Slashdot Mirror
Comcast's Xfinity Home Security Flaw Leaves Doors Open (rapid7.com)
itwbennett writes: Researchers at Rapid7 have disclosed vulnerabilities in Comcast's Xfinity Home Security offerings that prevent the system from alerting homeowners to unsecured doors or windows and would also fail to sense an intruder's motion in the home. The root cause of the problem can be found in the ZigBee-based protocol used by Comcast's system to operate over the 2.4 GHz frequency band. Rapid7's Phil Bosco discovered that the Xfinity Home Security system does not fail closed with an assumption of an attack if radio communications are disrupted. Instead, the system fails open, reporting that all sensors are intact, doors are closed, and no motion is detected.
This is what happens when a company strays too far out of its core (in)competency.
I would imagine that since it operates in the 2.4 spectrum that there are many situations where radio communication is interrupted and would thus trigger an alarm. More then likely this would happen several times a day, making the alarm useless as people would then not actually think there was an issue but just the system acting up again. So Comcast in their infinite wisdom probably "fixed" the issue by not having it set off the alarm.
I have done some development (albeit limited) using a Zigbee stack, and this failure has nothing to do with the Zigbee protocol, per se. That "explanation" sounds like some of the project-engineers trying to pull the wool over the eyes of Comcast's management (and Customers).
i thought their only purpose was so that your home insurance company will cover your home
ADT for life
This is why wireless is such a bad idea in many situations... wired allows for so much more tamper proofing and overall security.
[The Universe] has gone offline.
Why would you trust your fscking cable company to be your security alarm? What makes you think they have any expertise in this field?
I find this stuff to be mostly self-inflicted stupidity on behalf of consumers.
Every week we see yet another story indicating that consumer electronics have absolute garbage security, and are rushed out the door by people do don't give a crap about your security.
All this smart home crap, and all of this home monitoring crap pushed by your cable company? It's stuff being rushed to market by assholes in marketing. They either don't do security at all, or they do it incompetently.
Until companies bear some legal liability, which their lobbyists will ensure they never do, there's only one sensible option: Assume every damned Internet of Shit product which comes along is so massively insecure as to be dangerous.
Because in all likelihood it is.
This shit is more about selling you product and gathering marketing and analytics data than it is about your damned home security. Just because some idiot slapped on a shoddy wifi connection and wrote an app for your phone doesn't mean they're selling you anything other than snake oil.
You want an alarm? Go with a proper alarm company with actual experience in the field.
Every single day I'm forced to conclude the internet of stuff and the appification of the world is a bloody waste of time and money. And they have an EULA which basically says "we're not responsible no matter how grossly incompetent we are".
Now, get off my damned lawn as I continue to keep most of my things in the analog world and not give a shit if you get hacked or not.
Lost at C:>. Found at C.
You need to look at the rate of false positives vs. false negatives. If they took the fail-alert approach, for every true security breach, Comcast would be responding to thousands of "my microwave interrupts my WiFi when it runs" etc. This would further impact response times to true security breaches due to cry wolf issues. So is it secure? Yeah not really. Is this the correct business choice for Comcast? Probably.
Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
http://www.inquisitr.com/15151...
My backdoor, Slashdot brethren VIOLATE MY ANUS
It's positioned as "home monitoring" not "home security".
I doubt any insurance company would consider this as home security being discount worthy.
Rogers in the great white north of Canuickstan has the same scam, but uses cellular protocols/gsm and bills you up the wazoo.
We've had them for years for cable, phone & internet. Then we dropped our land line, and they actually wanted to increase our phone bill when we wanted the service stopped! They said we paid less for all 3 services because of the "triple play discount", so it cost more for cable & internet than it cost for cable, internet & telephone. It wasn't until I threatened to leave that they took that off of our service and dropped our bill by $10. Then, to save more money, we got rid of our extra cable boxes ($10 each) and replaced them with digital converters for our upstairs TVs ($ each). After I installed them, they didn't work. So I called, the tech fixed it on their end, so we could watch TV in bed. Of course, when they "fixed" that problem, they "accidentally" turned off my DVR service. Then we got a notice saying we were not being billed correctly, and they boosted the price back up to $10 for each converter. Called & argued with them again. They fixed the price. Then the devices stopped working again. Called again, and now neither the converters OR the DVR is working. So now I have to have a tech come to my house. I almost have to believe they are doing it on purpose at this point, but WOW !!! I wonder how much Comcast wastes per year fixing things they screwed up on the previous tech support call? In some instances above, I did use chat, which is a semi-improvement, but only by a little. <\rant>
Taking guns away from the 99% gives the 1% 100% of the power.
