Although the smart home security field is garnering increasing consumer interest, one of the major players in the space is facing a cybersecurity issue that could have a chilling effect on the market. A vulnerability in Comcast XFINITY’s Home Security System could open the door—literally—to intruders.
The US cable giant’s offering is a remotely managed home security system consisting of a battery-powered base station and one or more battery-powered sensors, all communicating with each other over the open-standard ZigBee wireless protocol. Rapid7 researchers have found a flaw that can cause the system to miss an intruder entirely: homeowners would not be alerted when a monitored door or window is opened, or when motion is detected.
When an attacker induces a failure condition in the 2.4 GHz radio band that ZigBee uses, the base station does not fail closed on the assumption that an attack is under way. Instead it fails open: the sensors stop reporting, and the system continues to state that "All sensors are intact and all doors are closed. No motion is detected."
To demonstrate the issue, Rapid7 researcher Phil Bosco wrapped a paired window/door sensor in tin foil while the system was in the “armed” state, shielding the sensor from the base station to simulate a radio jamming attack. With the sensor still shielded, he removed the magnet from it, which is exactly what happens when the monitored door or window is opened.
The sensor was then unwrapped and placed within a few inches of the base station hub that controls the alarm system. The system continued to report that it was in the “armed” state, with no indication that a door had been opened.
“Rapid7 has determined that there are any number of techniques that could be used to cause interference or de-authentication of the underlying ZigBee-based communications protocol, such as commodity radio jamming equipment and software-based de-authentication attacks on the ZigBee protocol itself,” explained Tod Beardsley, principal security manager from Rapid7.
Further, once that failure condition is triggered there is no fallback safety mechanism: there appears to be no limit on how long the failure may persist before a warning or other alert is raised. And once the interference stops, the time it takes a sensor to re-establish communications with the base station and report correctly again ranges from several minutes to as long as three hours.
Worse, Rapid7 has determined that there are no practical mitigations for this issue short of a fix from the vendor.
“A software/firmware update appears to be required in order for the base station to determine how much and how long a radio failure condition should be tolerated and how quickly sensors can re-establish communications with the base station,” Beardsley said.
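The difference between the fail-open behaviour Rapid7 describes and the supervised, fail-closed behaviour Beardsley says a firmware update would need to add comes down to whether the base station tracks how long each sensor has been silent. The following is an added illustration written for this article; it is not Comcast/XFINITY firmware, not Rapid7's test code, and makes no claim about how the real base station is implemented. The sensor name, the 60-second supervision window and the timeline (modelled on the tin-foil test above) are constructed for the example.

```python
"""Fail-open vs fail-closed sensor supervision (hypothetical base-station logic)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed supervision window: how long an armed base station tolerates silence
# from a sensor before treating the link as failed. Not an XFINITY parameter.
SUPERVISION_WINDOW_S = 60.0


@dataclass
class SensorRecord:
    state: str        # last state the sensor reported: "closed" or "open"
    last_seen: float  # time the last report was received


@dataclass
class BaseStation:
    fail_closed: bool               # True: treat prolonged silence as an alarm condition
    armed: bool = True
    sensors: Dict[str, SensorRecord] = field(default_factory=dict)
    alerts: List[Tuple[float, str]] = field(default_factory=list)
    _supervision_alerted: Set[str] = field(default_factory=set)

    def report(self, sensor_id: str, state: str, now: float) -> None:
        """A sensor message actually reached the base station."""
        self.sensors[sensor_id] = SensorRecord(state, now)
        self._supervision_alerted.discard(sensor_id)   # link is back
        if self.armed and state == "open":
            self.alerts.append((now, f"{sensor_id}: opened"))

    def tick(self, now: float) -> None:
        """Periodic supervision check. The fail-open station does nothing here,
        which is the behaviour the article describes: the last-known state stands."""
        if not (self.fail_closed and self.armed):
            return
        for sid, rec in self.sensors.items():
            silent_for = now - rec.last_seen
            if silent_for > SUPERVISION_WINDOW_S and sid not in self._supervision_alerted:
                self.alerts.append((now, f"{sid}: supervision lost"))
                self._supervision_alerted.add(sid)

    def status(self, sensor_id: str, now: float) -> str:
        """What the panel would display for this sensor right now."""
        rec = self.sensors[sensor_id]
        if self.fail_closed and self.armed and now - rec.last_seen > SUPERVISION_WINDOW_S:
            return "supervision-lost"
        return rec.state


class Sensor:
    """Door/window contact. Its radio messages are dropped while jammed."""

    def __init__(self, sensor_id: str, station: BaseStation) -> None:
        self.sensor_id, self.station = sensor_id, station
        self.jammed = False
        self.state = "closed"

    def transmit(self, now: float) -> bool:
        if self.jammed:          # foil wrap / RF jamming: the message never arrives
            return False
        self.station.report(self.sensor_id, self.state, now)
        return True


def simulate(fail_closed: bool) -> Tuple[str, List[Tuple[float, str]]]:
    """Replay a constructed timeline modelled on the tin-foil test.

    Returns (panel status for the door at t=1800 s, list of alerts raised)."""
    station = BaseStation(fail_closed=fail_closed)
    door = Sensor("door-1", station)
    door.transmit(0.0)                  # t=0: armed, door reports closed
    door.jammed = True                  # t=10: sensor wrapped in foil
    door.state = "open"                 # t=20: magnet removed; the "open" report is dropped
    door.transmit(20.0)
    for t in range(30, 3601, 10):       # supervision runs every 10 s for an hour
        station.tick(float(t))
    mid_status = station.status("door-1", 1800.0)
    door.jammed = False                 # t=3600: sensor unwrapped, rejoins and reports
    door.transmit(3600.0)
    return mid_status, station.alerts


if __name__ == "__main__":
    for mode in (False, True):
        status, alerts = simulate(fail_closed=mode)
        print("fail-closed" if mode else "fail-open ", status, alerts)
```

With `fail_closed=False` the panel shows "closed" for the whole hour and the only alert arrives when the sensor finally reconnects; with `fail_closed=True` the station flags "supervision lost" ten seconds after the window expires, long before the intruder's sensor rejoins. The window length is the tuning question Beardsley raises: too short and ordinary interference causes nuisance alarms, too long and the jamming attack gets a free hour.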
Comcast has made no statement on the issue, and Rapid7 said that it “attempted to contact the vendor” before reporting the issue to CERT.