
Hackers have hacked the remote from the set-top box, turning it into a listening device


Security researchers analyzed the Comcast XR11 Xfinity Voice Remote and found a way to turn it into a listening device without physical access or user interaction.

The attack, dubbed WarezTheRemote, allowed the remote to be intercepted and conversations monitored from at least 65 feet (about 20 meters) away, making the "van parked outside" scenario possible.


Unlike conventional infrared remote controls, the Comcast XR11 uses radio frequencies to communicate with cable boxes and has a built-in microphone for voice commands. There are more than 18 million such devices in the homes of US residents.


Guardicore researchers took a close look at the remote’s firmware and the software on the set-top box to understand how communication between the two devices works.

They found a weak point in the implementation of the RF4CE (Radio Frequency for Consumer Electronics) protocol, which is responsible for encrypting communications.

"However, as it turned out, in the XR11 implementation, RF4CE security is set on a per-packet basis. Each RF4CE packet has a "flags" byte, and when one of its bits is set to 1, secure mode is enabled for that packet and its contents will be encrypted. Similarly, if the bit is not set, the packet will be sent in clear text." – Guardicore

They found that the XR11 firmware accepts cleartext responses to encrypted requests from the remote control. This allowed an attacker who guessed the content of the request to craft a malicious response, ostensibly on behalf of the set-top box.

In addition, there was no signature verification for the firmware update feature, allowing an attacker to install malicious images.

The firmware check happens every 24 hours and the request packet is encrypted. However, Guardicore researchers noticed an unencrypted byte indicating that the request was related to firmware, allowing them to guess the content.

Knowing these details, the researchers could respond with a cleartext packet, telling the remote control that a firmware update was available, and flash the XR11 with their version of the firmware containing the malware.
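As an added illustration (not Guardicore's or Comcast's code), here is how a remote's receive path could close both gaps described above: binding a reply's security level to the request it answers, and refusing to flash an image that carries no valid signature. The frame layout (flags byte first, bit 2 as the secure-mode flag), the command id and the HMAC-based image check are assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

SECURITY_BIT = 1 << 2  # assumed bit position of the per-packet "secure mode" flag
FW_UPDATE_CMD = 0x20  # constructed command id meaning "firmware image follows"
FW_SIGNING_KEY = b"constructed-demo-key"  # stand-in for the vendor's signing key

@dataclass(frozen=True)
class Frame:
    flags: int  # the "flags" byte the article quotes
    payload: bytes

    @property
    def secure(self) -> bool:
        return bool(self.flags & SECURITY_BIT)

def parse_frame(raw: bytes) -> Frame:
    """Split a raw frame into its leading flags byte and the rest (assumed layout)."""
    return Frame(raw[0], bytes(raw[1:]))

def response_allowed(request: Frame, response: Frame) -> bool:
    """A reply to a secure request must itself be secure. The XR11 decided
    security per packet, which is why a cleartext reply slipped through."""
    return response.secure or not request.secure

def firmware_accepted(image: bytes, signature: bytes) -> bool:
    """Refuse unsigned images (HMAC-SHA256 stands in for the vendor public-key
    signature a real device would verify)."""
    expected = hmac.new(FW_SIGNING_KEY, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def handle_update_reply(request: Frame, response: Frame) -> str:
    """Decide what to do with a reply to the encrypted daily firmware check-in."""
    if not response_allowed(request, response):
        return "dropped: cleartext reply to encrypted request"
    if response.payload[:1] != bytes([FW_UPDATE_CMD]):
        return "ignored: not a firmware reply"
    image, sig = response.payload[1:-32], response.payload[-32:]
    if not firmware_accepted(image, sig):
        return "dropped: firmware signature invalid"
    return "flash"

# Constructed traffic: the encrypted check-in request and three candidate replies.
REQUEST = parse_frame(bytes([SECURITY_BIT | 0x01, 0xAA, 0xBB]))
IMAGE = b"constructed firmware image"
GOOD_SIG = hmac.new(FW_SIGNING_KEY, IMAGE, hashlib.sha256).digest()
CLEARTEXT_REPLY = parse_frame(bytes([0x01, FW_UPDATE_CMD]) + IMAGE + GOOD_SIG)
UNSIGNED_REPLY = parse_frame(bytes([SECURITY_BIT | 0x01, FW_UPDATE_CMD]) + IMAGE + bytes(32))
SIGNED_REPLY = parse_frame(bytes([SECURITY_BIT | 0x01, FW_UPDATE_CMD]) + IMAGE + GOOD_SIG)
```

Even a correctly signed image is dropped when it arrives in a cleartext reply to an encrypted request, so the two checks are independent layers rather than one fix.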

During the initial test, they changed the firmware so that one of the LEDs on the remote control blinked a different color.

Since the remote has a voice control function on board, the researchers wondered how the microphone could be activated. To do this, they reverse-engineered the remote’s firmware to find the code for the voice recording button.

They changed the software so that the recording request is sent every minute, not just when a button is pressed. As soon as they responded to this request, recording began and lasted up to 10 minutes.


Preparing for such an attack is certainly not easy: it requires serious technical skills to reverse engineer the firmware and create patches that will be accepted, as well as the patience to flash the XR11 remote.

In their report, Guardicore says it took them about 35 minutes to make the necessary changes using the RF transceiver.

Of course, the success of the attack also depends on the transceiver. The more expensive option will provide more consistent results. They used an ApiMote, which costs about $150 and can hear a person speaking up to 15 feet away from the remote control. A sample of the recorded conversation is available in the Guardicore blog post.

Comcast fixed the issues reported by Guardicore and confirmed on September 24 that its XR11 devices are no longer vulnerable to the WarezTheRemote attack.

Cover image: Jonas Leupe via Unsplash.

Based on Bleeping Computer material.