Researchers Find Comcast Xfinity Home Security Vulnerable to Hacking

A cybersecurity firm reports the system’s radio can be hacked and tricked into reporting that ‘All sensors are intact and all doors are closed. No motion is detected.’


Responding to a report about vulnerabilities to its Xfinity Home security system, Comcast stated it is “reviewing this research and will proactively work with other industry partners and major providers to identify possible solutions that could benefit our customers and the industry.”

To prove his findings, Rapid7 researcher Phil Bosco simulated a radio jamming attack on one of his system’s armed window sensors. While jamming the sensor’s signal, he opened a monitored window. The sensor said it was armed, but it failed to detect anything out of the ordinary. But perhaps even more worrisome than the active intrusion itself is that the sensor had no memory of it happening and took anywhere from several minutes to three hours to come back online and reestablish communication with its home base.

The attack plays off a fundamental vulnerability in wireless devices. Anything that relies on wireless communication can be taken offline by a jamming attack. But Rapid7 was surprised by how poorly the Xfinity system responded in the aftermath of such an attack.

“Something designed for [physical] security should anticipate an active attacker because that’s the whole point of it,” Tod Beardsley, security research manager at Rapid7, told The Verge. “The fact that they don’t do that is concerning.”

This vulnerability doesn’t come as a complete surprise, The Verge writes. Security researchers have consistently warned of the security implications in connected devices because getting a functioning device to market often precedes security considerations. Beyond providing a satisfying technology experience, developers need to also build in cybersecurity procedures, Beardsley says.

“Devices should recognize these fail conditions like we expect laptops and PCs [to] do,” Beardsley says. “Something like a security system should be able to anticipate a mildly sophisticated attack like this.”
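The fail condition Beardsley describes, sketched as an added example (not Comcast's or Rapid7's code): a base station that keeps trusting a silent sensor's last reported state, next to one that treats missed check-ins as a fault. The check-in interval, the missed-frame tolerance and all names are assumptions, since the article gives no protocol details.

```python
from dataclasses import dataclass

# Assumed values for illustration; the article gives no protocol timings.
CHECKIN_INTERVAL_S = 60      # hypothetical sensor heartbeat period
MISSED_BEFORE_FAULT = 3      # hypothetical tolerance for lost frames


@dataclass
class Sensor:
    name: str
    last_state: str = "closed"   # last state the sensor reported
    last_seen: float = 0.0       # time the last frame was received (seconds)


class BaseStation:
    def __init__(self, supervise):
        self.supervise = supervise   # True: silence is treated as a fault
        self.armed = False
        self.sensors = {}

    def receive(self, name, state, now):
        """Record a frame (state change or heartbeat) from a sensor."""
        s = self.sensors.setdefault(name, Sensor(name))
        s.last_state, s.last_seen = state, now

    def status(self, name, now):
        """Return 'ok', 'alarm' or 'fault' for one sensor."""
        s = self.sensors[name]
        silent_for = now - s.last_seen
        if self.supervise and silent_for > CHECKIN_INTERVAL_S * MISSED_BEFORE_FAULT:
            return "fault"   # fail closed: silence is not evidence of 'closed'
        if self.armed and s.last_state == "open":
            return "alarm"
        return "ok"          # without supervision, a stale 'closed' is trusted


def simulate(supervise):
    """Constructed timeline: the last frame arrives at t=120, then silence."""
    base = BaseStation(supervise)
    base.armed = True
    for t in (0, 60, 120):
        base.receive("window-1", "closed", t)
    # The window's 'open' frame and all later heartbeats never arrive.
    return [base.status("window-1", t) for t in (150, 400, 3600)]


if __name__ == "__main__":
    print("unsupervised:", simulate(False))
    print("supervised:  ", simulate(True))
```

Supervision of this kind only surfaces the loss of communication to the owner or monitoring service; it does not stop the radio link from being jammed.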

Comcast said in a comment to The Verge that its system uses the “same advanced, industry-standard technology as the nation’s top home security providers,” and that this issue is being raised by “all home security systems that use wireless connectivity for door, window, and other sensors to communicate.” The company said it’s “reviewing this research and will proactively work with other industry partners and major providers to identify possible solutions that could benefit our customers and the industry.”

Meanwhile, Carnegie Mellon University’s Computer Emergency Response Team (CERT) released a vulnerability notification Monday and said it did not know of any practical solutions to the issue.