Comcast's Xfinity Home Security Flaw Leaves Doors Open
No, people leave doors open. Xfinity just sucks at warning you about it.
systemd is Roko's Basilisk.
That's all the BS consumer pricing plan crap they all pull - AT&T does the same. And the introductory rate bullshit is done by all.
And the other shitty thing is that you're lock into a 2 year or more agreement but if the give you shitty service or none at all, well fuck you pay me! Don't pay? Well, fuck you off to collections! Try to sue? Well, fuck you off to industry stacked forced binding arbitration that will rule in their favor.
They are unethical mother fuckers and I do as little business as I can with those fuckers. we need a Teleco version of teh Consumer Financial Protection Bureau because the FTC and FCC are bought and paid for by the ISPs and Telcos..
Wireless communications are prone to failure. That's the nature of wireless. The alternative here is to report a bunch of false alarms whenever connectivity is lost. Is that really a good security system?
So they chose to ignore sensors that go offline. It's pretty reasonable for a home security system to not protect against sophisticated attackers willing to jam wireless signals. It's not like you're trying to protect 640 million in bearer bonds. I'm not saying it takes a genius to jam a wireless home security system. But try to realize that people who rob houses are generally not too bright.
Pardon my ignorance, but could you or someone else please explain the difference between a "cable box" and a "digital converter"?
Everyone seems to be jumping on the bash comcast band wagon here but did comcast really cause this kind of problem? The article didn't mention but the sensor check-in message will get missed by the control panel (think heartbeat) and report comm fail. So why would a wireless sensor communication failure triggering a false alarm be a GOOD thing? If you consider the fees some local governments charge for false alarms, the strict federal regulations preventing false alarms, how these systems handle sensor communication failures, and how obviously unrealistic a 24/7 uptime is on a wireless sensor, then this "vulnerability" seems a bit silly. RF is hard, and add to that limitations on size, output power, and battery life. If this were a wired sensor and the line was cut without an immediate effect, then I'd be concerned... but with wireless, I'd rather not pay hundreds of dollars on false alarm fees.
I spent some time as an installer for a local security company at one point in time.
I don't know what Comcast is using, but most security systems (wired or wireless) can be configured to be Normally Open, or Normally Closed. Also, some can be configured to fail open or fail safe.
This could in part be a configuration issue.
But I also didnt read the article. Just speculating... haha
Because the damn thing would be non stop false alarms if they did. Zigbee is NOT reliable enough for an alarm system.
Do not look at laser with remaining good eye.
Pardon my ignorance, but could you or someone else please explain the difference between a "cable box" and a "digital converter"?
A cable box decodes both HD & SD signals and sends them to your TV. A digital converter basically only decoded the SD signals. It's also much smaller and doesn't have digital numbers for the channel on it. That's the practical differences, not the technical, but that's all I'm concerned about. From my understanding, the digital converters COULD handle up to 4k transmissions, but we still can't get our HD channels because Comcast.
Taking guns away from the 99% gives the 1% 100% of the power.
you're lock into a 2 year or more agreement
I have no contract, I'm month-to-month. It allows me to make changes fairly easily. Oh, I forgot that the most recent thing I did was buy my own Netgear N600 Wifi Cable Modem Router. It cost me $95, but will save me $10 a month, so it pays for itself in under a year. Of course, getting that set up was another ordeal. I followed the instructions, got a success message on Comcast's page, and still had to call tech support. Couldn't do chat, because the only time I could connect to the internet was by going through the Comcast modem setup page. It was literally the only page that worked. Took a half-hour phone call to get it working correctly.
Taking guns away from the 99% gives the 1% 100% of the power.
Comcast voted the 2014 "Worst Company In America".
When there is a lot of abuse, people make distracting comments, rather than trying to stop the abuse.
Welcome to the IoaYTGS - Internet of all Your Things Got Stolen.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
https://www.youtube.com/watch?v=eF4Hcr7XX3c
I hate the triple play package... its a trap.
$600 to exit contract when they fail to deliver satisfactory service... ADP is soooooo much better and easier.
Most of the newer alarm system offerings have switched over to wireless sensors vs the old school method of hard-wiring them.
( Hard wire is the way to go, but you really need to do it as the home is being built. Trying to retrofit a wired system after is a major undertaking. )
I'm curious to know if the other vendors using wireless sensors also suffer from the same vulnerabilities as the Xfinity one does. ( ADT, AT&T Digital Life, etc. )
This would be the same Comcast that makes your cableco-provided wireless modem/router combo broadcast a second public wi-fi network by default? Sounds like Comcast will cause open back doors in the both physical and metaphorical sense.
