Comcast Xfinity home security system exposed to a severe vulnerability
Researchers recently found a security vulnerability in the Comcast Xfinity home security system that lets an attacker enter a user's home without triggering an alarm.
Comcast is the largest cable TV company in the United States and also provides broadband and IP telephone services. The Xfinity home security system is a smart home monitoring solution rented on a monthly basis. Beyond residential alarm functions, it is sold bundled with Comcast's cable TV, internet and telephone services.
Xfinity relies primarily on battery-powered sensors to detect intruders. The sensors communicate with the base station over ZigBee, a 2.4 GHz wireless protocol, and the system sends alerts to users by text message or email.
Rapid7 security researchers said the vulnerability allows attackers to fool the system so that it detects neither the opening of doors and windows nor any motion.
The vulnerability is triggered through the 2.4 GHz wireless band. When communication on that band fails, the Xfinity system does not fail closed: by default it assumes that all sensors are intact, that all doors and windows are closed, and that no motion has been detected.
The system places no limit on how long such a fault may last and raises no alarm while the fault persists. When the wireless band returns to normal, the sensors take a long time to reconnect to the hub.
With the system in the ARMED state, the researchers wrapped a door/window sensor pair in tin foil to shield it, then separated the magnet from the sensor, simulating a radio interference attack combined with opening the monitored door or window. Although the sensor was only a few feet from the control hub, the system stayed in the ARMED state when the magnet was removed. Once the sensor was unshielded, it took anywhere from several minutes to three hours to re-establish a connection with the hub, and during that time the system still did not raise an alarm.
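The experiment above comes down to one design question: what a hub does while a sensor is silent. The following simulation is an added illustration, not Comcast, Xfinity or Rapid7 code; the hub model, the 60 s heartbeat, the 180 s supervision window and the interference timeline are constructed assumptions. It replays the same sequence (interference starts, the door is opened while the link is blocked, the sensor rejoins much later) against a fail-open hub that assumes a silent sensor is fine and a fail-closed hub that treats silence beyond a supervision window as a fault.

```python
"""Fail-open vs fail-closed sensor supervision, simulated.

Added example for this article; it is not Comcast, Xfinity or Rapid7 code.
The hub model, the 180 s supervision window, the 60 s heartbeat and the
interference timeline are constructed assumptions used to show the
behaviour the article describes.
"""
from dataclasses import dataclass, field
from enum import Enum


class Event(Enum):
    HEARTBEAT = "heartbeat"  # periodic liveness report from a sensor
    OPEN = "open"            # magnet separated: door or window opened


@dataclass
class Hub:
    armed: bool
    fail_closed: bool            # treat prolonged sensor silence as a fault
    supervision_window: float    # seconds of silence tolerated while armed
    last_seen: dict = field(default_factory=dict)
    faulted: set = field(default_factory=set)
    alarms: list = field(default_factory=list)

    def register(self, sensor: str, now: float) -> None:
        self.last_seen[sensor] = now

    def receive(self, sensor: str, event: Event, now: float) -> None:
        """A message that was actually delivered over the 2.4 GHz link."""
        self.last_seen[sensor] = now
        self.faulted.discard(sensor)  # sensor is back; the logged alarm stays
        if event is Event.OPEN and self.armed:
            self.alarms.append((now, sensor, "opened"))

    def tick(self, now: float) -> None:
        """Periodic supervision check. A fail-open hub assumes a silent
        sensor is fine; a fail-closed hub raises a fault once the
        supervision window is exceeded."""
        if not (self.armed and self.fail_closed):
            return
        for sensor, seen in self.last_seen.items():
            if now - seen > self.supervision_window and sensor not in self.faulted:
                self.faulted.add(sensor)
                self.alarms.append((now, sensor, "supervision lost"))


def run_scenario(fail_closed: bool, supervision_window: float = 180.0) -> list:
    """Replay a constructed hour: heartbeats every 60 s, interference from
    t=300 s, the door opened at t=320 s while jammed, radio back at t=1800 s."""
    hub = Hub(armed=True, fail_closed=fail_closed,
              supervision_window=supervision_window)
    hub.register("front-door", 0.0)
    jam_start, jam_end = 300.0, 1800.0  # constructed interference window

    events_at = {}
    for t in range(60, 3601, 60):
        events_at.setdefault(float(t), []).append(Event.HEARTBEAT)
    events_at.setdefault(320.0, []).append(Event.OPEN)

    for step in range(0, 3601):
        now = float(step)
        for ev in events_at.get(now, []):
            if jam_start <= now < jam_end:
                continue  # interference: the frame never reaches the hub
            hub.receive("front-door", ev, now)
        if step % 30 == 0:
            hub.tick(now)
    return hub.alarms


if __name__ == "__main__":
    print("fail-open  :", run_scenario(fail_closed=False))
    print("fail-closed:", run_scenario(fail_closed=True))
```

In both runs the OPEN report itself is lost, because it is sent while the link is blocked. The fail-open hub therefore logs nothing for the whole hour, exactly the behaviour the researchers observed. The fail-closed hub cannot see the door either, but it raises a "supervision lost" fault a few minutes after the last heartbeat, long before the sensor rejoins, which is the property a monitored alarm should have.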
Rapid7 researchers pointed out that there are several ways to interfere with communication between the sensors and the base station, such as radio jamming devices or software-based de-authentication attacks against the ZigBee protocol.
Mitigation
There is currently no good way to mitigate this vulnerability: how the base station handles radio failures, and how quickly sensors reconnect to it afterwards, are both controlled by software or firmware that only the vendor can update.
CERT has published an advisory for the vulnerability. Comcast has acknowledged that it has not yet found a proper fix, and said it would continue to study the problem and work with other vendors to determine an appropriate solution.