Researchers at security vendor Rapid7 say they have discovered a concerning flaw in Comcast’s home security system that could allow criminals to break into homes undetected simply by using radio jamming equipment. Rapid7 says it alerted Comcast to the flaw over two months ago and received no response from the company; since the information was released, however, Comcast has claimed that the researchers emailed the wrong address.
Primarily known for its less-than-stellar Internet and cable TV services, Comcast also offers home security systems. Researcher Phil Bosco found the flaw in Comcast’s implementation of the ZigBee wireless protocol. He found that with low-level radio jamming equipment one can “cause interference or deauthentication of the underlying ZigBee-based communications protocol.” Once the jamming occurs, all sensors that detect motion, open doors, or open windows are unable to communicate with the base station to alert the user or sound the alarm.
Rapid7 published details of the Comcast home security flaw in an advisory on Tuesday, in accordance with its responsible disclosure policy, which gives companies at least 60 days to respond before a security flaw is made public. Rapid7 did wait the 60 days and even reached out to Comcast on multiple occasions.
If an attacker were to jam Comcast’s security system, the system would continue to report that all sensors are active and that all doors are closed. No alarm would sound, nor would the homeowner receive any text or email alert that a door or window is open. To demonstrate, Bosco explained in his report how he was able to exploit Comcast’s security system by wrapping a paired window and door sensor, in an armed state, in tin foil shielding. He then removed the sensor’s magnet, simulating a jamming attack, and opened the door that was supposed to be monitored by the Comcast sensor.
“Once the magnet is removed from the sensor, the sensor was unwrapped and placed within a few inches from the base station hub that controls the alarm system. The system continued to report that it is in ARMED state,” Bosco wrote. “The amount of time it takes for the sensor to re-establish communications with the base station and correctly report it is in an open state can range from several minutes to up to three hours.”
In the advisory Rapid7 said attackers could also use “software-based deauthentication attacks on the ZigBee protocol itself” in order to jam the sensor, causing the same issue.
Since the public release of the information, Comcast has said it is working with other companies to identify a solution. However, no timeline or implementation process was released by the company, meaning a viable patch could be several months or just days away.
“There’s no indicator to the user that something bad happened or something unusual—that it was being jammed for 20 minutes or whatever,” Tod Beardsley, Rapid7 Security Research Manager, said in an interview with Wired. “The sensor says ‘everything is cool, everything is cool,’ and then it stops talking, and the base station says ‘I guess everything is [still] cool.’”
After the jamming stops and the sensors can reestablish a connection with the base station, “there’s no clue to let the base station know, ‘While you weren’t acknowledging any of my signals, I was open,’” Beardsley continued.
Currently there are no proactive steps consumers can take to protect themselves from the problem, meaning Comcast needs to issue a software or firmware update “in order for the base station to determine how much and how long a radio failure condition should be tolerated and how quickly sensors can re-establish communications with the base station,” Rapid7 explained.
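The supervision logic Rapid7 describes, modelled as an added example (not Comcast’s firmware or Rapid7’s code): the base station tracks when each sensor last checked in, treats silence beyond a tolerance window as a supervision failure rather than as “still closed,” and reconciles a sensor’s state when the link comes back. The sensor name, the tolerance value and the event log are constructed for illustration.

```python
"""Base-station supervision model: a silent sensor becomes an alert,
not a stale 'everything is still cool' report. All values constructed."""
from dataclasses import dataclass, field

TOLERANCE_S = 3 * 60   # assumed: seconds of radio silence tolerated while armed


@dataclass
class Sensor:
    name: str
    last_seen: float
    state: str = "closed"      # last state the sensor actually reported
    supervised: bool = True    # False once the station has flagged silence


@dataclass
class BaseStation:
    armed: bool = True
    sensors: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def heartbeat(self, name, t, state="closed"):
        """A sensor check-in. A sensor returning after a flagged gap is
        reconciled on return: if it now reports open while armed, alarm."""
        s = self.sensors.setdefault(name, Sensor(name, t))
        if not s.supervised:
            self.alerts.append((t, name, "link restored"))
            s.supervised = True
        s.last_seen, s.state = t, state
        if self.armed and state == "open":
            self.alerts.append((t, name, "open while armed"))

    def tick(self, t):
        """Periodic check: any supervised sensor silent for more than
        TOLERANCE_S is reported as a supervision failure (possible jamming)."""
        for s in self.sensors.values():
            if s.supervised and t - s.last_seen > TOLERANCE_S:
                s.supervised = False
                self.alerts.append((t, s.name, "supervision lost"))


def replay(events):
    """Run a constructed event log through an armed base station."""
    bs = BaseStation()
    for kind, *args in events:
        bs.heartbeat(*args) if kind == "hb" else bs.tick(*args)
    return bs.alerts


# Constructed log: the door sensor checks in each minute, falls silent for
# 20 minutes (jammed), then returns reporting the door open.
EVENTS = [("hb", "front_door", 0), ("hb", "front_door", 60), ("hb", "front_door", 120)]
EVENTS += [("tick", t) for t in range(180, 1320, 60)]
EVENTS += [("hb", "front_door", 1320, "open")]
```

With `TOLERANCE_S` at three minutes the station flags the outage four minutes after the last check-in and raises the open-door alarm the moment the sensor reconnects, instead of relying on the sensor to volunteer what happened while it was unheard.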
Rapid7 said it contacted Comcast at various email addresses listed on the company’s website and received no response. Following responsible disclosure, Rapid7 waited 60 days and contacted CERT, which was also unsuccessful at reaching the company. Comcast has since blamed the researchers for emailing an @xfinity.com address when they should have been emailing an @comcast.com address. It seems Comcast customer support isn’t only bad for consumers, but also when it comes to severe security issues.