Comcast's Xfinity Home Security vulnerable, fail open flaw leaves homes exposed

Researchers say flaws would prevent system from alerting homeowners to unsecured doors or windows

Researchers at Rapid7 have disclosed vulnerabilities in Comcast's Xfinity Home Security offerings. The flaws cause the system to falsely report that a home's windows and doors are closed and secured, even if they've been opened.

Comcast's Xfinity Home Security system is one of the many next-generation alarm systems that are app controlled and promise to deliver real-time alerts and notifications to homeowners.

However, researchers at Rapid7 have discovered flaws that would cause Comcast's system to falsely report that a home's doors and windows are closed and properly secured, even if they've been opened. In addition, the flaws also mean that Comcast's system would fail to sense an intruder's motion in the home.

Rapid7's Phil Bosco discovered the flaws last September.

The root cause of the problem can be found in the ZigBee-based protocol used by Comcast's system to operate over the 2.4 GHz frequency band.

Bosco discovered that the Xfinity Home Security system does not fail closed with an assumption of an attack if radio communications are disrupted. Instead, the system fails open, reporting that all sensors are intact, doors are closed, and no motion is detected.

During a demonstration, Bosco placed a paired window/door sensor in tin foil shielding while the system was in an armed state. Bosco then removed the magnet from the sensor and opened the monitored entrance.

Once the magnet was removed, the sensor was unwrapped and placed within a few inches of the base station hub that controls the alarm system. The system continued to report that it was in an armed state.

"Rapid7 has determined that there are any number of techniques that could be used to cause interference or de-authentication of the underlying ZigBee-based communications protocol, such as commodity radio jamming equipment and software-based de-authentication attacks on the ZigBee protocol itself," a security brief from Rapid7 explains.

"There does not appear to be a limit to the duration of the failure in order to trigger a warning or other alert. In addition, when Rapid7 demonstrated the issue, they determined that the amount of time it takes for the sensor to re-establish communications with the base station and correctly report it is in an open state can range from several minutes to up to three hours."

There are no practical mitigations to the issue, Rapid7 says. A fix would require a software or firmware update to the base station to determine tolerance levels for radio failure conditions.

Comcast was notified about the vulnerability, but the company didn't respond to Rapid7 according to disclosure notes. CERT was made aware of the issue in November; they're expected to publish a technical note about the issue later today.

"I hope that during the CES hoopla this week, vendors take notice of these kinds of failure conditions and apply some basic security design to address them. IoT devices tend to be designed with the happy path in mind, and often don’t consider an active adversary," Rapid7's Tod Beardsley said in a statement to CSO.

"In any home automation solution, including security products like the Xfinity line, I would expect at least some kind of logging to be happening in the event of a failure. You don’t want these radio devices alerting every time they get a hiccup on transmission, but if there’s a prolonged outage, I would expect this condition to be anticipated and handled by the vendors of these devices."
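The supervision logic that the fix described above would add to the base station, shown as an added Python illustration (not Comcast's or Rapid7's code): a sensor that stays silent past a tolerance window is treated as "unknown" and logged rather than assumed closed, while a short hiccup is ignored. The 90-second window and the sensor names are assumed values.

```python
from typing import Dict, List, Tuple

# Assumed supervision window in seconds: an illustrative value, not Comcast's or Rapid7's.
DEFAULT_TIMEOUT_S = 90.0


class AlarmPanel:
    """Simplified base-station logic. With fail_closed=True a sensor silent longer than
    timeout_s is "unknown" and raises a supervision alert while armed; fail_closed=False
    mimics the fail-open behaviour above, trusting the last "closed" report indefinitely."""

    def __init__(self, timeout_s: float = DEFAULT_TIMEOUT_S, fail_closed: bool = True):
        self.timeout_s, self.fail_closed = timeout_s, fail_closed
        self.sensors: Dict[str, Tuple[float, str]] = {}  # id -> (last_seen, last_state)
        self.armed = False
        self.log: List[str] = []                         # prolonged-outage log

    def arm(self, now: float) -> None:
        self.armed = True

    def report(self, sensor_id: str, state: str, now: float) -> None:
        """Record a state report or heartbeat received over the radio link."""
        self.sensors[sensor_id] = (now, state)

    def sensor_status(self, sensor_id: str, now: float) -> str:
        last_seen, last_state = self.sensors[sensor_id]
        if self.fail_closed and now - last_seen > self.timeout_s:
            return "unknown"                             # stale: never assume "closed"
        return last_state

    def evaluate(self, now: float) -> str:
        """Return 'alarm', 'supervision_loss' or 'ok'; a disarmed panel is always 'ok'."""
        result = "ok"
        for sid in self.sensors if self.armed else ():
            status = self.sensor_status(sid, now)
            if status in ("open", "motion"):
                return "alarm"
            if status == "unknown":
                self.log.append(f"{now:.0f}s: {sid} silent > {self.timeout_s:.0f}s")
                result = "supervision_loss"
        return result


def jamming_scenario(fail_closed: bool, now: float = 240.0) -> str:
    """Constructed timeline: armed, last heartbeat at 60 s, radio silence until `now`."""
    panel = AlarmPanel(fail_closed=fail_closed)
    panel.report("front_door", "closed", now=0.0)
    panel.arm(now=5.0)
    panel.report("front_door", "closed", now=60.0)       # last heartbeat before link loss
    return panel.evaluate(now)
```

With fail_closed=True the three minutes of silence produce a supervision alert and a log entry; with fail_closed=False the panel keeps reporting "ok", which is the behaviour the researchers demonstrated.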
