A security flaw allowing attackers to remotely listen in on victims’ private conversations was found to come from an unexpected device: their TV remotes.
Researchers disclosed the ‘Warez The Remote’ attack, affecting Comcast’s XR11 voice remote control.
The flaw stems from Comcast’s XR11, a popular voice-activated remote control for cable TV, which has more than 18 million units deployed across the US. The remote lets users say the channel or content they want to watch rather than keying in the channel number or typing a search.
Low-Priced RF Transceiver
Researchers found a serious vulnerability in the remote that allows attackers to take it over. The resulting attack, called Warez The Remote, does not require any interaction from the victim; it is extremely cheap to carry out (an attacker needs only a low-priced RF transceiver and antenna) and can be launched remotely, from up to 65 ft. away.
Researchers worked with Comcast’s security team after finding the flaw, and fixes have been released that remediate the issues that make the attack possible. However, in a post on Wednesday, they stressed that the incident is an important reminder of the inherent security and privacy issues plaguing even the least-suspected internet of things (IoT) devices.
“Few people think of their TV remote controls as ‘connected devices,’ fewer still would guess that they can be vulnerable to attackers, and almost no one would imagine that they can jeopardise their privacy,” reported researchers with Guardicore, in a Wednesday post.
“In this case, the recent development of RF-based communication and voice control makes this threat real. Even more so in these strange times: with so many of us working from home, a home-recording device is a credible means to snoop on trade secrets and confidential information.”
By extensively reverse-engineering both the remote’s firmware and the software it communicates with on the set-top box, researchers found an error in the way the remote handles incoming RF packets.
To understand this, it is first important to look at how XR11 voice remotes work. The remote communicates with the TV set-top box over the RF4CE (Radio Frequency for Consumer Electronics) protocol. RF4CE, a subset of the Zigbee family of power-saving RF protocols, has a feature called “security”, which is meant to encrypt the contents of RF4CE packets so that attackers cannot inject malicious packets into the connection.
In the XR11’s implementation, the RF4CE “security” feature is set on a packet-by-packet basis. Each packet has a “flags” byte; when one of its bits is set to 1, the packet’s contents are encrypted, and when the bit is not set, the packet is sent in plaintext.
The vulnerability arises because the original XR11 firmware did not verify that responses to encrypted requests were encrypted as well, the researchers observed.
So an attacker within RF range (about 65 ft. away) could view requests from the remote in plaintext, allowing them to easily formulate a malicious response to that request.
“Warez The Remote used a ‘man-in-the-middle’ attack to exploit the remote’s RF communication with the set-top box and over-the-air firmware upgrades – by pushing a malicious firmware image back to the remote, attackers could have used the remote to continuously record audio without user interaction,” they explained.
Researchers say that the remote’s firmware, by default, queries the box it is paired with for new firmware once a day. That means in a real-life attack, an attacker would need to wait for the firmware upgrade query to occur.
“The request packet is encrypted, so an attacker can’t actually read its contents, but there is a non-encrypted byte in the packet’s header that indicates that this request is firmware-related, which allows the attacker to guess its contents without actually decrypting it,” they explained.
Following this initial exchange, the remote then sends out a series of requests asking for the contents of the firmware image, chunk by chunk.
The order in which these chunk requests are sent is entirely predictable, so attackers can easily guess which chunk of the firmware the remote is asking for.
“By carefully timing our responses, we were able to send exactly the right firmware chunk to the remote each time,” they commented. “Furthermore, we found a way to temporarily crash the software running on the cable box using a malformed RF4CE packet. This simple DoS prevented the box from interfering over the course of the attack.”
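The flaw described above (per-packet security flag, responses to encrypted requests accepted even when they arrive in plaintext) and the chunked firmware exchange it was used against can both be shown in a small simulation. The following is an added example, not Guardicore’s or Comcast’s code; it uses a constructed, simplified frame layout (byte 0 = flags, byte 1 = frame kind, rest = body) and an assumed bit position for the “security” flag, neither of which is the real RF4CE wire format. It contrasts the original acceptance logic, which never consults the request’s security flag, with a hardened check that drops any plaintext reply to a secured request, and runs both over a constructed three-chunk update in which one chunk arrives unencrypted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified frame layout used only for this illustration; it is
 * not the real RF4CE wire format. byte 0 = flags, byte 1 = frame kind,
 * bytes 2.. = body (ciphertext when the secured flag is set). */
#define FLAG_SECURED  0x08  /* assumed bit position of the per-packet "security" flag */
#define KIND_FIRMWARE 0x40  /* constructed marker: firmware-related frame */

typedef struct {
    const uint8_t *data;
    size_t len;
} frame_t;

static bool frame_well_formed(const frame_t *f) {
    return f->data != NULL && f->len >= 2;
}

static bool frame_secured(const frame_t *f) {
    return (f->data[0] & FLAG_SECURED) != 0;
}

/* Behaviour the article attributes to the original firmware: a response is
 * processed whether or not it is encrypted, so a plaintext reply to an
 * encrypted request is accepted. */
bool accept_response_original(const frame_t *req, const frame_t *resp) {
    (void)req;  /* the request's security flag is never consulted */
    return frame_well_formed(resp);
}

/* Hardened check, i.e. the verification the article says was missing:
 * a response to a secured request must itself be secured; anything else
 * is dropped. */
bool accept_response_hardened(const frame_t *req, const frame_t *resp) {
    if (!frame_well_formed(req) || !frame_well_formed(resp)) return false;
    if (frame_secured(req) && !frame_secured(resp)) return false;  /* downgrade */
    return true;
}

typedef bool (*accept_fn)(const frame_t *, const frame_t *);

/* Simulated chunk-by-chunk update: the remote sends one secured request per
 * chunk index and applies the reply only if the policy accepts it. Returns
 * the number of chunks that would have been applied. */
size_t run_update(accept_fn policy, const frame_t *responses, size_t n_chunks) {
    size_t applied = 0;
    for (size_t i = 0; i < n_chunks; i++) {
        uint8_t req_buf[3] = { FLAG_SECURED, KIND_FIRMWARE, (uint8_t)i };
        frame_t req = { req_buf, sizeof req_buf };
        if (policy(&req, &responses[i])) applied++;
    }
    return applied;
}

/* Constructed sample traffic: chunks 0 and 2 arrive secured, chunk 1 arrives
 * in plaintext (the condition the hardened check must refuse). */
static const uint8_t chunk0[] = { FLAG_SECURED, KIND_FIRMWARE, 0x11, 0x22 };
static const uint8_t chunk1[] = { 0x00,         KIND_FIRMWARE, 0x33, 0x44 };
static const uint8_t chunk2[] = { FLAG_SECURED, KIND_FIRMWARE, 0x55, 0x66 };

/* Runs the constructed update under either policy and returns how many of
 * the three chunks were applied. */
size_t chunks_applied(bool hardened) {
    const frame_t responses[3] = {
        { chunk0, sizeof chunk0 },
        { chunk1, sizeof chunk1 },
        { chunk2, sizeof chunk2 },
    };
    accept_fn policy = hardened ? accept_response_hardened : accept_response_original;
    return run_update(policy, responses, 3);
}

int main(void) {
    printf("original logic applied %zu of 3 chunks\n", chunks_applied(false));
    printf("hardened logic applied %zu of 3 chunks\n", chunks_applied(true));
    return 0;
}
```

The original logic applies all three chunks, including the plaintext one; the hardened logic applies only the two secured chunks. The check is deliberately placed on the request/response pair rather than on each frame in isolation, because the article’s point is that the flag was honoured per packet while the relationship between a request’s flag and its reply’s flag was never verified.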
Researchers further observed that an attacker would only need a basic RF transceiver, which is cheap (a Texas Instruments CC2531 costs only a few dollars for a whole development kit), as well as a cheap 2 dBi antenna (the researchers used a 16 dBi antenna for better results).
“We didn’t push this to the limit, but we were easily able to push firmware to the remote around 65 ft. away from outside the apartment it was in,” they outlined. “This is the alarming part, as it conjures up the famous ‘van parked outside’ scene in every espionage film in recent memory.”
Researchers disclosed the vulnerability to Comcast on April 21, and Comcast began to release a patch on July 24. On September 24, Comcast confirmed that all devices were patched.
“Nothing is more important than keeping our customers safe and secure, and we appreciate Guardicore for bringing this issue to our attention,” commented Comcast in a press statement.
“As detailed in this report, we fixed this issue for all affected Xfinity X1 voice remotes, which means the issue described here has been addressed & the attack exploiting it is not possible.”