Comcast’s XFINITY Home Security System can be readily exploited so it registers that doors and windows in customers’ homes are closed when they are actually open, Rapid7 has discovered.
Fixing the problem requires a software or firmware upgrade, Rapid7 says. Comcast hasn’t responded to Rapid7s November notifications about the flaw, the company says.
SHOCKER! Cape Cod cops find iPhone stun gun
Comcast hasn’t responded to an email asking for comment, but this story will be updated when it does.
The security system consists of a sensor placed at windows, doors and other locations to detect motion, and a base station. When the sensor is triggered, it notifies the base station, which alarms that there is an intrusion.
Rapid 7 researcher Phil Bosco removed the magnet from a sensor, which should have made it register that an intrusion had occurred. Instead, the system reported that the sensor was armed, meaning it was working and that no breach had happened.
In his research, Bosco wrapped the sensor in metal foil to block its 2.4 GHz radio frequency band signal that the base station picks up. While it was blocked, he removed the magnet without triggering an alarm, then removed the foil. It should have synched with the base station and reported that the system was open – meaning an open door or window or motion had been detected.
It takes from several minutes up to three hours to properly synch and accurately report a breach, Rapid7 says.
Rather than using foil to block a sensor, attackers could use off-the-shelf radio-jamming gear or deauthentication attacks against the ZigBee protocol that the system uses to communicate, the researchers say. Burglars could then open an alarmed door or window without being detected by the system.
“A software/firmware update appears to be required in order for the base station to determine how much and how long a radio failure condition should be tolerated and how quickly sensors can reestablish communications with the base station,” the company says.
Rapid7 says Bosco discovered the flaw last Sept. 28, and the company tried to contact Comcast Nov. 2. On Nov. 23, it disclosed the details to US-CERT.