A security vendor says it discovered a flaw in Comcast's home security system that could let criminals break into houses undetected by using radio jamming equipment. The vendor, Rapid7, says it alerted Comcast to the problem two months ago but never received a response from the company. However, Comcast told Ars that Rapid7 e-mailed the wrong address.
Though primarily known for its cable TV and broadband Internet services, Comcast also sells Xfinity-branded home security systems. Rapid7 found the flaw in Comcast's implementation of the ZigBee wireless protocol. Attackers armed with commodity radio-jamming equipment can "cause interference or deauthentication of the underlying ZigBee-based communications protocol," Rapid7 said. When this happens, sensors that detect motion or open doors and windows are unable to communicate with a base station hub in the home that controls the alarm system.
Rapid7 published details of the flaw in an advisory today, in accordance with its policy of giving companies at least 60 days to respond before making a security problem public. That's a pretty standard timeline used by other companies and security research organizations—though it seems Rapid7's attempt to contact Comcast went awry.