A security vendor says it discovered a flaw in Comcast's home security system that could let criminals break into houses undetected by using radio jamming equipment. The vendor, Rapid7, says it alerted Comcast to the problem two months ago but never received a response from the company. However, Comcast told Ars that Rapid7 e-mailed the wrong address.

Though primarily known for its cable TV and broadband Internet services, Comcast also sells Xfinity-branded home security systems. Rapid7 found the flaw in Comcast's implementation of the ZigBee wireless protocol. Attackers armed with commodity radio-jamming equipment can "cause interference or deauthentication of the underlying ZigBee-based communications protocol," Rapid7 said. When this happens, sensors that detect motion or open doors and windows are unable to communicate with a base station hub in the home that controls the alarm system.

Rapid7 published details of the flaw in an advisory today, in accordance with its policy of giving companies at least 60 days to respond before making a security problem public. That's a pretty standard timeline used by other companies and security research organizations—though it seems Rapid7's attempt to contact Comcast went awry.

If the attacker uses this equipment and breaks into a home monitored by Comcast's security system, the Comcast system will continue to report that all sensors are intact and that all doors are closed. No alarm will sound and homeowners won't get the real-time text and e-mail alerts they're supposed to receive when someone breaks into the home. "The amount of time it takes for the sensor to re-establish communications with the base station and correctly report it is in an open state can range from several minutes to up to three hours," Rapid7 wrote.

In addition to radio jamming equipment, attackers could also use "software-based deauthentication attacks on the ZigBee protocol itself" in order to achieve the same result, according to Rapid7.

Comcast told Ars that it uses industry-standard technology and will work with other companies to identify a solution.

“There’s no indicator to the user that something bad happened or something unusual—that it was being jammed for 20 minutes or whatever,” Rapid7 Security Research Manager Tod Beardsley said in an interview with Wired. “The sensor says ‘everything is cool, everything is cool,’ and then it stops talking, and the base station says ‘I guess everything is [still] cool.’”

After the sensors reestablish connection with the base station, “There’s no clue to let the base station know, ‘While you weren’t acknowledging any of my signals, I was open,’” Beardsley said.

There are no practical steps consumers can take to work around the problem, so Comcast needs to issue a software or firmware update "in order for the base station to determine how much and how long a radio failure condition should be tolerated and how quickly sensors can re-establish communications with the base station," Rapid7 said. At the very least, a Comcast system that can't communicate with a building's sensors should notify occupants that something is wrong rather than continuing to report that everything is safe.
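As an added illustration (not code from Rapid7, Comcast, or the original article), the following Python simulates the hub-side logic at issue: the naive version keeps trusting a sensor's last report, while the supervised version raises a link-lost alert once a sensor has been silent longer than an assumed tolerance. The sensor timeline and the 90-second timeout are constructed values.

```python
# Constructed timeline of sensor reports, not real Xfinity or ZigBee traffic.
# Each entry is (seconds since start, sensor id, reported state).
# Nothing arrives between t=60 and t=1500: that gap stands in for the jammed
# (or deauthenticated) radio link during which the door is actually opened.
REPORTS = [
    (0, "front_door", "closed"),
    (30, "front_door", "closed"),
    (60, "front_door", "closed"),
    (1500, "front_door", "closed"),  # link back up, door closed again
]

# Assumed tolerance: how long the hub accepts silence before treating the link
# as failed. The article says Comcast must pick this value; 90 s is a placeholder.
SUPERVISION_TIMEOUT = 90


def naive_status(reports, now):
    """Flawed behaviour the article describes: the last report a sensor sent is
    trusted indefinitely, so a jammed sensor keeps reading 'closed'."""
    last_state = {}
    for t, sensor, state in sorted(reports):
        if t <= now:
            last_state[sensor] = state
    return last_state


def supervised_status(reports, now, timeout=SUPERVISION_TIMEOUT):
    """Hardened behaviour: a sensor silent for longer than `timeout` is reported
    as 'link_lost' instead of its stale state, so the occupant can be alerted."""
    last_seen, last_state = {}, {}
    for t, sensor, state in sorted(reports):
        if t <= now:
            last_seen[sensor], last_state[sensor] = t, state
    return {
        s: ("link_lost" if now - last_seen[s] > timeout else last_state[s])
        for s in last_state
    }


def supervision_events(reports, timeout=SUPERVISION_TIMEOUT):
    """Walk the whole timeline and return (time, sensor, event) tuples marking
    when the hub should raise and later clear a 'radio link lost' alert."""
    events, last_seen = [], {}
    for t, sensor, _state in sorted(reports):
        if sensor in last_seen and t - last_seen[sensor] > timeout:
            events.append((last_seen[sensor] + timeout, sensor, "link_lost"))
            events.append((t, sensor, "link_restored"))
        last_seen[sensor] = t
    return events
```

At t=600 the naive hub still reports the door closed, while the supervised hub has already flagged the link as lost at t=150 and clears the alert only when a fresh report arrives at t=1500.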

Lack of communication between Comcast and Rapid7

A Rapid7 spokesperson told Ars today that the company "attempted contact with Comcast on November 2, but did not get any responses to its inquiries to security@xfinity.com, secure@xfinity.com, info@xfinity.com, support@xfinity.com, or abuse@xfinity.com. So far, Comcast has not acknowledged Rapid7’s attempts to contact them about this issue."

However, Comcast told Ars that these addresses are incorrect and that Rapid7 should have instead e-mailed abuse@comcast.net, the same e-mail Comcast says customers should contact if they've been hacked. It's not clear to us whether any of the e-mail addresses Rapid7 used actually exist.

We asked Comcast this morning what its plans are for issuing a fix. The company's public relations team told us that “Our home security system uses the same advanced, industry-standard technology as the nation’s top home security providers. The issue being raised is technology used by all home security systems that use wireless connectivity for door, window and other sensors to communicate. We are reviewing this research and will proactively work with other industry partners and major providers to identify possible solutions that could benefit our customers and the industry.”

Security researchers at CognoSec warned in August of potential flaws in home automation systems using the ZigBee protocol, which is suitable for building wireless networks with "low-cost" devices that require little power consumption. The ZigBee standard itself uses strong encryption, but there are generally limited resources in ZigBee-powered wireless networks, which use battery-powered devices with limited computational power and memory size. "The main risks for ZigBee Home Automation Systems are implementation failures and shortfalls," CognoSec said.

Beardsley said the Comcast flaw is common in so-called Internet of Things devices. “We see these kinds of design decisions, these failure conditions, not really getting tested in Internet of Things devices [before they’re sold]," he said.

In some cases, Comcast alarm systems have failed because they were installed incorrectly. But with the security flaw reported by Rapid7, even a system that's installed correctly would be at risk.

Editor's note: This article was published just before Comcast told us that Rapid7 didn't e-mail the correct address when reporting the security vulnerability. We've added that information since publication.

UPDATE: We asked Rapid7 to explain how it chose the e-mail addresses it used to contact Comcast, and the company said the following:

We attempted to contact anyone responsible for the security of Xfinity home security devices at the following addresses: security@xfinity.com; secure@xfinity.com; support@xfinity.com; info@xfinity.com; abuse@xfinity.com, but we did not get a response to our attempt to disclose the issues to the vendor. There is no guidance on http://customer.xfinity.com/help-and-support/home-security/ or other obvious indicator of where security issues should be reported, so these addresses were chosen based on what we see work most effectively from other vendors. Often, when security@someorganization.com fails, we tend to be able to get a human response on one of the other backup addresses of support@, info@, or abuse@. After attempting to contact the vendor directly, we did contact CERT with the findings, and they committed to also attempt to contact the vendor. From what we understand, CERT was also unsuccessful in their attempts to contact Xfinity between November 24 and December 10, 2015.

CERT is a research group affiliated with Carnegie Mellon University that coordinates responses to Internet security problems.