Thursday, January 21, 2016

Putting the Comcast Vulnerability in Context

Exploitable vulnerabilities are attention-grabbing, but need to be considered in proper context. Just because a design decision can be abused for ill gain doesn't always mean it was the wrong design decision.

In the news this month were numerous stories about vulnerabilities in Comcast's Xfinity home security system. The systems use wireless sensors to detect opened doors and windows, and to detect motion when a home is expected to be vacant. Some of the stories made it sound as though owners of Xfinity security systems were now a burglary waiting to happen.

Wireless sensors make installing a security system very easy. At the same time, wireless sensors are vulnerable to radio frequency interference - whether incidental or intentional.

Security products by necessity walk an often-grey line between function and usability. On the one hand, elaborate, multi-layer controls can provide a high degree of security, but at a high financial as well as usability cost. As an extreme example, Jake Williams writes of the Australian government resorting to hand-delivering submarine plans and communications, to eliminate entirely the chances of communication being intercepted electronically.

On the other hand, simple and user-friendly controls are far less cumbersome, but far easier for a determined adversary to overcome. Consumer-grade systems tend to err more on the side of usability - frustrated customers cost companies in the form of technical support, and tend not to be repeat customers.

The Xfinity system fails open, meaning a disabled sensor does not trigger an alarm. A simple radio frequency jammer can interfere with the sensors, preventing any alarm when someone opens a door or window or passes a motion sensor. A burglar with the right equipment can easily disable the system and break in without triggering an alarm.

Think about it though: do you want your home alarm to alert you every time a sensor briefly loses connectivity with the base station? Or worse, alert local authorities? Many cities have local laws that assess citations and fines for false alarms.

That Xfinity security systems are vulnerable to abuse in this manner is noteworthy, but there is a more important point to consider. Vulnerabilities need to be understood in the context of what is being protected, and in the context of who is the intended user.

I will not say whether this particular vulnerability is "a bad thing." It depends on the priorities of the purchaser. What I will say though is this: as a consumer, or as an enterprise product specialist, include failure mode in your evaluation of a product. How does the product behave when things don't go as expected - and how do you want it to behave?

The "right" design is the one that best fits with your priorities.

Do you have thoughts to add? Disagree? Comment below or hit me up on Twitter at @dnlongen.

This article first appeared in CSOonline

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.