Comcast's Xfinity Home Security Flaw Leaves Doors Open (rapid7.com)
itwbennett writes: Researchers at Rapid7 have disclosed vulnerabilities in Comcast's Xfinity Home Security offerings that prevent the system from alerting homeowners to unsecured doors or windows and would also fail to sense an intruder's motion in the home. The root cause of the problem can be found in the ZigBee-based protocol used by Comcast's system to operate over the 2.4 GHz frequency band. Rapid7's Phil Bosco discovered that the Xfinity Home Security system does not fail closed with an assumption of an attack if radio communications are disrupted. Instead, the system fails open, reporting that all sensors are intact, doors are closed, and no motion is detected.
This is what happens when a company strays too far out of its core (in)competency.
I have done some development (albeit limited) using a Zigbee stack, and this failure has nothing to do with the Zigbee protocol, per se. That "explanation" sounds like some of the project-engineers trying to pull the wool over the eyes of Comcast's management (and Customers).
I thought their only purpose was so that your home insurance company will cover your home
This is why wireless is such a bad idea in many situations... wired allows for so much more tamper proofing and overall security.
[The Universe] has gone offline.
I would imagine that since it operates in the 2.4 spectrum that there are many situations where radio communication is interrupted and would thus trigger an alarm. More than likely this would happen several times a day, making the alarm useless as people would then not actually think there was an issue but just the system acting up again. So Comcast in their infinite wisdom probably "fixed" the issue by not having it set off the alarm.
Good point about the 2.4 GHz "pollution" problem, and the fact that the system could NOT be designed to interpret simple loss-of-signal as an intrusion. In fact, the whole idea of wireless sensors in this particular application (at 2.4 GHz, at least) is a mighty dubious one, for this VERY reason.
You need to look at the rate of false positives vs. false negatives. If they took the fail-alert approach, for every true security breach, Comcast would be responding to thousands of "my microwave interrupts my WiFi when it runs" etc. This would further impact response times to true security breaches due to cry wolf issues. So is it secure? Yeah not really. Is this the correct business choice for Comcast? Probably.
Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
It depends on how long of a loss of signal: a few ms, sure; a few seconds, sure; get to 30 seconds and well, you have a problem. And that's assuming that it's a missed poll. Polling battery powered devices is a battery trade off. Mind you the zigbee wireless is a hell of a lot more secure than what ADT is putting in for wireless. Think remotes that can disarm the system without even a rolling key, aka 1980's garage door opener.
No sir I dont like it.
http://www.inquisitr.com/15151...
All the development methodologies of the last few decades have been primarily focused on how to get software out the door quicker: Agile, RAD, Extreme Programming, etc are focused on faster (of course, there are exceptions: NASA for example always tries to make things more reliable, other researchers have looked at that too, but the mainline software industry has mostly ignored reliability).
The reality is, if you want secure software, every programmer needs to be thinking about security. It's not something you can bolt on after the software is written. You can't have a "Red Team" who tries to fix things later (although that can be a secondary layer of security). Companies don't think about security until they are big enough to be a target, which is obviously a problem.
We need a new development methodology based on security.....instead of RAAD call it RAADT after a certain contentious developer......
"First they came for the slanderers and i said nothing."
It depends on how long of a loss of signal: a few ms, sure; a few seconds, sure; get to 30 seconds and well, you have a problem. And that's assuming that it's a missed poll. Polling battery powered devices is a battery trade off. Mind you the zigbee wireless is a hell of a lot more secure than what ADT is putting in for wireless. Think remotes that can disarm the system without even a rolling key, aka 1980's garage door opener.
So, how long do YOU want to wait before deciding that someone has indeed broken-in?
And oh yes, don't get me started on the whole insecurity of PIC Keeloq-based security. I developed a keyless-entry system for use with Delivery trucks (think UPS), and I originally started with Keeloq; but quickly changed to using AES-128, once I started reading about the weakness of Keeloq.
Well, I will say the general issue here is people are willing to accept shit security for a shiny bauble. And that's their own damned problem.
Until companies bear real legal liability for being incompetent at implementing security, I am going to assume that every new product which wants to connect to the internet is a steaming pile of shit I have no interest in.
If you can open your door from your cell phone, someone else can too. And there's a very good chance it's so damned trivial to bypass that it would be scary.
You won't see a culture of development as being highly focused on security until corporations bear legal liability for it. As long as they don't, you pretty much have to assume there is pretty much no security at all.
Me, I simply don't give a damn about products which want to connect to the internet so I can access them from my phone. Because I see no reason to control my entire life from my phone or the internet.
What everyone else does ... not my damned problem.
I'm just simply not going to act like I have any sympathy anymore. What the world needs right now is a lot more bitter old men giving their best Nelson "Ha ha!" when this shit happens. Maybe shame will finally work where trying to explain the problem has failed.
Lost at C:>. Found at C.
We've had them for years for cable, phone & internet. Then we dropped our land line, and they actually wanted to increase our phone bill when we wanted the service stopped! They said we paid less for all 3 services because of the "triple play discount", so it cost more for cable & internet than it cost for cable, internet & telephone. It wasn't until I threatened to leave that they took that off of our service and dropped our bill by $10. Then, to save more money, we got rid of our extra cable boxes ($10 each) and replaced them with digital converters for our upstairs TVs ($ each). After I installed them, they didn't work. So I called, the tech fixed it on their end, so we could watch TV in bed. Of course, when they "fixed" that problem, they "accidentally" turned off my DVR service. Then we got a notice saying we were not being billed correctly, and they boosted the price back up to $10 for each converter. Called & argued with them again. They fixed the price. Then the devices stopped working again. Called again, and now neither the converters OR the DVR is working. So now I have to have a tech come to my house. I almost have to believe they are doing it on purpose at this point, but WOW !!! I wonder how much Comcast wastes per year fixing things they screwed up on the previous tech support call? In some instances above, I did use chat, which is a semi-improvement, but only by a little. <\rant>
Taking guns away from the 99% gives the 1% 100% of the power.
Comcast's Xfinity Home Security Flaw Leaves Doors Open
No, people leave doors open. Xfinity just sucks at warning you about it.
systemd is Roko's Basilisk.
It has to work this way. Otherwise your alarm would be going off every time you turned on the microwave oven. Wireless security systems are inherently secure. I refuse to use them in my house.
Everyone seems to be jumping on the bash comcast bandwagon here but did comcast really cause this kind of problem? The article didn't mention but the sensor check-in message will get missed by the control panel (think heartbeat) and report comm fail. So why would a wireless sensor communication failure triggering a false alarm be a GOOD thing? If you consider the fees some local governments charge for false alarms, the strict federal regulations preventing false alarms, how these systems handle sensor communication failures, and how obviously unrealistic 24/7 uptime is on a wireless sensor, then this "vulnerability" seems a bit silly. RF is hard, and add to that limitations on size, output power, and battery life. If this were a wired sensor and the line was cut without an immediate effect, then I'd be concerned... but with wireless, I'd rather not pay hundreds of dollars on false alarm fees.
I spent some time as an installer for a local security company at one point in time.
I don't know what Comcast is using, but most security systems (wired or wireless) can be configured to be Normally Open, or Normally Closed. Also, some can be configured to fail open or fail safe.
This could in part be a configuration issue.
But I also didn't read the article. Just speculating... haha
Because the damn thing would be non stop false alarms if they did. Zigbee is NOT reliable enough for an alarm system.
Do not look at laser with remaining good eye.
Pardon my ignorance, but could you or someone else please explain the difference between a "cable box" and a "digital converter"?
A cable box decodes both HD & SD signals and sends them to your TV. A digital converter basically only decodes the SD signals. It's also much smaller and doesn't have digital numbers for the channel on it. Those are the practical differences, not the technical, but that's all I'm concerned about. From my understanding, the digital converters COULD handle up to 4k transmissions, but we still can't get our HD channels because Comcast.
Taking guns away from the 99% gives the 1% 100% of the power.
Development methodologies focus on speed of the development as well as producing the right thing for the right job. If security is part of what "the right thing" is, then the methodology will produce it. If it's not, then it won't.
Nope. You can tell from the name what they are focused on. "Agile" is focused on quickly responding to customers, RAD is focused on Rapid application development, for example.
Every development methodology claims to "produce the right thing," even teams without any methodology, even waterfall claims that. That is not unique to any methodology, they all do that.
"First they came for the slanderers and i said nothing."
The problem isn't that it won't report a problem while interference has the radio links down (that is an issue with any wireless system). The problem is that once the interference clears up, it will continue to believe all's well for some time after.
you're locked into a 2 year or more agreement
I have no contract, I'm month-to-month. It allows me to make changes fairly easily. Oh, I forgot that the most recent thing I did was buy my own Netgear N600 Wifi Cable Modem Router. It cost me $95, but will save me $10 a month, so it pays for itself in under a year. Of course, getting that set up was another ordeal. I followed the instructions, got a success message on Comcast's page, and still had to call tech support. Couldn't do chat, because the only time I could connect to the internet was by going through the Comcast modem setup page. It was literally the only page that worked. Took a half-hour phone call to get it working correctly.
Taking guns away from the 99% gives the 1% 100% of the power.
Welcome to the IoaYTGS - Internet of all Your Things Got Stolen.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Most of the newer alarm system offerings have switched over to wireless sensors vs the old school method of hard-wiring them.
( Hard wire is the way to go, but you really need to do it as the home is being built. Trying to retrofit a wired system after is a major undertaking. )
I'm curious to know if the other vendors using wireless sensors also suffer from the same vulnerabilities as the Xfinity one does. ( ADT, AT&T Digital Life, etc. )
This would be the same Comcast that makes your cableco-provided wireless modem/router combo broadcast a second public wi-fi network by default? Sounds like Comcast will cause open back doors in both the physical and metaphorical sense.
The bigger problem is relying on a security system that can be disabled by snipping a cable either in front of the house or several houses down (for example the cable box in front of my house serves 4 houses). Now, I don't know the current details on Xfinity home - cutting the cable line may well still allow the alarm to activate. But it certainly isn't going to notify anyone (Comcast's monitoring office, the police, the home owner) that there was a break in. Other systems use (for example) Verizon's cell network to report so that they cannot be disabled so easily.
Cutting the broadband cable won't do anything for you.
The Xfinity flavor ( as well as most others ) contain a cellular backup within the unit to utilize in the event the broadband connection dies.
Broadband connectivity is determined via periodic heartbeat packets coming and going to the monitoring system.
So, while you can cut the cable, you'll also need a cellular jammer based on whatever flavor of cellular they're utilizing. Most homes using this level of alarm tech aren't worth going through all this trouble to break into to begin with.
ADT for life
FYI, even ADT has switched to wireless sensor setups. My parents' house is outfitted with them.
Constant checking in will kill battery life, but the problem is that they don't remain in the alarm state. That would also cause battery wear, but only in the event of a break in.
A wired system is more secure but not always practical as a retrofit. Of course, most home alarms depend on most criminals being dumb.
I just read this story which suggests that consumers are starting to avoid IoT stuff because of security concerns. So that might cheer you up (a bit) on a rainy, dreary morning.
"First they came for the slanderers and i said nothing."
That's the company that sends me e-mail notifications for someone's alarm system. The notifications contain the person's first name, street address, a timestamp and what the action was (alarm armed, disarmed, armed stay, alarm, etc.). Their only return address is unmonitored and xfinity.com doesn't seem to have any contact information.
Seems like a legit operation.
I use wired zones for my perimeter. I have some wireless motion but that's more belt and suspenders for the security side and drives the HA system.
This is all about getting something dirt cheap to install and maintain to meet the requirements for the homeowners policy discount.
No sir I dont like it.
Loyal, protective dogs, big ones...
It depends on how long of a loss of signal: a few ms, sure; a few seconds, sure; get to 30 seconds and well, you have a problem.
Then someone turns on the microwave for 10 minutes to cook a frozen pizza......
"First they came for the slanderers and i said nothing."
Reading quickly through this thread, with all the comments about whiners wanting something for nothing, it seems to me that most are missing the real story here. The Binge-on plan is supposed to be about getting certain content without it counting against a data cap, that certain providers have worked out a deal with T-Mobile allowing their streams to be "optimized" in exchange for users getting unlimited access. But it turns out that everyone's content is being treated the same: it's all throttled. So what exactly is the point of having only some content providers participate? A select few companies have allowed their names to be used, and have theoretically signed on to the scheme, but those providers' data isn't being treated any differently than anyone else's, the data is ALL being throttled! Think about it, all video data on the internet is being treated the same, but only some companies are being given the opportunity to serve up unlimited amounts of video. Why? Why just them? I have read that other streaming providers can opt in for free, which if true just makes the unequal treatment worse. By default, T-Mobile is treating video data as if the provider has already agreed to the plan, but only a select few companies are reaping the benefits. From an engineering standpoint, participating companies are doing ABSOLUTELY NOTHING differently than non-participating companies. WTF? Bottom line: ALL VIDEO CONTENT IS BEING THROTTLED, SO ALL VIDEO CONTENT PROVIDERS SHOULD REAP THE BENEFITS! Anything else is a flat out violation of net neutrality. And that's the real story here.
If your alarm is armed away, who would be running a microwave?
No sir I dont like it.
Mind you the zigbee wireless is a hell of a lot more secure than what ADT is putting in for wireless.
Personally; I think a Keyfob is crappy security, regardless of the system used ---- unless its functions are essentially limited to "Force Arm" and "Panic".
Keyfobs can be lost, misplaced, stolen, or a criminal can forcibly take it from you, or force you to disarm using it.
Combinations do not suffer from these security issues; and if forced to disarm, modern panels allow duress codes to be pre-programmed.
Last I checked, ADT is just using rebadged Honeywell/VISTA Ademco panels, which they rebadge, and possibly use custom firmware on.
The Honeywell 5883H security panel RF module is capable of supporting secure two-way wireless keyfobs, and the Honeywell 5834-4 is a high-security keyfob that uses two-way radio and encrypted challenge+response, and can check current arming status.
It is important to note that Comcast is not the manufacturer of these devices. They are also most likely not creating the software for them either. The alarm system is sold by an OEM that several different alarm companies use, including other cable companies.
The system also isn't just using ZigBee for communication, it is using the ZigBee Home Automation standard. ZigBee has defined how they want home security and automation products to communicate over their ZigBee radio standard. So this isn't just related to Comcast. I would think that just about every other system out there using ZigBee for home security would have the same problem. So this is a bigger problem than just Comcast users.
I would think a software update could be pushed to the base station that would detect active signal jamming. It could be as simple as checking if the signal level is peaked on all channels with no valid data being detected. It could also be a lot more sophisticated and look at actual received data to determine if it was from a jamming device or possibly matches signatures of known devices that can cause interference.
I think an ideal solution is adding a beacon that is not dependent on power usage. This beacon would transmit on regular intervals (every second or so). If this signal is not received for a period of time (plus maybe some other detected conditions), then the system can trigger the desired alarm.
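The thread keeps circling the same trade-off: a panel that treats radio silence as "all clear" (the fail-open behaviour Rapid7 described), versus one that alarms on a single missed poll and drowns in microwave false alarms. The toy panel below is an added example, not code from Rapid7, Comcast, or the OEM. It supervises sensor check-ins with a 30-second window (the timing and 5-second poll interval are assumed, not vendor values), and, when check-ins resume, it latches a "recovered, not acknowledged" state so an outage is never silently forgotten, which addresses the earlier observation that the panel keeps believing all is well after interference clears.

```python
from dataclasses import dataclass, field
from enum import Enum

# Assumed timing (not from any vendor documentation): sensors check in every
# 5 s; only a gap of 30 s or more counts as a supervision failure, so a few
# seconds of 2.4 GHz interference does not raise an alarm.
EXPECTED_INTERVAL_S = 5.0
SUPERVISION_WINDOW_S = 30.0


class SensorState(Enum):
    OK = "ok"
    SUPERVISION_LOST = "supervision_lost"    # silent for the whole window
    RECOVERED_UNACKED = "recovered_unacked"  # check-ins resumed, gap not reviewed


@dataclass
class Sensor:
    last_seen: float
    state: SensorState = SensorState.OK
    gaps: list[tuple[float, float]] = field(default_factory=list)  # (start, end)


class Panel:
    """Toy control panel that supervises sensor heartbeats."""

    def __init__(self, fail_open: bool) -> None:
        # fail_open=True mimics the reported flaw: silence is taken as "all clear".
        self.fail_open = fail_open
        self.sensors: dict[str, Sensor] = {}

    def register(self, name: str, now: float) -> None:
        self.sensors[name] = Sensor(last_seen=now)

    def heartbeat(self, name: str, now: float) -> None:
        s = self.sensors[name]
        if s.state is SensorState.SUPERVISION_LOST:
            # Radio is back, but do not quietly return to OK: record the outage
            # and keep it visible until an operator acknowledges it.
            s.gaps.append((s.last_seen, now))
            s.state = SensorState.RECOVERED_UNACKED
        s.last_seen = now

    def acknowledge(self, name: str) -> None:
        s = self.sensors[name]
        if s.state is SensorState.RECOVERED_UNACKED:
            s.state = SensorState.OK

    def evaluate(self, now: float) -> dict[str, SensorState]:
        """Run the supervision check and return every sensor's state."""
        for s in self.sensors.values():
            if self.fail_open:
                continue  # silence never changes state: the reported behaviour
            if s.state is SensorState.OK and now - s.last_seen >= SUPERVISION_WINDOW_S:
                s.state = SensorState.SUPERVISION_LOST
        return {name: s.state for name, s in self.sensors.items()}

    def alarm_sensors(self, now: float) -> list[str]:
        return sorted(n for n, st in self.evaluate(now).items() if st is not SensorState.OK)


def simulate(fail_open: bool) -> tuple[list[str], list[str], list[str]]:
    """Constructed scenario: a door sensor checks in normally, then goes silent.

    Returns the alarm list after 10 s of silence (brief interference), after
    40 s of silence, and after check-ins resume at t=60.
    """
    panel = Panel(fail_open=fail_open)
    panel.register("front_door", now=0.0)
    for t in range(5, 21, 5):              # normal check-ins at t=5,10,15,20
        panel.heartbeat("front_door", float(t))
    brief = panel.alarm_sensors(30.0)      # 10 s silent: inside the window
    long_gap = panel.alarm_sensors(60.0)   # 40 s silent: fail-closed alarms
    panel.heartbeat("front_door", 60.0)    # radio back
    after = panel.alarm_sensors(65.0)      # fail-closed keeps the gap flagged
    return brief, long_gap, after
```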
A pizza should never be cooked by microwaves. Now, if the "microwave" happens to be a combination unit also supporting, perhaps, convection cooking, it is okay to use the "microwave" to cook the thing. The bonus of convection cooking is that having a slice or three doesn't have to come at the expense of a home security system failure between the press of start and the ding heard once the timer has counted down.
.
Landfill Mining Co.
Managing the (Un)natural Resources of Tomorrow
What, you're not supposed to program the disarm button to disarm and send the silent alarm?
No sir I dont like it.
What, you're not supposed to program the disarm button to disarm and send the silent alarm?
This is technically feasible but not recommended. One of the troubles with keyfobs is you put them in your pocket, and the buttons accidentally get pushed: also if the alarm is silent, then you won't know you have accidentally triggered it until the cops show up.
BTW, the presentation at BlackHat about serious flaws in ADT's security was pulled due to legal pressure from vendors: Two more talks pulled from Black Hat hacking conference
The paper, however, may be found here
If your children ever found out how lame you are, they'd murder you in your sleep
There are wireless bands reserved for alarms in Europe, and presumably the US too but I have not checked. Cheap systems don't use them because they need certification to ensure that they don't interfere with other alarms.
Using 2.4 GHz is beyond dumb. Then again the UK is trying to use it for meter reading too, and unsurprisingly it doesn't work very well.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Well for me in a small town that's not a big deal; grew up with most of them, might have to produce some decent coffee. Being on a keychain they are not hitting a pocket till I'm parked and well out of range.
No sir I dont like it.
I was with you up to this point. While I wish I could ignore all the shitty decisions other people make, it still affects me because the good choices I want to make become more difficult or impossible. For example, it's probably no longer possible to buy a new car that doesn't spy on you. Even if I keep driving antique cars myself, sooner or later that fact would make me stand out enough that I become trackable anyway.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
A "digital converter" lets you view a digital signal on an old analog TV. A "cable box" is a bullshit tactic that adds DRM to your cable signal (all it does is replace the functionality of the QAM tuner your TV already has, because the cable company intentionally broke it by encrypting the signal) and inflates the cost by giving the cable company a flimsy excuse to charge extra per-TV fees on top of the already-overpriced subscription itself.
Cable boxes are an attack on consumers and the FCC should never have allowed them to exist in the first place, especially in light of the Carterfone decision (the principles of which should have been applied to cable TV service just as much as to phone service).
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Damn, I screwed up the link. (Actually, it wasn't my fault; Firefox has suddenly stopped including the "http://" in the address bar for non-HTTPS URLs for some reason. WTF, Firefox?) Here's the correct one: http://arstechnica.com/tech-policy/2008/06/carterfone-40-years/
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz