Comcast XFINITY flaw sounds Internet of Things security alarm

The recently discovered flaws in Comcast's XFINITY smart home technology were met with the response: yes, but everyone else is just as bad. Why should this be true of IoT devices?

The Internet of Things home

Security researchers at Rapid7 have revealed how a security flaw in Comcast XFINITY smart home technology could help robbers disable entry alarms.

As well as being bad news for high-tech homeowners, it's also ringing alarm bells as the Internet of Things carries on regardless – regardless of security considerations, that is.

The research found that a vulnerability in the Comcast XFINITY home security system could effectively disable the protection being offered.

Causing a simple failure condition in the 2.4GHz radio frequency band used by the system, such as with a commercially available radio jammer, left the alarm silent and the system thinking everything was fine.

Whereas you'd expect it to fail in a 'closed' state which assumes it is being attacked, it actually failed 'open' meaning that it continued to report all doors as closed and all sensors intact with no motion detected.

Worse yet, the system could take up to three hours to re-establish communications between the jammed sensor and the base station, leaving plenty of time for an intruder to rob the joint.
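The fail-open versus fail-closed behaviour described above, as an added illustration that is not from Rapid7's research or Comcast's firmware: a hypothetical base station that either trusts a sensor's last report indefinitely or raises an alarm once check-ins stop. The names `BaseStation` and `replay`, the 60-second timeout and the timeline are all assumptions.

```python
from dataclasses import dataclass

# Assumed value: longest silence tolerated from a sensor before it is a fault.
SUPERVISION_TIMEOUT_S = 60.0

@dataclass
class Sensor:
    state: str        # last contact state the sensor reported: "closed" or "open"
    last_seen: float  # time in seconds of the last check-in that reached the hub

class BaseStation:
    """Hypothetical armed hub that tracks sensor check-ins."""

    def __init__(self, fail_closed, timeout=SUPERVISION_TIMEOUT_S):
        self.fail_closed = fail_closed
        self.timeout = timeout
        self.sensors = {}

    def check_in(self, name, state, now):
        """Record a report that actually arrived over the radio link."""
        self.sensors[name] = Sensor(state, now)

    def status(self, name, now):
        """Return what the hub believes about the sensor at time `now`."""
        sensor = self.sensors[name]
        silent_for = now - sensor.last_seen
        if self.fail_closed and silent_for > self.timeout:
            # Fail closed: loss of contact while armed is treated as an attack.
            return "ALARM: sensor unreachable"
        # Fail open: the stale last report is trusted for as long as it takes.
        return "ALARM: door open" if sensor.state == "open" else "OK: door closed"

def replay(fail_closed):
    """Replay a constructed timeline; return (time, hub status) at each poll."""
    hub = BaseStation(fail_closed)
    hub.check_in("front_door", "closed", now=0.0)
    hub.check_in("front_door", "closed", now=30.0)
    # Constructed scenario: the radio link fails after t=30 and the door is
    # opened at t=120, so the "open" report never reaches the hub.
    return [(t, hub.status("front_door", now=t)) for t in (45.0, 120.0, 300.0)]

if __name__ == "__main__":
    for mode in (False, True):
        print("fail_closed" if mode else "fail_open", replay(mode))
```

In the fail-open run the hub still shows the door as closed at every poll, while the fail-closed run raises an alarm as soon as the silence exceeds the timeout.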

Even worse yet, Rapid7 says there are no practical mitigations and a software or firmware update will be required to fix it, something that has yet to be announced by Comcast. The company did imply, via a statement to WIRED magazine, that all home security systems have the same problem.

If that's the case then burglars must be rubbing their hands with glee, especially as jamming equipment can be bought cheaply or constructed following readily available plans online.

The IT security industry, meanwhile, has been quick to point out that this is actually just one more example of how what we broadly call the Internet of Things (IoT) is at best not as secure as it could be and at worst being built without any real thought being given to security.

With analysts predicting more than 10 billion connected devices by the end of this year, it's a problem that isn't going to go away. A survey by Accenture entitled "Igniting Growth in Consumer Technology" reveals that 47 percent cite privacy risks and security concerns as a barrier to IoT adoption. So the consumer tech industry needs to take note, and fast.

As Rob Miller, head of smart energy at MWR InfoSecurity, told SCMagazineUK.com, "There is a belief in the IoT community that using a wireless protocol such as ZigBee means that the device is secure". ZigBee is used in the XFINITY system.

While ZigBee does have a number of very effective security features such as encryption of communications, it's not a silver bullet, he warned: "Developers of IoT need to consider the unique security risks of their products rather than assuming that they have already been solved for them."

So is the kind of sensor failure displayed in the XFINITY case indicative of a wider problem with Internet of Things devices?

Stephen Coty, chief security evangelist at Alert Logic, certainly thinks so. "Most people who develop these products look more at functionality vs. security," he told us, continuing: "They should include security researchers into the development of IoT products to look for vulnerabilities and create patches." 
