Security researchers at Rapid7 have found vulnerabilities in Comcast’s Xfinity Home Security system that would cause it to falsely report that a property’s windows and doors are closed and secured even if they’ve been opened. It could also fail to sense an intruder’s motion.
The system uses a ZigBee-based protocol to communicate and operate over the 2.4 GHz radio frequency band. All a thief has to do is use radio-jamming equipment to block the signals that pass from a door, window, or motion sensor to the home’s baseband hub, according to Tod Beardsley, security research manager for Rapid7.
The system fails to recognize when communication is halted and also “fails positive” instead of alerting the homeowner to a negative condition—that is, it will continue reporting that all sensors are intact and that windows and doors are secured even if they’re not, instead of warning homeowners to check the window or door.
Once the jamming ceases, it can take the sensors anywhere from a few minutes to three hours to re-establish communication with the hub. And once they do, the base station hub, which has a digital readout, provides no indication that conditions changed during that period.
Fixing the problem requires a software or firmware upgrade, Rapid7 says. Homeowners can’t take any practical measures to mitigate their risk of an attack. But the vendor could easily fix the problem with a firmware patch that would make the system send an alert when something is wrong, such as a sensor that has stopped communicating.
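As an added illustration of the kind of fix the article describes (code written for this page, not Comcast's or Rapid7's): a hypothetical hub-side supervision monitor that treats a silent sensor as "unknown" rather than secure, raises an alert when a sensor misses its check-in window, and records the length of the gap when communication returns so the homeowner is told the state was unknown. Sensor names and the heartbeat interval are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed supervision interval: each sensor must check in at least this often.
HEARTBEAT_S = 60


@dataclass
class SensorState:
    last_seen: float              # time of the last heartbeat received
    closed: bool                  # last reported contact state
    lost_since: Optional[float] = None   # start of an unreported gap, if any


class SupervisionMonitor:
    """Fail-closed supervision: silence is 'unknown', never 'secure'."""

    def __init__(self, heartbeat_s: float = HEARTBEAT_S) -> None:
        self.heartbeat_s = heartbeat_s
        self.sensors: Dict[str, SensorState] = {}
        # (time, sensor_id, event, gap_seconds_or_None)
        self.alerts: List[Tuple[float, str, str, Optional[float]]] = []

    def heartbeat(self, sensor_id: str, now: float, closed: bool) -> None:
        """Sensor checked in at `now` and reported its contact state."""
        st = self.sensors.setdefault(sensor_id, SensorState(now, closed))
        if st.lost_since is not None:
            # Communication restored: do not quietly return to "secure";
            # record how long the hub was blind to this sensor.
            self.alerts.append((now, sensor_id, "restored", now - st.lost_since))
            st.lost_since = None
        st.last_seen, st.closed = now, closed

    def tick(self, now: float) -> None:
        """Periodic hub check: flag every sensor past its heartbeat window."""
        for sid, st in self.sensors.items():
            if st.lost_since is None and now - st.last_seen > self.heartbeat_s:
                st.lost_since = st.last_seen
                self.alerts.append((now, sid, "supervisory_loss", None))

    def status(self, sensor_id: str, now: float) -> str:
        """'closed'/'open' only while supervised; otherwise 'unknown'."""
        st = self.sensors.get(sensor_id)
        if st is None or st.lost_since is not None:
            return "unknown"
        if now - st.last_seen > self.heartbeat_s:
            return "unknown"   # silent but not yet ticked: still not "secure"
        return "closed" if st.closed else "open"
```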
It’s unclear, however, if Comcast plans to issue a patch. Rapid7 sent email to Comcast on Nov. 2 to report the problem, but despite emailing several Xfinity addresses set up to receive security reports, the researchers received no reply.
The researchers also notified CERT of the issue in late November. CERT, a cybersecurity research division of Carnegie Mellon University’s Software Engineering Institute, works with the Department of Homeland Security and the private sector on security issues. Art Manion, senior vulnerability analyst with CERT, told Wired that his group contacted the vendor Nov. 24 and again Dec. 10 but also got no response.