|Possible replacement sign?|
When we work with customers at Rendition Infosec, one of the design decisions we always tell them to consider is whether to have their security solutions fail open or fail closed. There's no consistently correct answer as to which method is best. If you are protecting classified information, failing closed is clearly the correct answer. If you are providing lifesaving information to a doctor to treat a patient, failing open is probably the correct answer - the loss of information can always be mitigated, the loss of life less so.
In Comcast's specific case, it's hard to say what the correct answer is. Should the alarm activate if the remote sensor loses communication with the control panel? Perhaps this is the case in some high security applications. But let's be fair, you probably should wire a security system in if your application is high security enough to warrant that. In a wireless environment, imagine the number of potential false positives you could have. The number of those false positive events is likely to increase in densely populated areas (apartments, town homes, etc.) which is precisely the target market for the "no wiring" security solution Comcast is peddling.
All in all, while I do find the research disturbing from a security sense, I wouldn't recommend that the alarm systems should fail closed by default. The high number of false alarms would likely render the systems useless (or unused) anyway. What Comcast should however seek to correct immediately is the amount of time that it takes for a sensor to re-establish communications with the control panel/base station. I think anyone would agree that three hours is simply too long for this process to take.
Finally, this is another great case of "what's the worst that can happen" when adopting a product. While the products probably tested fine in a lab under normal use, they are clearly vulnerable to trivial tampering in the real world. Comcast is likely opening itself to legal action providing these vulnerable solutions if they do not openly disclose the vulnerabilities to current and future customers.