeowners to check the window or door.
Once the jamming ceases, it can take the sensors anywhere from a few minutes to three hours to re-establish communication with the hub. And once they do, the base station hub, which has a digital readout, provides no indication that conditions changed during that period.
“There’s no indicator to the user that something bad happened or something unusual—that it was being jammed for 20 minutes or whatever, ” says Beardsley. “The sensor says ‘everything is cool, everything is cool, ’ and then it stops talking, and the base station says ‘I guess everything is [still] cool.’ ”
And once the sensor for a door or window comes back online, “There’s no clue to let the base station know, ‘While you weren’t acknowledging any of my signals, I was open.’ ”
It makes sense for the system to ignore minor communication breaks, because “you don’t want these to alert and go off every time you turn on the microwave, ” Beardsley notes. “But this kind of device should fail ‘closed’ rather than ‘open’ and at least have some kind of amber light on them [to signal that] something is wrong.”
The fact that it can take hours for the sensors to re-establish communication after a break is also a failure, Beardsley says. “I would expect several seconds to minutes offline-ness built in, but many minutes to hours seems like a bunch of software failures are colliding here, ” he says.
Even more problematic, Comcast gives its home security system customers signs to put on their lawns indicating that an Xfinity system is securing their property—making them easy targets for thieves who know about the vulnerabilities. “The sign that is designed to deter attackers can now become a sign that invites attackers, ” Beardsley says.
Homeowners can’t take any practical measures to mitigate their risk of an attack. But the vendor could easily fix the problem with a firmware patch that would instruct the system to send alerts when something is not OK with it. It’s unclear, however, if Comcast plans to issue a patch. Rapid7 sent email to Comcast on Nov. 2 to report the problem, but despite emailing several Xfinity addresses set up to receive security reports, the researchers received no reply. The researchers also notified CERT of the issue in late November. CERT, a cybersecurity research division of Carnegie Mellon University’s Software Engineering Institute, works with the Department of Homeland Security and the private sector on security issues. Art Manion, senior vulnerability analyst with CERT, told Wired that his group contacted the vendor Nov. 24 and again Dec. 10 but also got no response.
Comcast did not respond to a request for comment from Wired. But after our story published, a representative sent a statement saying, “Our home security system uses the same advanced, industry-standard technology as the nation’s top home security providers. The issue being raised is technology used by all home security systems that use wireless connectivity for door, window and other sensors to communicate.”