Published on January 6th, 2016 📆 | 2326 Views ⚑


Comcast Home Security System Vulnerable to Attack

Researchers at Rapid7 today disclosed the issue after fruitless attempts to contact and report the problem to Comcast dating back to Nov. 2; Rapid7 did disclose the vulnerability to CERT, which is expected to issue an advisory today.

The problem, which was discovered by Rapid7 researcher Phil Bosco, occurs when an attacker is able to jam the 2.4 GHz radio frequency band used by window and door sensors to communicate with the system’s base station. The base station does not record, nor does it alert homeowners to the interruption, Rapid7 said. It continues to report, for example, that windows and doors are shut, when in fact they may be open, and that no motion is detected.

“Someone jams the radio, opens doors or windows, commits a crime, closes the doors and windows and stops jamming the radio, and there’s no record of the jamming even happening,” said Rapid7 principal security research manager Tod Beardsley. “You would expect the base station to notice something was amiss.”

“Our home security system uses the same advanced, industry-standard technology as the nation’s top home security providers. The issue being raised is technology used by all home security systems that use wireless connectivity for door, window and other sensors to communicate,” Comcast said in a statement “We are reviewing this research and will proactively work with other industry partners and major providers to identify possible solutions that could benefit our customers and the industry.”

[adsense size='1']

While such jamming equipment is illegal and not for sale in the United States, there are plenty of dark web sites where it can be purchased, and there are also online tutorials that demonstrate how to build one.

Beardsley said that given the 2.4 GHz radio frequency, some interference is normal and expected from outside sources; the system communicates over the ZigBee wireless communication protocol. But sustained interference should trigger an alert, Beardsley said.

“Someone is running a jammer at that point,” he said. “Most security systems design for failure conditions. The design of these devices doesn’t take into account an active attacker.”

Rapid7 also noted that the sensors take too long to reconnect to the base station, even if the sensors’ state is switched to “open” during the interruption.

Bosco explained in a report published by Rapid7 that he was able to exploit the issue by putting a paired window and door sensor in an armed state in tin foil shielding. He removed the sensor’s magnet, simulating a jamming attack, and opened the door that was supposed to be monitored by the sensor.

“Once the magnet is removed from the sensor, the sensor was unwrapped and placed within a few inches from the base station hub that controls the alarm system. The system continued to report that it is in ARMED state,” Rapid7 wrote. “The amount of time it takes for the sensor to re­ establish communications with the base station and correctly report is in an open state can range from several minutes to up to three hours.”

[adsense size='2']

Bosco, who subscribes to the Xfinity Home Security System, found the issue on Sept. 28. After a period of internal review, Rapid7 tried to contact Comcast on Nov. 2 to no avail. It reached out to CERT on Nov. 23.

“We’ve had no luck,” Beardsley said, adding that a firmware update would likely be required to address the problem. “It seems to have fallen on deaf ears. We don’t even known if they have procedures for accepting bug reports.”


Comments are closed.