By creating a failure condition in the 2.4 GHz radio frequency band, the Comcast XFINITY Home Security System fails open, with the base station failing to recognize or alert on a communications failure with the component sensors. In addition, sensors take an inordinate amount of time to re-establish communications with the base station, even if their "closed" state is switched to "open" during the failure event.
Update: As of January 6, Comcast is working with Rapid7 to investigate the technical details of the disclosure and potential mitigations. They also flagged that Rapid7 attempted to disclose through invalid email addresses through the xfinity.net domain, and should instead have used "firstname.lastname@example.org." We acknowledge this and would like to apologize for the miscommunication.
The Comcast XFINITY Home Security system is a remote-enabled home security system, consisting of a battery-powered base station and one or more battery-powered sensors, all using the open standard ZigBee wireless communication protocol.
This issue was discovered by Phil Bosco of Rapid7, Inc.
By causing a failure condition in the 2.4 GHz radio frequency band, the security system does not fail closed with an assumption that an attack is underway. Instead, the system fails open, and the security system continues to report that "All sensors are in-tact and all doors are closed. No motion is detected."
There does not appear to be a limit to the duration of the failure in order to trigger a warning or other alert. In addition, the sensors take a significant amount of time to re-establish communication with the hub when the radio failure subsides.
To demonstrate the issue, the researcher placed a paired window/door sensor in tin foil shielding while the system is in an ARMED state. While armed, the researcher removed the magnet from the sensor, simulating a radio jamming attack and opening the monitored door or window.
Once the magnet is removed from the sensor, the sensor was unwrapped and placed within a few inches from the base station hub that controls the alarm system. The system continued to report that it is in ARMED state. The amount of time it takes for the sensor to re-establish communications with the base station and correctly report is in an open state can range from several minutes to up to three hours.
There are any number of techniques that could be used to cause interference or deauthentication of the underlying ZigBee-based communications protocol, such as commodity radio jamming equipment and software-based deauthentication attacks on the ZigBee protocol itself.
There are no practical mitigations to this issue. A software/firmware update appears to be required in order for the base station to determine how much and how long a radio failure condition should be tolerated and how quickly sensors can re-establish communications with the base station.
This vulnerability advisory was prepared in accordance with Rapid7's disclosure policy.
- Mon, Sep 28, 2015: Issue discovered by Phil Bosco of Rapid7
- Wed, Sep 30, 2015: Internal review by Rapid7
- Mon, Nov 02, 2015: Attempted to contact the vendor
- Tue, Nov 23, 2015: Details disclosed to CERT, VU#418072 assigned
- Tue, Jan 05, 2016: Public disclosure