Guardicore's global research team, consisting of hackers, cybersecurity researchers and industry experts, today published a blog post outlining a new, troubling attack vector. Guardicore discovered a new attack vector on Comcast’s XR11 voice remote that would have allowed attackers to turn it into a listening device – potentially invading your privacy in your living room.
To learn more about this attack vector, we sat down with Ofri Ziv, Head of Guardicore Labs and JJ Lehman, Guardicore Labs Senior Researcher.
Tell us about this research. What prompted you to do it?
"Our research typically focuses on enterprise datacenters -- in particular, how attackers infiltrate them and move laterally to execute their attacks. This type of research helps us understand how microsegmentation can mitigate attacker movement and prevent data breaches. In doing this research, we found ourselves increasingly interested in home devices that connect to these datacenters from afar. Further, as the world moved to a remote work model, we started thinking more about vulnerabilities in home devices and the impact they could have on enterprise networks and datacenters.
We began investigating set-top boxes because they connect directly to cable providers' datacenters – they’re not quite part of the datacenter, but they aren’t completely external, either. We thought we could gain some insight into cable providers' networks by experimenting with these boxes. This is what led us to first look at the Comcast Xfinity X1 set-top box as a potential vector for attack. We opened a shell over Ethernet on the set-top box and although it required physical access to the box’s hardware, it still left the possibility that a home user could take advantage of the capability to start snooping around Comcast’s cable network.
We went further down the rabbit hole and shifted our focus towards looking at the XR11 voice remote. The combination of the remote’s recording capabilities, and the fact that it had RF based communication, led us to believe that it could be of interest to an attacker. We realized that if we could make the remote open its microphone without requiring physical access with it or any interaction from the user, it would basically mean that we have a potential listening device in millions of US households. And we developed an attack that does exactly that."
-- Ofri Ziv
What did the research find? Was this out of the norm?
"We found a new attack vector on Comcast's XR11 voice remote that would have allowed attackers to turn it into a listening device. The bug we discovered in the remote’s incoming RF packets handling mechanism left it vulnerable to man-in-the-middle attacks. An attacker could use this to exploit the remote’s RF communication with the set-top box; this way, they could push a malicious firmware image to the remote and control the device completely.
If you have this remote, you’ll know that you can push the mic icon and speak a command into the remote for the show / channel you want -- for example, “show me ESPN.” With this new attack vector, an attacker could have made the remote record everything around it without user interaction; a simple RF transceiver and antenna were all that was needed to pull it off.
Now, they would have to be physically fairly close to the house, but in our trials, we were able to listen to conversations in a home sitting as much as 65 feet away from the house, using nothing more than a 16 dBi antenna. We’re confident that we could listen to conversations in a specific home from even farther away using a more advanced antenna.
I would say that this research is definitely out of the norm. Most security research on ‘home hacks’ focuses on IoT and connected devices like Alexa, Google Home, Ring and other popular names you’d think of when you hear “IoT”. Our attack turns conventional wisdom on its head by targeting a ‘dumb’ device that may be one of the most common household devices found in the country."
-- JJ Lehman
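The answer above describes the defender-relevant core of the finding: an over-the-air firmware update path that accepted what a man-in-the-middle injected. The following is an added illustration of the class of check that closes that path; it is not Guardicore's research code and not Comcast's XR11 firmware. The packet layout, the key, the sample images and the simulated tampering are all constructed for the example, and HMAC-SHA256 with a shared key stands in for the asymmetric image signature a production device would verify.

```python
"""Illustrative firmware-update acceptance logic for an RF remote.

Added example: NOT Guardicore's code and NOT the XR11's firmware. The
packet format, key, and images are constructed here to show the check
whose absence lets an in-path attacker push an arbitrary image. HMAC with
a shared key stands in for a real asymmetric signature scheme.
"""
import hashlib
import hmac
import struct

MAGIC = b"UPDT"                  # constructed packet marker
HDR = struct.Struct(">4sHI")     # magic, firmware version, payload length
TAG_LEN = 32                     # HMAC-SHA256 output size

# Constructed key; a real device would carry a per-model verification key.
VERIFY_KEY = b"constructed-example-key-not-real"


def build_update(version: int, image: bytes, key: bytes = VERIFY_KEY) -> bytes:
    """Build an update packet: header || image || MAC(header || image)."""
    header = HDR.pack(MAGIC, version, len(image))
    tag = hmac.new(key, header + image, hashlib.sha256).digest()
    return header + image + tag


def _parse(packet: bytes):
    """Split a packet into (version, image, tag); None if malformed."""
    if len(packet) < HDR.size + TAG_LEN:
        return None
    magic, version, length = HDR.unpack_from(packet)
    if magic != MAGIC or len(packet) != HDR.size + length + TAG_LEN:
        return None
    image = packet[HDR.size:HDR.size + length]
    tag = packet[HDR.size + length:]
    return version, image, tag


def accept_update_unauthenticated(packet: bytes, installed_version: int):
    """Weak pattern: any well-formed image received over the air is flashed.

    Whoever can inject RF frames decides what runs on the device.
    Returns the image that would be flashed, or None if malformed.
    """
    parsed = _parse(packet)
    if parsed is None:
        return None
    _version, image, _tag = parsed
    return image


def accept_update_verified(packet: bytes, installed_version: int,
                           key: bytes = VERIFY_KEY):
    """Hardened pattern: authenticate the image and refuse rollbacks.

    Returns the image only if the MAC over header+image verifies and the
    version is newer than the installed one; otherwise None.
    """
    parsed = _parse(packet)
    if parsed is None:
        return None
    version, image, tag = parsed
    header = HDR.pack(MAGIC, version, len(image))
    expected = hmac.new(key, header + image, hashlib.sha256).digest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    if version <= installed_version:
        return None  # replaying an older (possibly known-bad) image is refused
    return image


def tampered_copy(packet: bytes) -> bytes:
    """Simulated in-flight modification used only to exercise the check:
    flip every bit of the image body, keep header and tag unchanged."""
    version, image, tag = _parse(packet)
    altered = bytes(b ^ 0xFF for b in image)
    return HDR.pack(MAGIC, version, len(altered)) + altered + tag


def demo() -> dict:
    """Run both acceptance paths against a genuine and a tampered packet."""
    genuine = build_update(version=3, image=b"constructed firmware image v3")
    forged = tampered_copy(genuine)
    return {
        "unauth_genuine": accept_update_unauthenticated(genuine, 2) is not None,
        "unauth_tampered": accept_update_unauthenticated(forged, 2) is not None,
        "verified_genuine": accept_update_verified(genuine, 2) is not None,
        "verified_tampered": accept_update_verified(forged, 2) is not None,
        "verified_rollback": accept_update_verified(genuine, 3) is not None,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'flashed' if accepted else 'rejected'}")
```

The unauthenticated path flashes both the genuine and the tampered image; the verified path flashes only the genuine, newer one. The two details that matter in practice are that the MAC covers the header as well as the body (so the version field cannot be rewritten) and that the comparison is constant-time.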
What kind of threats does this pose to the every-day user? What are the security implications for other connected home devices with listening capabilities?
"WarezTheRemote illuminates a new aspect of the problematic state of IoT in the present. Like I mentioned, there’s no shortage of research and conference talks on vulnerable smart home devices from the last few years. One can assume that by now, most consumers have at least some idea of the risks in having a WiFi-connected baby monitor or voice-controlled smart speaker in their homes.
However, it’s easy to forget that the term IoT encompasses a lot more Things than just the clear-cut examples. Few people think of their television remote controls as “connected devices”, fewer still would guess that they can be vulnerable to attackers, and almost no one would imagine that they can jeopardize their privacy. In this case, the recent development of RF-based communication and voice control makes this threat real.
This type of attack would be very powerful for targeted surveillance. Millions of people have been forced to work from home - this includes CEOs, board members, government officials and other professionals who trade in secret and confidential information. The TV remote is typically sitting in the middle of the room and would be incredibly effective to snoop and listen in to a conversation."
-- Ofri Ziv
What do end-users need to do to make sure they aren't compromised?
"Luckily, end-users are now protected. We worked closely with Comcast’s team after finding the vulnerability and they released patch 220.127.116.11 to the millions of active remotes, remediating the issues that made the attack possible. Up until the fixes were released, though, every XR11 remote could have been attacked in this fashion. Besides leaving out the batteries, there was no effective way to mitigate it, either."
For more information about Guardicore, visit their website: https://www.guardicore.com/