Hacked Voice Remote Becomes Listening Device

A vulnerability has been found in one of the world's most popular voice-activated remote controls that can turn the device into an eavesdropping tool.

Researchers at Guardicore found the new attack vector on the Comcast XR11 voice remote. More than 18 million units of this popular device are currently in use in homes across America. 

The attack, which researchers named WarezTheRemote, does not require the bad actor to have any physical contact with the targeted device or any interaction with the victim. It can also be carried out despite the fact that the device is "dumb," meaning it isn't connected to the internet.

WarezTheRemote used a man-in-the-middle attack to exploit the remote control’s radio frequency (RF) communication with the set-top box and over-the-air firmware upgrades. 

"Any hacker with a cheap RF transceiver could have used it to take over an XR11 remote," noted researchers.

"By pushing a malicious firmware image back to the remote, attackers could have used the remote to continuously record audio without user interaction."

After using a simple 16dBi radio antenna to turn the XR11 voice remote into a listening device, Guardicore's team was able to hear conversations happening in a house around 65 feet away. They said the listening distance could very likely be amplified using better equipment.

"This is the alarming part—it conjures up the famous 'van parked outside' scene in every espionage film in recent memory," noted researchers. 

Researchers said that attacks on in-home devices were now more dangerous due to the change in working practices brought by COVID-19.

"In these strange times, with so many of us working from home, a home recording device is a credible means to snoop on trade secrets and confidential information," they said.

Guardicore informed Comcast of the vulnerability on April 21, 2020. By September 24, the company had patched all the affected devices.

Researchers said: "Comcast has released a patch to the XR11’s firmware that disables the plaintext-response capability we took advantage of here. This patch—version 1.1.4.0—makes the remote discard non-encrypted firmware packets, which were our way into the remote in the first place."

Comcast stated: "Based on our thorough review of this issue, which included Guardicore’s research and our technology environment, we do not believe this issue was ever used against any Comcast customer."
