Cable providers want to do more than just service the dumb pipe that shuttles information and content to and from your home. One way of expanding their reach is to provide online home automation and home security systems, as cable giant Comcast does with its wireless Xfinity Home offering. But that system is apparently easy to undermine, reports cybersecurity firm Rapid7, which claims that it had difficulty reaching Comcast to alert it to the vulnerability. Comcast says it is looking into the claims, adding that Rapid7 didn't make much of an effort to alert it to the purported vulnerability.
The bug that Rapid7 announced today is a long-standing vulnerability that allows a cheap radio-jamming device to disable the Xfinity security system. Xfinity Home consists of door and window sensors, motion detectors, and cameras using a wireless communications standard called ZigBee, which runs on the same 2.4GHz frequency band as Wi-Fi but saves power because it transmits less data. That allows battery-powered devices, like the Xfinity sensors and hub, to run longer; and ZigBee provides plenty of bandwidth for the relative trickle of information transmitted by home security sensors.
As anyone who's ever used a wireless device knows, connections sometimes drop. The first problem with Xfinity security, says Rapid7, is that the sensors can take a long time to reconnect to the hub—up to three hours. The second problem: All the while they are disconnected, the system defaults to thinking that it is in a safe state, with the doors and windows closed and no movement around the house. According to a statement from Rapid7, the system continues to report, "All sensors are intact and all doors are closed. No motion is detected." The third problem: Even after the sensors reconnect, they aren't able to tell the hub if there was any unusual activity during the radio silence.
Jamming wireless networks is a trivial affair, as they are designed to be extremely polite, allowing all devices a chance to jump on. A wireless jammer takes advantage of this by flooding the network with noise so that no other device has a chance to get in.
"The news isn't that these things can be jammed," says Tod Beardsley, Rapid7's principal security manager. "The news is, they can be jammed, and there's no way to tell they've been jammed." He suggests two fixes: to have the base station issue an "Amber alert" when it loses connection to the sensors, and a log on the sensor to report what happened while the connection was down. The apparent lack of warning mechanisms is "the most surprising part of the problem," says Beardsley. Rapid7 claims that there is no workaround that a user can implement to fix the bug and that a software or firmware update is required to enable the kind of alerts suggested by Beardsley.
In response to the claims, Comcast told Ars Technica: " We are reviewing this research and will proactively work with other industry partners and major providers to identify possible solutions that could benefit our customers and the industry."
There's another communications failure here—between Rapid7 and Comcast. The security firm says that it attempted to contact Comcast, on November 2, 2015; but it never received a reply. On November 23, says Rapid7, it reported the vulnerability to CERT, the institute at Carnegie Mellon University that serves as the national clearinghouse for tracking security vulnerabilities. (It coordinates closely with the Department of Homeland Security.) CERT also attempted to contact Comcast, says Beardsley.
But a spokesman for Comcast insists that it never heard from Rapid7. The company told Ars Technica that Rapid7 should have sent an email to email@example.com. Rapid7 instead used firstname.lastname@example.org (as well as email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org).
The whole scenario raises a few questions. Why doesn't Comcast have forwarding set up for any permutation of a security-related email address? And why did Rapid7 exert so little effort in alterting a huge corporation to a purportedly major flaw in its security product? Couldn't Rapid7 pick up the phone, contact Comcast's corporate office and ask to talk to someone who handles security?
"We tend to try to email them," says Beardsley. "Some bounced, some didn't." Rapid7 prefers email, he says, because it can use PGP encrypted messages to ensure the information gets to the right person. "I never know who I'm talking to on the phone," says Beardsley. "I never know if I'm talking to a real employee or a contractor or an employee who's going to be quitting in a month."
But couldn't he go to Comcast's About page and look up the name of the CTO? "I suppose, yes, we could," says Beardsley. (I was able to find the bio for CTO Tony G. Werner in about 60 seconds.) "I think we're going to start cc-ing…public relations people," he says. "They seem to be pretty responsive. "And at least from there we might be able to find a reasonable security contact."