Flaw in Comcast’s home security system lets burglars in without triggering alarm

Rapid7 researcher Phil Bosco has discovered a crucial flaw in the Comcast XFINITY Home Security system, which can be easily exploited by burglars to enter homes without triggering the alarm, and for which there is currently no mitigation and no patch.

The Comcast XFINITY Home Security system, which consists of a battery-powered base station and one or more battery-powered sensors, alerts owners if a door or window is opened, and allows them to visually monitor their entire home in real time.

The base station and sensors use the ZigBee protocol over a 2.4 GHz radio frequency band to communicate.

“By causing a failure condition in the 2.4 GHz radio frequency band, the security system does not fail closed with an assumption that an attack is underway,” Tod Beardsley, Security Research Manager at Rapid7, explained in a blog post. “Instead, the system fails open, and the security system continues to report that ‘All sensors are in-tact and all doors are closed. No motion is detected.’”

“In addition, sensors take an inordinate amount of time to re-establish communications with the base station, even if their ‘closed’ state is switched to ‘open’ during the failure event,” he added.

Attackers can easily exploit this vulnerability by disrupting wireless communications between the system’s components, which lets them avoid triggering Home Security alarm events.
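The difference between the fail-open behaviour Beardsley describes and a supervised, fail-closed base station can be modelled in a few lines. This is an added example, not Comcast's or Rapid7's code; the `BaseStation` class, the 30-second check-in window and the timeline are assumptions made for illustration.

```python
from dataclasses import dataclass, field

SUPERVISION_TIMEOUT_S = 30.0  # assumed check-in window; not a vendor value


@dataclass
class BaseStation:
    fail_closed: bool
    armed: bool = True
    last_state: dict = field(default_factory=dict)  # sensor -> "open"/"closed"
    last_seen: dict = field(default_factory=dict)   # sensor -> time of last check-in
    latched: set = field(default_factory=set)       # sensors that went silent while armed

    def on_checkin(self, sensor, state, now):
        """Record a state report received from a sensor over the radio link."""
        self.evaluate(now)  # latch any gap that preceded this check-in
        self.last_state[sensor] = state
        self.last_seen[sensor] = now

    def evaluate(self, now):
        """Return the per-sensor status the system would show at time `now`."""
        status = {}
        for sensor, state in self.last_state.items():
            silent = now - self.last_seen[sensor] > SUPERVISION_TIMEOUT_S
            if self.fail_closed and silent:
                status[sensor] = "unreachable"
                if self.armed:
                    self.latched.add(sensor)
            else:
                # Fail-open: silence is ignored and the stale state is repeated.
                status[sensor] = state
        return status

    def alarm(self, now):
        """Armed system alarms on an open sensor, a silent one, or a latched gap."""
        status = self.evaluate(now)
        return self.armed and (bool(self.latched) or
                               any(v != "closed" for v in status.values()))


def run_outage(fail_closed):
    """Constructed timeline: check-in at t=0, radio silence, check-in again at t=300."""
    station = BaseStation(fail_closed=fail_closed)
    station.on_checkin("front_door", "closed", now=0.0)
    during = station.alarm(now=120.0)   # link has been down for two minutes
    station.on_checkin("front_door", "closed", now=300.0)
    after = station.alarm(now=301.0)    # sensor is back and reports "closed"
    return during, after
```

In the fail-closed run the supervision gap stays latched after the sensor reconnects, so a door that was opened and closed again during the outage still leaves a record.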

“There are any number of techniques that could be used to cause interference or deauthentication of the underlying ZigBee-based communications protocol, such as commodity radio jamming equipment and software-based deauthentication attacks on the ZigBee protocol itself,” Beardsley pointed out.

The researchers attempted to contact Comcast in November 2015 to report the flaw, but the company didn’t acknowledge (or fix) the problem.

Comcast told Ars Technica that the researchers used the wrong emails to try to contact them, that the ZigBee protocol is an industry-standard technology, and that they will “proactively work with other industry partners and major providers to identify possible solutions that could benefit our customers and the industry.”

Rapid7 said that, as the company offers no guidance on where security issues should be reported, they did their best to find a likely address. They also pointed out that after they disclosed the issue to CERT, the organization also tried and failed to get in touch with Xfinity.