Earlier this year, the security researchers at Guardicore discovered a flaw in the firmware of a popular Comcast remote that enabled them to use it as an eavesdropping device.
The firmware update process for Comcast’s XR11 TV remote was reverse engineered by the researchers at Guardicore, allowing them to take control of the device and transform the voice-control feature of the remote into an eavesdropping device. Using a 16 dBi antenna, attackers would be able to listen to conversations inside the house from up to 65 feet away.
The Comcast Xfinity XR11 remote control is a ‘smart remote’, with one of its most prominent features being the voice control function and approximately 18 million of the devices are in use across the US. Instead of using an infrared (IR) connection to communicate with the TV like a traditional remote, the XR11 used a radio frequency (RF). One of the main benefits of using RF over IR is that the remote doesn’t need a line of sight to the TV or set-top box, however, it’s because of this RF connection that the researchers were able to connect to the remote from outside of the house.
In their report, the security researchers commented on the RF component of the remote, saying that “RF enables contact with the remote from afar, which makes for a larger attack surface than a remote control would otherwise have, and the recording capability makes it a high-value target.”
The researchers at Guardicore divulged the vulnerability to Comcast themselves before publicly releasing their report. Thankfully, this resulted in Comcast being able to issue a firmware update to patch this flaw before the issue fully got out. This is another example of the importance of ensuring that you keep your devices up to date with the latest security patches.
In response to Guardicore’s report being published, Comcast said:
“Technologists for both Comcast and Guardicore confirmed that Comcast’s remediation not only prevents the attack described in this paper but also provides additional security against future attempts to deliver unsigned firmware to the X1 Voice Remote. Based on our thorough review of this issue, which included Guardicore’s research and our technology environment, we do not believe this issue was ever used against any Comcast customer.”