Researchers turn Comcast smart remotes into eavesdropping devices

Friday, October 9, 2020, 12:40 GMT

Guardicore researchers studied the XR11 remote controls that work with the Xfinity X1 console and developed the WarezTheRemote attack. They concluded that the remotes can be turned into covert surveillance devices and used to spy on users.

XR11 remotes are offered to Xfinity customers by US telecoms giant Comcast. Over 18 million such devices have been sold to date. These remotes let users change channels, search for programs and perform other actions with voice commands.

The first stage of the WarezTheRemote attack is the delivery of malicious firmware to the device by the attacker. This is possible because the remote communicates with the set-top box over radio frequency rather than an infrared port. Since radio frequency has a long range, an attacker can launch such an attack from a considerable distance.

Although communications between the remote and the set-top box are encrypted, the remote's firmware does not work correctly: it does not ensure that only encrypted responses are accepted for encrypted requests, so an intruder can submit malicious responses to the remote in plaintext.

The researchers also state that every 24 hours the remote control checks for firmware updates by polling the set-top box paired with it. As it turned out, an intruder could easily impersonate a set-top box, exploit the encryption weakness, and then tell the remote that an update was available (the firmware images are not signed).
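The missing check described above, shown as an added illustration in C (not Comcast's or Guardicore's code): a simplified model of a receive path where the flawed handler never compares a reply's security level with that of the request, next to a hardened handler that does. All type and function names are hypothetical, and the frames are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of a remote's receive path; every name is an assumption. */
typedef struct {
    uint8_t seq;        /* sequence number linking a reply to its request */
    bool    encrypted;  /* set only after the frame decrypted and authenticated */
} frame_t;

typedef enum { ACCEPT, REJECT_UNSOLICITED, REJECT_PLAINTEXT } verdict_t;

#define MAX_PENDING 4
static frame_t pending[MAX_PENDING];
static size_t  n_pending;

/* Record an outgoing request so the reply can later be matched against it. */
bool track_request(frame_t req) {
    if (n_pending == MAX_PENDING) return false;
    pending[n_pending++] = req;
    return true;
}

static const frame_t *find_request(uint8_t seq) {
    for (size_t i = 0; i < n_pending; i++)
        if (pending[i].seq == seq) return &pending[i];
    return NULL;
}

/* Flawed behaviour: the reply's security level is never compared to the request's. */
verdict_t check_reply_weak(frame_t reply) {
    return find_request(reply.seq) ? ACCEPT : REJECT_UNSOLICITED;
}

/* Hardened: a reply to an encrypted request must itself be encrypted. */
verdict_t check_reply_strict(frame_t reply) {
    const frame_t *req = find_request(reply.seq);
    if (!req) return REJECT_UNSOLICITED;
    if (req->encrypted && !reply.encrypted) return REJECT_PLAINTEXT;
    return ACCEPT;
}

/* Constructed scenario: an encrypted firmware poll (seq 7) and its reply. */
verdict_t demo(bool strict, bool reply_encrypted) {
    n_pending = 0;
    track_request((frame_t){ .seq = 7, .encrypted = true });
    frame_t reply = { .seq = 7, .encrypted = reply_encrypted };
    return strict ? check_reply_strict(reply) : check_reply_weak(reply);
}
```

This policy check closes only the plaintext-response gap; the unsigned firmware images mentioned above need a separate signature verification step before an update is applied.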

In addition, the experts not only found a way to deliver malicious firmware to the remote, but also carried out a DoS attack on the set-top box itself to ensure that it did not interfere with the attack on the remote.

The experts' report stresses that the attack does not require costly equipment. WarezTheRemote needs only an RF receiver and a 16 dBi antenna, which together cost several hundred dollars. This equipment allows the attack to be carried out from approximately 65 feet (approximately 20 meters) away. Guardicore is also adamant that with more capable equipment the attack would work at even greater distances.

Back in April this year, the researchers informed Comcast of the problems, and on July 14, 2020, the company began rolling out fixes. The manufacturer confirmed that all of the above bugs were resolved in firmware version (including a bug that triggered a console denial of service) and that the updated version started to be released to devices on September 24.