A voice-activated TV remote can be turned into a covert home surveillance device, according to researchers from infosec firm Guardicore who probed the device to show that a man-in-the-middle attack could compromise it.
Guardicore discovered an attack vector on US telco giant Comcast's Xfinity XR11 voice remote – of which around 18 million units have been sold – that allowed malicious people to turn it into an eavesdropping device.
Dubbing the attack method WarezTheRemote, researchers explained that the clicker's use of RF spectrum to communicate with its set-top box – instead of the traditional infrared systems used for telly remotes – gave them a way to use its microphone to snoop on private conversations in the home.
The firm said in a blog post: "The attack did not require physical contact with the targeted remote or any interaction from the victim – any hacker with a cheap RF transceiver could have used it to take over an XR11 remote. Using a 16dBi antenna, we were able to listen to conversations happening in a house from about 65 feet [about 20m] away. We believe this could have been amplified easily using better equipment."
Using research from the CableTap project, Guardicore realised the remotes automatically polled their paired, internet-connected set-top boxes for firmware updates. CableTap found that those firmware images did not need to be signed for the remote to install them.
The flaw lay not in the protocol itself (Radio Frequency for Consumer Electronics, RF4CE, a Zigbee Alliance specification built on IEEE 802.15.4) but in how the XR11 firmware implemented it, and it allowed the researchers to reflash the remote's firmware.
They explained: "The vulnerability was that the original XR11 firmware didn't verify that responses to encrypted requests are encrypted as well. This means that if an attacker within RF range had responded to outgoing (encrypted) requests from the remote in plaintext, the remote would have accepted the spurious responses."
Using this, the researchers were able to impersonate the set-top box that the target remote was paired with and push their own firmware to it. Once that was loaded into the remote (a process the team said took "35 minutes") and they had access to the microphone and the built-in recording feature, they started experimenting to find out how far away the microphone's transmissions could be picked up. It turned out to be quite a long way indeed.
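The exchange described above, modelled as an added example (this is not Guardicore's code and not the real RF4CE stack): a remote that sends an encrypted update poll, a set-top box that answers it properly, and an attacker in radio range who answers in plaintext. The frame layout, the command IDs, the `UPDATE:` payload format and the `strict` flag are assumptions made for the illustration, and a SHA-256 keystream plus truncated HMAC stands in for the AES-128 CCM* that RF4CE really uses so the script runs with only the standard library. The `strict` remote models the fix: a reply to an encrypted request must itself be encrypted and carry a valid MIC.

```python
"""Toy model of the XR11 'plaintext reply to an encrypted request' flaw.

Added example, not Guardicore's code and not the real RF4CE implementation.
Frame layout, command IDs and the keyed construction are assumptions.
"""
import hashlib
import hmac
import os

SECURITY_ENABLED = 0x08      # assumed frame-control flag: "this frame is secured"
CMD_UPDATE_CHECK = 0x01      # assumed command ID: remote polls for firmware
CMD_UPDATE_RESPONSE = 0x02   # assumed command ID: box answers the poll


def _keystream(key: bytes, counter: int, n: int) -> bytes:
    # Stand-in for a CCM* counter-mode keystream; NOT a real cipher.
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "little") + bytes([block])).digest()
        block += 1
    return out[:n]


def seal(key: bytes, counter: int, cmd: int, payload: bytes) -> bytes:
    """Secured frame: header, encrypted payload, 4-byte MIC over header + ciphertext."""
    header = bytes([SECURITY_ENABLED, cmd]) + counter.to_bytes(4, "little")
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, counter, len(payload))))
    mic = hmac.new(key, header + ct, hashlib.sha256).digest()[:4]
    return header + ct + mic


def plain(cmd: int, counter: int, payload: bytes) -> bytes:
    """Unsecured frame: same header layout with the security flag clear, no MIC."""
    return bytes([0x00, cmd]) + counter.to_bytes(4, "little") + payload


def open_frame(key: bytes, frame: bytes):
    """Parse a frame; returns (secured, cmd, counter, payload) or raises on bad MIC."""
    fc, cmd = frame[0], frame[1]
    counter = int.from_bytes(frame[2:6], "little")
    body = frame[6:]
    if not fc & SECURITY_ENABLED:
        return False, cmd, counter, body          # plaintext frame, taken at face value
    ct, mic = body[:-4], body[-4:]
    expect = hmac.new(key, frame[:6] + ct, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(mic, expect):
        raise ValueError("bad MIC")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, counter, len(ct))))
    return True, cmd, counter, pt


class Remote:
    def __init__(self, link_key: bytes, strict: bool):
        self.key = link_key
        self.strict = strict          # False: original XR11 behaviour; True: the fix
        self.counter = 0
        self.pending = None
        self.firmware = b"official-v1"

    def poll_for_update(self) -> bytes:
        self.counter += 1
        self.pending = self.counter
        return seal(self.key, self.counter, CMD_UPDATE_CHECK, b"version?")

    def handle_response(self, frame: bytes) -> str:
        try:
            secured, cmd, counter, payload = open_frame(self.key, frame)
        except ValueError:
            return "rejected: bad MIC"
        if cmd != CMD_UPDATE_RESPONSE or counter != self.pending:
            return "rejected: not a reply to my request"
        if self.strict and not secured:
            return "rejected: plaintext reply to an encrypted request"
        # Images are not signed (CableTap), so whatever arrives gets installed.
        if payload.startswith(b"UPDATE:"):
            self.firmware = payload[len(b"UPDATE:"):]
            return "installed " + self.firmware.decode()
        return "no update"


def stb_reply(key: bytes, request: bytes) -> bytes:
    """The genuine set-top box: decrypts the poll and answers with a secured frame."""
    secured, cmd, counter, _ = open_frame(key, request)
    assert secured and cmd == CMD_UPDATE_CHECK
    return seal(key, counter, CMD_UPDATE_RESPONSE, b"UPDATE:official-v2")


def attacker_reply(observed_request: bytes) -> bytes:
    """In RF range the header is visible even though the body is encrypted;
    the counter is all the attacker needs to look like the box's reply."""
    counter = int.from_bytes(observed_request[2:6], "little")
    return plain(CMD_UPDATE_RESPONSE, counter, b"UPDATE:attacker-image")


def demo() -> dict:
    key = os.urandom(16)   # link key shared by the remote and its paired box
    results = {}
    vuln = Remote(key, strict=False)
    req = vuln.poll_for_update()
    results["vulnerable_accepts_attacker"] = vuln.handle_response(attacker_reply(req))

    fixed = Remote(key, strict=True)
    req = fixed.poll_for_update()
    results["patched_rejects_attacker"] = fixed.handle_response(attacker_reply(req))
    # Without the link key the attacker cannot produce a valid MIC either.
    forged = seal(os.urandom(16), fixed.pending, CMD_UPDATE_RESPONSE, b"UPDATE:attacker-image")
    results["patched_rejects_forged_mic"] = fixed.handle_response(forged)
    results["patched_accepts_stb"] = fixed.handle_response(stb_reply(key, req))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes is that the attacker never touches the encryption: the link key stays secret and the forged secured frame fails its MIC check, yet the vulnerable remote still installs the attacker's image because it never asked whether the reply was secured at all. Requiring that property of every reply to a secured request is the whole fix; signing firmware images would add a second, independent barrier.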
Using a 16dBi antenna, Guardicore was able to reliably pick up the mic from 65 feet away – raising the spectre of someone malicious sitting outside your home, in a van, eavesdropping on your sofa conversations through your remotely pwned remote control.
Comcast has since shipped patched firmware for the remote. The update is delivered through one's set-top box. ®