Security firm: WarezTheRemote flaw could turn a Comcast remote into a listening device

Could your cable TV device spy on you? Vulnerability found and patched in Comcast TV remote.

Security researchers at Guardicore reverse-engineered the firmware update process for a popular Comcast remote to turn the device into a spying tool.

Security firm Guardicore reverse-engineered the firmware update process for Comcast’s XR11 remote to take control of the device. Researchers interrupted the process to turn the voice-control element of the remote into a listening device.

Once the malicious firmware update was in place, researchers used a 16dBi antenna and were able to listen to conversations inside a house from about 65 feet away.

The WarezTheRemote attack could have affected the 18 million remotes in use around the US. After Guardicore disclosed the vulnerability to Comcast, the company developed a fix that was deployed to all units by the end of September. 

The XR11 has a microphone button that lets users operate the set-top box with voice commands. The remote communicates with the set-top box over radio frequency (RF) rather than infrared. As the researchers wrote in their paper on the vulnerability, “RF enables contact with the remote from afar, which makes for a larger attack surface than a remote control would otherwise have, and the recording capability makes it a high-value target.”

Guardicore described the vulnerability in a new paper published Wednesday, “WarezTheRemote: Turning remotes into listening devices.” Guardicore used a man-in-the-middle attack to exploit the remote’s RF communication with the set-top box and its over-the-air firmware upgrades. By pushing a malicious firmware image back through the remote, attackers could have used the remote to continuously record audio without requiring any user interaction.

Guardicore researchers put the security threat in context:

“… with so many