New-generation alarm systems that send real-time text alerts and other digital notifications if an intruder tries to breach a property offer homeowners a great sense of security. Except when thieves can easily undermine the system to trick homeowners into thinking they’re protected when they’re not.
Philip Bosco, a security researcher at Rapid7, found vulnerabilities in Comcast’s Xfinity Home Security system that would cause it to falsely report that a property’s windows and doors are closed and secured even if they’ve been opened; it could also fail to sense an intruder’s motion.
The system uses a ZigBee-based protocol to communicate and operate over the 2.4 GHz radio frequency band. All a thief has to do is use radio jamming equipment to block the signals that pass from a door, window, or motion sensor to the home’s baseband hub, according to Tod Beardsley, security research manager for Rapid7. The system fails to recognize when communication is halted and also “fails positive” instead of alerting the homeowner to a negative condition—that is, it will continue reporting that all sensors are intact and that windows and doors are secured even if they’re not, instead of warning homeowners to check the window or door.
Once the jamming ceases, it can take the sensors anywhere from a few minutes to three hours to re-establish communication with the hub. And once they do, the base station hub, which has a digital readout, provides no indication that conditions changed during that period.
Comcast gives its home security system customers a sign to put on their lawn indicating that Xfinity systems secure their homes—making them easy targets for thieves who know about the vulnerabilities.
“There’s no indicator to the user that something bad happened or something unusual—that it was being jammed for 20 minutes or whatever,” says Beardsley. “The sensor says ‘everything is cool, everything is cool,’ and then it stops talking, and the base station says ‘I guess everything is [still] cool’.”
And once the sensor for a door or window comes back online, “There’s no clue to let the base station know, ‘While you weren’t acknowledging any of my signals, I was open.’”
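The two gaps described above (the hub keeps reporting the last known state while a sensor is silent, and nothing records what happened during the silence) can be contrasted with a supervised, fail-closed design in a short simulation. This is an added example, not Comcast's or Rapid7's code; the `Hub` class, the 120-second timeout, the `missed_events` queue and the timeline are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

SUPERVISION_TIMEOUT_S = 120  # assumed: longest silence tolerated before a sensor counts as lost

@dataclass
class Hub:
    fail_closed: bool                               # False models the behaviour the article describes
    state: dict = field(default_factory=dict)       # sensor -> last reported "open"/"closed"
    last_seen: dict = field(default_factory=dict)   # sensor -> time of last frame received
    alerts: list = field(default_factory=list)

    def on_frame(self, sensor, now, status, missed_events=()):
        """Process a frame; missed_events are changes the sensor queued while unacknowledged."""
        gap = now - self.last_seen.get(sensor, now)
        if self.fail_closed:
            if gap > SUPERVISION_TIMEOUT_S:
                self.alerts.append(f"{sensor}: back after {gap}s of silence")
            for t, event in missed_events:
                self.alerts.append(f"{sensor}: was {event} at t={t} during outage")
        self.state[sensor] = status
        self.last_seen[sensor] = now

    def report(self, sensor, now):
        """What the homeowner is shown for this sensor at time `now`."""
        silent = now - self.last_seen[sensor] > SUPERVISION_TIMEOUT_S
        if self.fail_closed and silent:
            return "UNKNOWN - check sensor"   # never vouch for a sensor that has gone quiet
        return self.state[sensor]             # fail-open hub repeats stale state

def simulate(fail_closed):
    """Constructed timeline: link lost from t=60 to t=1260; door opens at 300, closes at 900."""
    hub = Hub(fail_closed)
    hub.on_frame("front-door", 0, "closed")
    during = hub.report("front-door", 600)
    hub.on_frame("front-door", 1260, "closed",
                 missed_events=[(300, "open"), (900, "closed")])
    return during, hub.report("front-door", 1270), hub.alerts

if __name__ == "__main__":
    print("fail-open  :", simulate(False))
    print("fail-closed:", simulate(True))
```

In the fail-open run the homeowner sees "closed" throughout and no alert is ever recorded; in the fail-closed run the same timeline yields an unknown status during the silence and a record of the door opening once the sensor reconnects.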