Brian Jackson - Fotolia

Hackers turn Comcast voice remotes into eavesdropping tool

Guardicore researchers at RSA Conference 2021 manipulated the Xfinity XR11 voice controller to covertly record household conversations, raising concerns about IoT devices.

Security researchers uncovered a method for turning voice-controlled TV remotes into silent spying tools.

A team of researchers with cybersecurity vendor Guardicore said that it devised a method to compromise the firmware in Comcast's Xfinity XR11 remote controls and add commands to the controller that would allow for a remote attacker to turn on the microphone and transmit audio via radio frequency (RF) communications.

The issue was privately disclosed to Comcast and has since been patched.

Speaking at RSA Conference 2021 Monday, Guardicore Labs senior researcher JJ Lehmann and vice president of research Ofri Ziv explained how an attacker in close proximity to the target could trick the XR11 into downloading a modified version of the firmware that added a command to record and transmit audio via the on-board microphone the remote uses for voice commands.

The process, the researchers said, is not as straightforward as getting in the middle of data transmissions and sending out a firmware update. For starters, this wasn't the sort of update that could be intercepted via Wi-Fi communications -- every data transmission happened over short-distance radio signals.

Comcast had also put a number of measures in place to prevent tampering. Specifically, the remote would only accept commands from its paired cable box and would encrypt many of its RF communications with the box.

Guardicore Comcast RSA Conference
At RSA Conference 2021, Guardicore researchers demonstrated how they turned Comcast's Xfinity XR11 remote controls into listening devices.

To get around this, the Guardicore team devised a method to eliminate the cable box from the equation. By sending an attack packet to the box, they could trigger a crash that would temporarily prevent it from communicating with the remote. To solve the encryption problem, the researchers devised a method to simply turn off the encrypted packet check and send a firmware update over plain text.

"Besides a very quick redundancy check, there was no validation on the firmware at all," Lehmann explained. "We could in theory push any update."

With these problems solved, the team went about setting up their attack. Key to the procedure was taking advantage of the way the XR11 installed its firmware updates. Rather than try and install the entire update in one go, the remote obtains multiple packets (up to 1,500) from the cable box and installs them in pieces.

The hackers took advantage of this process and created a script that would attempt to slip a modified packet into the update stream. This packet did not actually include the recording command, but rather told the remote to change its update checks from once every 24 hours to once per minute.

When the now modified firmware ran its one-minute check, the attack was carried out. The cable box was disabled momentarily and the attacker sent a signal to the remote as it checked for an update. Rather than return a "yes" or "no" answer as to whether the firmware should be updated, the attacker simply told the remote to start recording. From there, the attacker could collect and decode the audio to gather a covert recording of what was going on in the victim's home, office or wherever the hacked remote was located.

For users concerned their voice remote is currently logging conversations and sending them abroad, there are some mitigating factors at play. For starters, this specific bug was reported to Comcast last year and was patched by the cable giant in September; Guardicore published a blog post about the technique in October. Anyone using an XR11 remote has long since been protected.

There is also the matter of access. A bad actor would have to be within short physical range of the remote control (Guardicore's demo worked up to 64 feet) for upward of several hours in order to send the RF signals that would be needed to manipulate the firmware and set up the attack. This is not the sort of thing that can be pulled off from the next town over, let alone another country.

"Technologists for both Comcast and Guardicore confirmed that Comcast's remediation not only prevents the attack described in this paper but also provides additional security against future attempts to deliver unsigned firmware to the X1 Voice Remote," Comcast said in a statement to SearchSecurity. "Based on our thorough review of this issue, which included Guardicore's research and our technology environment, we do not believe this issue was ever used against any Comcast customer."

Still, the discovery poses some interesting questions about how IoT devices, or even appliances that are not directly connected to the internet, can be manipulated by hackers.

"If more devices start relying on RF, its likely more attacks will come from this direction," Ziv said. "Assuming Comcast isn't the only company using this, it is likely the flaw we took advantage of will show up in other gear too."

Next Steps

Attorneys share worst practices for data breach response

Dig Deeper on Threats and vulnerabilities