New-generation alarm systems that send real-time text alerts and other digital notifications if an intruder tries to breach a property offer homeowners a great sense of security. Except when thieves can easily undermine the system to trick homeowners into thinking they’re protected when they’re not.

Security researchers at Rapid7 have found vulnerabilities in Comcast’s Xfinity Home Security system that would cause it to falsely report that a property’s windows and doors are closed and secured even if they’ve been opened; it could also fail to sense an intruder’s motion.

The system uses a ZigBee-based protocol to communicate and operate over the 2.4 GHz radio frequency band. All a thief has to do is use radio jamming equipment to block the signals that pass from a door, window, or motion sensor to the home’s baseband hub, according to Tod Beardsley, security research manager for Rapid7. The system fails to recognize when communication is halted and also “fails positive” instead of alerting the homeowner to a negative condition—that is, it will continue reporting that all sensors are intact and that windows and doors are secured even if they’re not, instead of warning homeowners to check the window or door.

Once the jamming ceases, it can take the sensors anywhere from a few minutes to three hours to re-establish communication with the hub. And once they do, the base station hub, which has a digital readout, provides no indication that conditions changed during that period.

“There’s no indicator to the user that something bad happened or something unusual—that it was being jammed for 20 minutes or whatever,” says Beardsley. “The sensor says ‘everything is cool, everything is cool,’ and then it stops talking, and the base station says ‘I guess everything is [still] cool’.”

And once the sensor for a door or window comes back online, “There’s no clue to let the base station know, ‘While you weren’t acknowledging any of my signals, I was open.’”

It makes sense for the system to ignore minor communication breaks, because “you don’t want these to alert and go off every time you turn on the microwave,” Beardsley notes. “But this kind of device should fail ‘closed’ rather than ‘open’ and at least have some kind of amber light on them [to signal that] something is wrong.”

The fact that it can take hours for the sensors to re-establish communication after a break is also a failure, Beardsley says. “I would expect several seconds to minutes offline-ness built in, but many minutes to hours seems like a bunch of software failures are colliding here,” he says.

Even more problematic, Comcast gives its home security system customers a sign to put on their lawn indicating that an Xfinity system is securing their property—making them an easy target for thieves who know about the vulnerabilities. “The sign that is designed to deter attackers can now become a sign that invites attackers,” Beardsley says.

Homeowners can’t take any practical measures to mitigate their risk of an attack. But the vendor could easily fix the problem with a firmware patch that would instruct the system to send alerts when something is not okay with it. It’s unclear, however, if Comcast plans to issue a patch. Rapid7 sent email to Comcast on November 2 to report the problem, but despite emailing several Xfinity addresses set up to receive security reports, the researchers received no reply. The researchers also notified US-CERT of the issue in late November. US-CERT, a division of DHS that helps coordinate information about cybersecurity issues to government agencies and the private sector, told WIRED that it contacted the vendor November 24 and again December 10 but also got no response.

Comcast did not respond to a request for comment from WIRED either, but did reach out to US-CERT after learning a story was in the works.

Comcast Xfinity offers customers a number of home security packages, some of which include surveillance cameras that can provide an additional method of checking for the presence of intruders.

The basic Home-Secure 300 package, which costs about $40 a month and locks homeowners into a two-year agreement, comes with three door or window sensors. The Home-Secure 350 system costs about $50 a month and includes a motion sensor, two lighting controllers, and two indoor/outdoor cameras. But Beardsley notes that if the cameras are broadcasting over the same 2.4 GHz radio frequency band, a thief could block those signals as well.

Thieves can purchase radio jamming equipment on eBay or make their own with about $130 in parts and do-it-yourself instructions published on the internet.

The Xfinity system’s security issue is just another in a long line of common security issues in Internet of Things devices.

“We see these kinds of design decisions, these failure conditions, not really getting tested in Internet of Things devices [before they’re sold]” Beardsley says. “We see things come up thematically over and over again. CES is coming up [this week], and I expect to see tons and tons of devices—and probably very few of them have had security testing.”

Read this article: 

Xfinity’s Security System Flaws Open Homes to Thieves