Comcast security systems vulnerable by design - but what should they change?

If you follow me on Twitter, you know I have a love/hate (mostly hate) relationship with my ISP Comcast.  The problem is that in my rural area, I simply lack another choice.  Last November, Comcast was in the news for leaking private details of home wifi access points.  But this morning I saw that Comcast is in the news this time for their faulty security systems. 

Possible replacement sign?

Researchers from Rapid7 discovered that the wireless alarm system fails open by design.  One of the selling points for the Comcast home security system is that it is wireless and hence easier to install. But ease of installation comes with a price.  The Comcast home security system, like many other wireless security systems, uses the ZigBee protocol for communications between the remote sensors and the control panel.  Researchers found that if they could jam the signal between the sensor and the control panel the alarm wouldn't activate.  They also discovered that in some cases it took up to three hours for the remote sensor to synchronize with the control panel.  During this time, the sensor was not being actively jammed, but was still ineffective at sounding the alarm.

When we work with customers at Rendition Infosec, one of the design decisions we always tell them to consider is whether to have their security solutions fail open or fail closed.  There's no consistently correct answer as to which method is best.  If you are protecting classified information, failing closed is clearly the correct answer.  If you are providing lifesaving information to a doctor to treat a patient, failing open is probably the correct answer - the loss of information can always be mitigated, the loss of life less so.

In Comcast's specific case, it's hard to say what the correct answer is.  Should the alarm activate if the remote sensor loses communication with the control panel?  Perhaps this is the case in some high security applications.  But let's be fair, you probably should wire a security system in if your application is high security enough to warrant that.  In a wireless environment, imagine the number of potential false positives you could have.  The number of those false positive events is likely to increase in densely populated areas (apartments, town homes, etc.) which is precisely the target market for the "no wiring" security solution Comcast is peddling.

All in all, while I do find the research disturbing from a security sense, I wouldn't recommend that the alarm systems should fail closed by default.  The high number of false alarms would likely render the systems useless (or unused) anyway.  What Comcast should however seek to correct immediately is the amount of time that it takes for a sensor to re-establish communications with the control panel/base station.  I think anyone would agree that three hours is simply too long for this process to take.

Finally, this is another great case of "what's the worst that can happen" when adopting a product.  While the products probably tested fine in a lab under normal use, they are clearly vulnerable to trivial tampering in the real world.  Comcast is likely opening itself to legal action providing these vulnerable solutions if they do not openly disclose the vulnerabilities to current and future customers.