- January 27, 2016
- Info notes
On 5 January 2016, Boston based company Rapid7, best known for its penetration testing tool Metasploit, released an article on its blog about a security issue in an alarm system developed by Comcast. The latter company was informed prior to the public disclosure but, in part because of the absence of a responsible vulnerability disclosure scheme, it failed to address the problem in due time.
Reason for concern
According to Rapid7 researcher Phil Bosco, jamming a door or window sensor connected to the Comcast Xfinity alarm base station via the wireless protocol ZigBee, would allow anyone to open that door or window without the home security system ever knowing it had been opened, even after the jamming ceases.
Though illegal to use, jammers are a relatively simple piece of equipment to buy or build, which render a given frequency range unusable when activated: from mobile phones to fighter aircraft radios, wifi, Bluetooth, the whole spectrum can be subject to jamming. ZigBee, a communication protocol often used in IoTs for its short range low consumption characteristics, is no exception.
What is worrisome about Bosco's discovery is the fact that the base station loses connection with one of its sensors without raising any flag. Although arguably this can happen - a microwave for instance can disturb the spectrum and cause such problem - the owner could and should easily be notified, for instance first with a light or sound signal on the sensor itself, and second with a notification from the base station, for instance to the owner's mobile.
IoT developers must cope with low consumption communication protocols and battery-powered devices, thus security by default is rarely a primary requirement. Nevertheless, alarm systems are developed for security purposes so that security must be inherent to their development and their features. The ZigBee protocol, used by Comcast, is increasingly popular in IoT products such as light bulbs, motion sensors and other smart home devices and as a matter of fact, it does provide security features. At minimum hence, manufacturers of security products such as alarm systems or smart locks relying upon this protocol should use and implement these features in accordance with the risks their products are supposed to mitigate.
Reason for caution
Although the concerns related to Comcast's base station not being informed about a door opening are more than valid, one ought to question the test protocol followed by Rapid7. Indeed, instead of actually using a jammer, they only covered the door sensor in tin foil, which cannot be done without opening the door in the first place. Jammers are rather difficult to target, so that they could easily jam other sensors or even the base station, which may have triggered the alarm.
Recommendations for users
Exert caution when advertising security: no matter how modern or expensive an alarm is, resourceful criminals will always find a way in. This is not to say that alarms are not useful, to the contrary, but rather to invite to certain caution in their use. In particular, advertising the brand of the alarm, as Comcast was offering its users to do for deterrence purposes, may also paradoxically attract, as in the present case, resourceful tech-savvy burglars. Instead, indicating that the house is protected by "an" alarm should achieve the same deterrence effect without giving away precious information.
Keep a critical mind when reading about such vulnerabilities, for sometimes researchers are more interested in the public attention the disclosure receives than in the benefits for the community.
Recommendations for security products manufacturers
Follow a Secure Software Development Life Cycle (SSDLC).
Implement security by default: in the case of Comcast, opening a sensor without the base authorizing it should trigger an alarm, even if only at sensor level.
Log security events: in the case of Comcast, a sensor should notify the base, once the connection is re-established, that it had been opened.
Set up a public policy for vulnerability disclosure, as well as processes to react.
Recommendations for security products manufacturers
Adopt, as Rapid7 did, a responsible vulnerability disclosure process, even if the concerned party does not provide officially such a scheme.
Implementing a security test protocol can sometimes be challenging, given technical or legal limitations, as in the present case given the unlawful use of jammers in the US. Nevertheless, researchers should at minimum, if unable to follow the appropriate test protocol, highlight the limitations of the alternative protocol they implemented.
About "Info Notes" from ENISA
With the “Info Notes” series ENISA aims at giving the interested reader some background and recommendations about NIS related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible course of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire more information on the “Info Notes” series (firstname.lastname@example.org).