Could your cable TV device spy on you? Vulnerability found and patched in Comcast TV remote.
Security firm Guardicore reverse-engineered the firmware update process for Comcast’s XR11 remote to take control of the device. Researchers interrupted the process to turn the voice-control element of the remote into a listening device.
Once the malicious firmware update was in place, researchers used a 16 dBi antenna and were able to listen to conversations inside a house from about 65 feet away.
The WarezTheRemote attack could have affected the 18 million remotes in use around the US. After Guardicore disclosed the vulnerability to Comcast, the company developed a fix that was deployed to all units by the end of September.
The XR11 has a microphone button to allow users to operate the set-top box with voice commands. The remote communicates with the set-top box over a radio frequency (RF) as opposed to an infra-red connection. As the researchers wrote in the research paper on the vulnerability, “RF enables contact with the remote from afar, which makes for a larger attack surface than a remote control would otherwise have, and the recording capability makes it a high-value target.”
Guardicore described the vulnerability in a new paper published Wednesday, “WarezTheRemote: Turning remotes into listening devices.” Guardicore used a man-in-the-middle attack to exploit the remote’s RF communication with the set-top box and its over-the-air firmware upgrades. By pushing a malicious firmware image to the remote, attackers could have used it to record audio continuously without requiring any user interaction.
Guardicore researchers put the security threat in context:
“… with so many of us working from home, a home recording device is a credible means to snoop on trade secrets and confidential information. … The truly dangerous devices are the ones with more insidious connections to our homes, our networks, and our private information.”
How the attack could have worked
The hijacking of the remote took some effort but the vulnerabilities were not hard to take advantage of. The XR11 remote queries the set-top box for new firmware every 24 hours. The researchers took advantage of this query to install firmware that allowed recording. Guardicore had to reverse-engineer the remote’s firmware and the software on the set-top box.
The vulnerability was in the way the remote handled incoming RF packets. Whether a packet was encrypted was decided on a packet-by-packet basis. The problem was that the original XR11 firmware didn’t verify that responses to encrypted requests were encrypted as well. An attacker within RF range could have answered the remote’s outgoing requests in plaintext, and the remote would have accepted those plaintext responses.
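The flaw described above is a missing consistency check: the remote sends its firmware query encrypted but never insists that the reply be encrypted too. The following is an added example, not Guardicore’s or Comcast’s code and not the XR11 protocol; the packet layout, the link key, the toy stream cipher and the HMAC-based “signature” are all constructed stand-ins. It puts a simulated remote that reproduces the flaw (`strict=False`) beside a hardened one (`strict=True`) that rejects a plaintext response to an encrypted request and, as a second layer matching the “unsigned firmware” point in Comcast’s statement, refuses any image that does not carry a valid signature.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Added example, not Guardicore's or Comcast's code. Packet fields, keys and
# the cipher are constructed stand-ins, not the XR11 protocol.


@dataclass
class Packet:
    seq: int            # request/response correlation number (assumed field)
    encrypted: bool     # per-packet security flag ("set on a packet-by-packet basis")
    payload: bytes      # plaintext or ciphertext depending on the flag


def _keystream(link_key: bytes, seq: int, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream. Stand-in only, never a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(link_key + seq.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def link_encrypt(link_key: bytes, seq: int, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(link_key, seq, len(data))))


link_decrypt = link_encrypt  # XOR stream cipher: the same operation both ways


def sign_firmware(signing_key: bytes, image: bytes) -> bytes:
    """Vendor-side signing; HMAC stands in for a real public-key signature."""
    return hmac.new(signing_key, image, hashlib.sha256).digest()


class Remote:
    """strict=False reproduces the described flaw; strict=True is the hardened behaviour."""

    def __init__(self, link_key: bytes, fw_verify_key: bytes, strict: bool) -> None:
        self.link_key, self.fw_verify_key, self.strict = link_key, fw_verify_key, strict
        self.pending: Dict[int, bool] = {}   # seq -> whether that request went out encrypted
        self.firmware: Optional[bytes] = None
        self._seq = 0

    def send_update_query(self) -> Packet:
        """The periodic 'is there new firmware?' request, always sent encrypted."""
        self._seq += 1
        self.pending[self._seq] = True
        return Packet(self._seq, True, link_encrypt(self.link_key, self._seq, b"FW_QUERY"))

    def handle_update_response(self, pkt: Packet) -> str:
        request_was_encrypted = self.pending.pop(pkt.seq, None)
        if request_was_encrypted is None:
            return "rejected: unsolicited response"
        # The missing check: a reply must carry the same security level as its request.
        if self.strict and request_was_encrypted and not pkt.encrypted:
            return "rejected: plaintext response to encrypted request"
        data = link_decrypt(self.link_key, pkt.seq, pkt.payload) if pkt.encrypted else pkt.payload
        image, sig = data[:-32], data[-32:]
        # Second layer: only a correctly signed image may be installed.
        if self.strict and not hmac.compare_digest(sign_firmware(self.fw_verify_key, image), sig):
            return "rejected: firmware signature check failed"
        self.firmware = image
        return "installed"


def build_response(seq: int, image: bytes, sig: bytes, link_key: Optional[bytes] = None) -> Packet:
    """Set-top-box side (or anyone on the RF link): plaintext when no link key is given."""
    body = image + sig
    if link_key is None:
        return Packet(seq, False, body)
    return Packet(seq, True, link_encrypt(link_key, seq, body))


def demo() -> dict:
    link_key = os.urandom(16)      # shared remote/set-top-box link key (constructed)
    signing_key = os.urandom(32)   # vendor firmware-signing key (constructed)
    good_image, rogue_image = b"vendor-firmware-v2", b"rogue-firmware"
    unsigned = b"\x00" * 32
    results = {}

    vulnerable = Remote(link_key, signing_key, strict=False)
    q = vulnerable.send_update_query()
    # Plaintext, unsigned reply from a party that never had the link key: accepted.
    results["vulnerable_plaintext"] = vulnerable.handle_update_response(
        build_response(q.seq, rogue_image, unsigned))

    hardened = Remote(link_key, signing_key, strict=True)
    q = hardened.send_update_query()
    results["hardened_plaintext"] = hardened.handle_update_response(
        build_response(q.seq, rogue_image, unsigned))
    q = hardened.send_update_query()
    results["hardened_encrypted_unsigned"] = hardened.handle_update_response(
        build_response(q.seq, rogue_image, unsigned, link_key))
    q = hardened.send_update_query()
    results["hardened_legit"] = hardened.handle_update_response(
        build_response(q.seq, good_image, sign_firmware(signing_key, good_image), link_key))
    results["hardened_firmware"] = hardened.firmware
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The per-request bookkeeping in `pending` is what makes the check possible: the remote has to remember how each request left, not just inspect each incoming packet in isolation. Enforcing encryption alone stops the plaintext path the article describes; the signature check is the independent layer that still holds if the link key is ever compromised.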
In addition to figuring out the firmware update process, researchers found the code that handles the recording button. The reverse-engineering was a delicate process:
“Because we didn’t have access to the remote’s source code, developing our patch to the firmware was not at all straightforward; we had to carefully edit the firmware binary without breaking anything. By strategically choosing where and how to change the original firmware image, we were able to make all of our changes to the regular remote control behavior in the space of just a few dozen bytes.”
Guardicore implemented a full proof-of-concept malicious firmware upgrade using this method.
Working with Comcast
Guardicore informed Comcast about the vulnerability in late April. The company worked with Guardicore to resolve the issue over the next several months. Comcast started testing a patch in June and delivered the patch to all devices by the end of September. The cable company provided this statement for the Guardicore report on the security vulnerability:
“Technologists for both Comcast and Guardicore confirmed that Comcast’s remediation not only prevents the attack described in this paper but also provides additional security against future attempts to deliver unsigned firmware to the X1 Voice Remote. Based on our thorough review of this issue, which included Guardicore’s research and our technology environment, we do not believe this issue was ever used against any Comcast customer.”