Comcast Xfinity home security system vulnerability lets a hacker become a thief

The home security system fails "open," tricking it into thinking everything is fine.
Written by Zack Whittaker, Contributor

Security researchers have found a flaw in Comcast's Xfinity home security products, allowing an attacker to trick the system into thinking that doors and windows are secured -- even when they're not.

The security system, which Comcast markets as a "total home security and automation solution," offers alerts and warnings when doors and windows are opened, and real-time visual monitoring of an entire home. The service integrates with existing smart home products, like Nest cameras and Lutron lighting controls.

But security firm Rapid7 on Tuesday said the system suffered from a fundamental flaw that could lull it into a false sense of security, leaving it unable to detect whether an intruder is in a home.

Rapid7's Phil Bosco, who discovered the flaw, explained that the problem is rooted in how the Xfinity system uses the ZigBee wireless communications protocol.

When the security system's wireless base station -- running at the common household band of 2.4 GHz -- loses communications with the smart sensors around the house, the system fails "open": it doesn't assume an attack is under way and continues to report that "no motion is detected" -- even when an intruder is in the house.

Security systems are typically designed to fail "closed," which takes the worst-case scenario and assumes an attack is under way, alerting the homeowner to a problem. It's also why most alarm systems will sound when there's a power cut in the neighborhood.
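The difference between failing "open" and failing "closed" when sensors go silent, as an added example that is not from the article, Rapid7 or Comcast. It is a toy panel model; the class and sensor names, the 90-second supervision timeout and the report timeline are all constructed assumptions.

```python
from dataclasses import dataclass

SUPERVISION_TIMEOUT_S = 90  # assumed check-in window; not a figure from the article


@dataclass
class Sensor:
    name: str
    state: str = "closed"    # last state the sensor reported
    last_seen: float = 0.0   # time (seconds) of its last radio check-in


class Panel:
    def __init__(self, names, fail_closed):
        self.sensors = {n: Sensor(n) for n in names}
        self.fail_closed = fail_closed

    def on_report(self, name, state, t):
        """Record a check-in or state change received over the radio link."""
        s = self.sensors[name]
        s.state, s.last_seen = state, t

    def status(self, name, now):
        s = self.sensors[name]
        silent_for = now - s.last_seen
        if self.fail_closed and silent_for > SUPERVISION_TIMEOUT_S:
            return "trouble"   # silence is treated as a possible attack
        return s.state         # fail-open: the stale reading is trusted

    def alarms(self, now):
        """Sensors that should raise an alert while the system is armed."""
        return sorted(n for n in self.sensors if self.status(n, now) != "closed")


# Constructed timeline: both sensors check in every 30 s, then the radio link
# goes silent after t=60, so nothing that happens later reaches the panel.
REPORTS = [(name, "closed", t)
           for name in ("front_door", "hall_motion") for t in (0, 30, 60)]


def run(fail_closed, now):
    panel = Panel(["front_door", "hall_motion"], fail_closed)
    for name, state, t in REPORTS:
        panel.on_report(name, state, t)
    return panel.alarms(now)


if __name__ == "__main__":
    print("fail-open  :", run(False, now=600))   # no alerts during the silence
    print("fail-closed:", run(True, now=600))    # every silent sensor is flagged
```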

Bosco said he simulated a radio jamming attack, which confirmed the issue.

The security firm, which privately reported the flaw to Comcast in late November, said in a blog post the security system can stay in an open state "from several minutes to up to three hours."

Details of the flaw were published Tuesday in line with Rapid7's public disclosure policy, which aims to privately alert companies of issues in order to fix security flaws in a timely fashion.

An advisory posted by Carnegie Mellon University's public vulnerability database (CERT) confirmed that there was no "practical solution" to the problem. Bosco said that Comcast would likely have to roll out a firmware update in order to fix the flaw.

A Rapid7 spokesperson confirmed the company attempted to privately report the vulnerability to Comcast at multiple email addresses, but the cable and media giant did not respond.

Tod Beardsley, research manager at Rapid7, in an email highlighted the wider issue of flaws in Internet of Things devices, even those which are designed to be security products.

"As a habitual discloser of vulnerability information, Rapid7 understands that receiving bad news can be uncomfortable, and we try to do what we can to help vendors through the process of modern and mature vulnerability disclosure handling processes; we also work with CERT, relying on their years of experience in this area," said Beardsley. "Between Rapid7 and CERT, we often are able to find someone to report sensitive security issues to, but occasionally, our efforts don't pan out."

A Comcast spokesperson confirmed the vulnerability in a statement:

"Our home security system uses the same advanced, industry-standard technology as the nation's top home security providers," said the spokesperson. "The issue being raised is technology used by all home security systems that use wireless connectivity for door, window and other sensors to communicate."

Comcast added: "We are reviewing this research and will proactively work with other industry partners and major providers to identify possible solutions that could benefit our customers and the industry."
