Security researchers analyzing the XR11 Xfinity Voice Remote from Comcast found a way to turn it into a listening device without the need for user interaction or physical access.
Dubbed WarezTheRemote, the attack allowed an attacker to take over the remote and snoop on conversations from at least 65 feet (approximately 20 meters), making a “van parked outside” scenario possible.
Comcast’s XR11 relies on radio frequency to interact with cable set-top boxes, unlike regular remotes that use infrared, and comes with a built-in microphone to allow voice commands. About 18 million units are deployed in homes throughout the U.S.
To understand how communication between the two devices works, researchers at Guardicore took a close look at the remote's firmware and the software on the set-top box.
In the implementation of the RF4CE (Radio Frequency for Consumer Electronics) protocol, which is responsible for encrypting communication, they discovered a weakness.
“As it turned out, though, in the XR11’s implementation, RF4CE security is set on a packet-by-packet basis. Each RF4CE packet has a “flags” byte, and when one of its bits is set to 1, security is enabled for that packet, and its contents will be encrypted. Likewise, if the bit isn’t set, the packet will be sent in plaintext.” – Guardicore
They pointed out that the XR11 firmware accepted plaintext replies to encrypted requests from the remote. This allowed an attacker who guessed the content of a request to create a malicious response that imitated a set-top box.
In addition, there was no signature check on firmware updates, allowing malicious firmware images to be installed.
The firmware check took place every 24 hours, and the request packet was encrypted. However, Guardicore researchers found a non-encrypted byte indicating that the request was firmware-related, enabling them to guess its contents.
Knowing this, the researchers could reply with a plaintext packet informing the remote that a firmware update was available, and then flash the XR11 test device.
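The per-packet flag weakness described above comes down to a receiver that never compares a reply's protection with that of the request it answers. The following C sketch is an added example, not Guardicore's or Comcast's code; the flags-byte position, the `SEC_BIT` mask and all names in it are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this sketch: byte 0 is the "flags" byte and SEC_BIT is a
 * placeholder mask, not the real RF4CE bit position. */
#define SEC_BIT 0x04u

/* What the receiver remembers about the request it is waiting on. */
struct pending_request { bool sent_encrypted; };

/* Constructed sample data, not captured traffic. */
static const struct pending_request ENC_REQ = { true };
static const struct pending_request PLAIN_REQ = { false };
static const uint8_t SAMPLE_PLAIN[]   = { 0x00, 0xAA, 0xBB };
static const uint8_t SAMPLE_SECURED[] = { SEC_BIT, 0x11, 0x22 };

static bool packet_is_secured(const uint8_t *pkt, size_t len)
{
    return pkt != NULL && len >= 1 && (pkt[0] & SEC_BIT) != 0;
}

/* Behaviour the article describes: only the response's own flag decides
 * how it is handled, so a plaintext reply to an encrypted request passes. */
bool accept_response_weak(const struct pending_request *req,
                          const uint8_t *pkt, size_t len)
{
    (void)req;                       /* request security never consulted */
    return pkt != NULL && len >= 1;
}

/* Hardened policy: a response may not be less protected than its request.
 * A secured packet must still be decrypted and authenticated afterwards. */
bool accept_response_strict(const struct pending_request *req,
                            const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 1)
        return false;
    if (req->sent_encrypted && !packet_is_secured(pkt, len))
        return false;                /* downgrade: drop before parsing */
    return true;
}

int main(void)
{
    printf("weak:   %d\n", accept_response_weak(&ENC_REQ, SAMPLE_PLAIN, sizeof SAMPLE_PLAIN));
    printf("strict: %d\n", accept_response_strict(&ENC_REQ, SAMPLE_PLAIN, sizeof SAMPLE_PLAIN));
    return 0;
}
```

The strict check closes only the downgrade; the missing signature check on firmware images is a separate gap that needs its own verification step before flashing.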
In an initial test, they changed the firmware to make one of the LEDs on the remote blink a different color.
The researchers reverse-engineered the remote’s firmware to find the code behind the voice recording button, which triggers the microphone for the voice control feature.
They changed the software so that the recording request would be sent every minute instead of only when the button was pressed. Once they responded to this request, a 10-minute recording would be possible.
Preparing such an attack is definitely not easy: it requires good technical skills to reverse-engineer the firmware and produce patches that would be accepted, as well as the patience to flash the XR11 remote.
In a report today, Guardicore says it took them about 35 minutes to push the necessary modifications in a reliable way using an RF transceiver.
The effectiveness of the attack also depends, of course, on the transceiver. A more expensive one will give more reliable results. They used an ApiMote, which cost around $150, and could hear a person talking 15 feet (4.5 meters) away from the remote. In Guardicore’s blog post, a sample of the recorded conversation is available.
Comcast has patched the problems reported by Guardicore, ensuring on September 24 that its XR11 devices were no longer vulnerable to the WarezTheRemote attack.