Comcast XFINITY flaw sounds Internet of Things security alarm

News by Davey Winder

The recently discovered flaw in Comcast's XFINITY smart home technology was met with the comment that yes, but everyone else is just as bad. Why should this be true of IoT devices?

Security researchers at Rapid7 have revealed how a security flaw in Comcast XFINITY smart home technology could help robbers disable entry alarms.

As well as being bad news for high-tech homeowners, it's also ringing alarm bells as the Internet of Things carries on regardless – regardless of security considerations, that is.

The research found that a vulnerability in the Comcast XFINITY home security system could effectively disable the protection it offered.

Causing a simple failure condition in the 2.4GHz radio frequency band used by the system, such as with a commercially available radio jammer, left the alarm silent and the system thinking everything was fine.

Whereas you'd expect it to fail in a 'closed' state, which assumes it is being attacked, it actually failed 'open', meaning that it continued to report all doors as closed and all sensors intact, with no motion detected.

Worse yet, the system could take up to three hours to re-establish communications between the jammed sensor and the base station, leaving plenty of time for an intruder to rob the joint.

Even worse yet, Rapid7 says there are no practical mitigations and a software or firmware update will be required to fix it, something that has yet to be announced by Comcast. The company did imply, via a statement to WIRED magazine, that all home security systems have the same problem.

If that's the case then burglars must be rubbing their hands with glee, especially as jamming equipment can be bought cheaply or constructed following readily available plans online.
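The difference between failing open and failing closed on a lost sensor link, as an added illustration (not code from Comcast, Rapid7 or the article): a toy base station that either keeps reporting a silent sensor's last known state or flags it as trouble once a supervision window elapses. The class names, sensor IDs and the 180-second window are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    CLOSED = "closed"
    OPEN = "open"
    TROUBLE = "trouble"  # link lost: treat as possible tampering


@dataclass
class SensorRecord:
    last_state: Status
    last_seen: float  # seconds on the base station's clock


class BaseStation:
    """Toy model of a base station tracking wireless door sensors."""

    def __init__(self, supervision_window: float, fail_closed: bool):
        self.supervision_window = supervision_window  # assumed value, not a vendor setting
        self.fail_closed = fail_closed
        self.sensors: dict[str, SensorRecord] = {}

    def check_in(self, sensor_id: str, state: Status, now: float) -> None:
        """Record a sensor report (state change or periodic heartbeat)."""
        self.sensors[sensor_id] = SensorRecord(state, now)

    def status(self, sensor_id: str, now: float) -> Status:
        rec = self.sensors[sensor_id]
        silent_for = now - rec.last_seen
        if self.fail_closed and silent_for > self.supervision_window:
            return Status.TROUBLE  # silence is treated as a fault, not as "all fine"
        # Fail-open: stale data is presented as if it were current.
        return rec.last_state

    def armed_alerts(self, now: float) -> list[str]:
        """Sensors that should raise an alert while the system is armed."""
        return sorted(s for s in self.sensors
                      if self.status(s, now) is not Status.CLOSED)


def simulate(fail_closed: bool) -> list[str]:
    """Constructed timeline: front door reports 'closed' at t=0, then goes silent."""
    station = BaseStation(supervision_window=180.0, fail_closed=fail_closed)
    station.check_in("front-door", Status.CLOSED, now=0.0)
    station.check_in("back-door", Status.CLOSED, now=550.0)  # still checking in
    return station.armed_alerts(now=600.0)
```

With the fail-open policy the silent front-door sensor raises nothing at t=600; with the fail-closed policy it is reported as soon as the supervision window is exceeded.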

The IT security industry, meanwhile, has been quick to point out that this is actually just one more example of how what we broadly call the Internet of Things (IoT) is at best not as secure as it could be and at worst being built without any real thought being given to security.

With analysts predicting more than 10 billion connected devices by the end of this year, it's a problem that isn't going to go away. A survey by Accenture entitled "Igniting Growth in Consumer Technology" reveals that 47 percent quote privacy risks and security concerns as a barrier to IoT adoption. So the consumer tech industry needs to take note, and fast.

As Rob Miller, head of smart energy at MWR InfoSecurity, told SC, "There is a belief in the IoT community that using a wireless protocol such as ZigBee means that the device is secure". ZigBee is used in the XFINITY system.

While ZigBee does have a number of very effective security features such as encryption of communications, it's not a silver bullet, he warned: "Developers of IoT need to consider the unique security risks of their products rather than assuming that they have already been solved for them."

So is the kind of sensor failure displayed in the XFINITY case indicative of a wider problem with Internet of Things devices?

Stephen Coty, chief security evangelist at Alert Logic, certainly thinks so. "Most people who develop these products look more at functionality vs. security," he told us, continuing: "They should include security researchers into the development of IoT products to look for vulnerabilities and create patches." 

Grayson Milbourne, intelligence director at Webroot, agrees that it appears to be an indicator of a wider problem with IoT devices. He told SC it is true that security is not given the right priority to ensure these devices are secure. "IoT systems are growing in complexity, particularly as the physical and digital worlds collide," he said.

Paul McEvatt, senior cyber threat intelligence manager UK & Ireland at Fujitsu, points out that it's really a combination of factors at play, the primary one being a lack of understanding of security, whether that's shipping devices with default credentials that allow them to be compromised, or leaving open services for the devices to be targeted. "With the likes of Shodan and Censys being used as online services to look for vulnerable IoT devices," McEvatt warns, "they can become an easy target for low level cyber-criminals."

Which leads on to asking why inadequate security testing is such an apparent problem with IoT devices. Is it a rush-to-market scenario, a cost-cutting exercise, something that comes with the 'smaller, smaller, smaller' territory many IoT devices occupy, or a combination of all of the above?

Chris Oakley, managing principal security consultant at Nettitude, explains that IoT devices are still an emerging technology occupying an active and low-margin market. "The reality is that most consumers value features over security," he admits.

And while the IoT consumer endgame is all about making the things around us smarter, it's also often about making things smaller, as Mary Beth Hall, director of product management and development at Verizon, says. "Many sensors, especially those embedded in assets, must be frugal," she told SC. "Limitations on space mean that processing power and battery life are often limited. This means that many sensors aren't capable of running the endpoint protection capabilities we're used to seeing in more sophisticated assets like laptops."

Indeed, the devices are getting smaller but the attack surface is growing. For example, a legacy device in your kitchen with a simple circuit board and micro switches will now be a 'smart' device with multiple circuit boards, a CPU, operating system, user interface, communications interfaces and an app with cloud storage – often from different vendors.

Alex Farrant, senior security researcher with Context Information Security, warns that the attack surface and risk have "increased exponentially for the benefit of a modest increase in useful functionality". Farrant told SC how Context had assessed IoT products recently where the hardware was made by one company, the firmware by another and the app by another.

The product was then branded and sold by a fourth, big-name company, which increases risk and dilutes responsibility. "When we reported multiple serious security issues with the device's firmware," Farrant explained, "we were quickly redirected to the company that make the app who had little influence over the firmware development which was performed by a different company in a different country."

For small IoT companies looking to cobble something together quickly, this global workforce pattern has advantages, but for testing, rectifying security defects and taking responsibility it is definitely a disadvantage.

"Thorough testing is required to improve the state of IoT security," Farrant insists, concluding, "This means not just the obligatory functional testing where a button is pressed on an app and something happens but independent security testing which is expensive." 


So, what can and should be done to improve IoT security? Achim Kraus, EMEA technical leader at Vectra Networks, is clear on the answer. While stopping every unknown exploit against a non-PC device is impossible, devices on the growing IoT map pose a potential IT security threat.

"Using behaviour-based analysis," Kraus says, "if any of these devices begin scanning the network, spreading malware or creating covert connections out to hacker sites to funnel data, that activity immediately generates alerts."

Of course, the real problem is that the IoT has proven to have many more attack vectors than companies are accustomed to. "Instead of the traditional attack vectors aimed at the data centre, there are now multiple attack points that did not require additional attention in the past," advises Reiner Kappenberger, global product management at HPE Security. "These are obviously the IoT device itself and the remote control device (such as a cell phone)."

And it is easily forgotten that there are other elements as well – such as the home network. So traditional approaches are not enough to cover the security needs for IoT.

It means that protocols need to be suitable for IoT devices and not come with backdoors; that all communication between IoT devices and the backend should be encrypted using TLS, with proper authentication; that the device should be suitably hardened; and that long-term security sustainability is built in.

Mary Beth Hall at Verizon adds that just as with any other IT system, organisations should regularly assess the risk, apply appropriate security measures and test their effectiveness. Perhaps the most important of these is effective patch management.

"The 2015 DBIR [Data Breach Investigations Report by Verizon] found that most attacks exploited known vulnerabilities where a patch has been available for months, often years," Hall explains. "You don't want to have to rely on manual methods to keep hundreds or thousands of devices up to date. Investigate secure methods to deploy updates automatically."

The most interesting, and controversial, viewpoint laid before us came from Lawrence Munro, director of EMEA & APAC at Trustwave. "I feel that there is a lack of embarrassment for IoT vendors when their systems (however ubiquitous) are compromised," he told SC.

He argues that there only seems to be coverage in the tech- and security-specific press, which doesn't help raise the profile of these incidents and ultimately exert pressure on vendors to improve their products. "The typical IoT device consumer has shifted guise from your typical tech or gadget geek and now the man-on-the-street is a target demographic," Munro continues. "This has meant that the consumers of IoT devices care less about how they work and more about how they look and the often superfluous and flashy feature-set than ever before."

Essentially, the vendors are being given a hall pass by their unsuspecting clientele. In order to address this, the answer is, as always, user education. This should come, according to Phill Pexton, senior analyst at Beecham Research, in two forms.

For companies there is a need for an understanding "that their products are accessible to nearly everyone, and can be broken down and reverse engineered to exploit security flaws, something rarely experienced in network security or M2M security," Pexton explains. From this position tighter security policies can be developed.

As for end users, they should be educated so that they realise that "bringing an internet enabled device into your home exposes you to the same sort of threats as having a home computer".

Pexton concludes with age-old advice: "Be sure to change default passwords, install updates as soon as they become available and disable any features you might not be using..." 