That's the company that sends me e-mail notifications for someone's alarm system. The notifications contain the person's first name, street address, a timestamp and what the action was (alarm armed, disarmed, armed stay, alarm, etc.). There only return address is unmonitored and xfinity.com doesn't seem to have any contact information.
Seems like a legit operation.
Loyal, protective dogs, big ones...
Alarm systems don't really work -- the response time from breach to cops arriving is way too long to catch anyone. All the burglars caught in our neighborhood are done in by neighbors who follow the burglars when they leave their friends/neighbors house, and the cops then are able to catch them on the road. I used to live in a house with an alarm, and it had a grandfathered 130dB horn in the attic and a loud bell on the outside of the house (nowadays, almost all cities require silent alarms). Everyone on the block knows when the alarm goes off. House was broken into repeatedly. Every time the cops arrived but every time the crooks got away, except the one time the neighbor followed the pickup because he knew it wasn't ours. Buy insurance and keep documents hidden in a safe that is too heavy to move w/o equipment.
Reading quickly through this thread, with all the comments about whiners wanting something for nothing, it seems to me that most are missing the real story here. The Binge-on plan is supposed to be about getting certain content without it counting against a data cap, that certain providers have worked out a deal with T-Mobile allowing their streams to be “optimized” in exchange for users getting unlimited access. But it turns out that everyone‘s content is being treated the same: it’s all throttled. So what exactly is the point of having only some content providers participate? A select few companies have allowed their names to be used, and have theoretically signed on to the scheme, but those providers' data isn’t being treated any differently then anyone else’s, the data is ALL being throttled! Think about it, all video data on the internet is being treated the same, but only some companies are being given the opportunity to serve up unlimited amounts of video. Why? Why just them? I have read that other streaming providers can opt in for free, which if true just makes the unequal treatment worse. By default, T-Mobile is treating video data as if the provider has already agreed to the plan, but only a select few companies are reaping the benefits. From an engineering standpoint, participating companies are doing ABSOLUTELY NOTHING differently than non-participating companies. WTF? Bottom line: ALL VIDEO CONTENT IS BEING THROTTLED, SO ALL VIDEO CONTENT PROVIDERS SHOULD REAP THE BENEFITS! Anything else is a flat out violation of net neutrality. And that’s the real story here.
Why didn't such bugs come to light when Comcast tested the device for potential security vulnerabilities. They did test that a home security device was immune to conventional jamming. Either way I wouldn't trust product from them in the future.
It is important to note that Comcast is not the manufacturer of these devices. They are also most likely not creating the software for them either. The alarm system is sold by an OEM that several different alarm companies use, including other cable companies.
The system also isn't just using ZigBee for communication, it is using the ZigBee Home Automation standard. ZigBee has defined how they want home security and automation products to communicate over their ZigBee radio standard. So this isn't just related to Comcast. I would think that just about every other system out there using ZigBee for home security would have the same problem. So this is a bigger problem than just Comcast users.
I would think a software update could be pushed to the base station that would detect active signal jamming. It could be as simple as checking of the signal level is peaked on all channels with no valid data being detected. It could also be a lot more sophisticated and look at actual received data to determine if it was from a jamming device or possibly matches signatures of known devices that can cause interference.
I think an ideal solution is adding a beacon that is not dependent on power usage. This beacon would transmit on regular intervals (every second or so). If this signal is not received for a period of time (plus may some other detected conditions), then the system can trigger the desired alarm.
A "digital converter" lets you view a digital signal on an old analog TV. A "cable box" is a bullshit tactic that adds DRM to your cable signal (all it does is replace the functionality of the QAM tuner your TV already has, because the cable company intentionally broke it by encrypting the signal) and inflates the cost by giving the cable company a flimsy excuse to charge extra per-TV fees on top of the already-overpriced subscription itself.
Cable boxes are an attack on consumers and the FCC should never have allowed them to exist in the first place, especially in light of the Carterfone decision (the principles of which should have been applied to cable TV service just as much as to phone service).
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Damn, I screwed up the link. (Actually, it wasn't my fault; Firefox has suddenly stopped including the "http://" in the address bar for non-HTTPS URLs for some reason. WTF, Firefox?) Here's the correct one: http://arstechnica.com/tech-policy/2008/06/carterfone-40-years/
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz