A security flaw allowing attackers to remotely snoop in on victims’ private conversations was found to stem from an unexpected device – their TV remotes.
The flaw stems from Comcast’s XR11, a popular voice-activated remote control for cable TV, which has more than 18 million units deployed across the U.S. The remote enables users to say the channel or content they want to watch rather than keying in the channel number or typing to search.
However, researchers found a serious vulnerability in the remote, allowing attackers to take it over (details below). Worse, the ensuing attack, dubbed WarezTheRemote, does not require any interaction from the victim — it’s extremely cheap to carry out (a hacker merely needs a low-priced RF transceiver and antenna), and can be launched remotely (from up to 65 feet away).
Researchers worked with Comcast’s security team after finding the flaw and fixes have been released that remediate the issues that make the attack possible – however, in a disclosure post on Wednesday, they stressed that the incident is an important reminder of the inherent security and privacy issues plaguing even the least-suspected internet of things (IoT) devices.
“Few people think of their television remote controls as ‘connected devices,’ fewer still would guess that they can be vulnerable to attackers, and almost no one would imagine that they can jeopardize their privacy,” said researchers with Guardicore, in a Wednesday post. “In this case, the recent development of RF-based communication and voice control makes this threat real. Even more so in these strange times: With so many of us working from home, a home-recording device is a credible means to snoop on trade secrets and confidential information.”
The Flaw
By extensively reverse-engineering both the remote’s firmware and the software it communicates with on the set-top box, researchers found an error in the way the remote handles incoming RF packets.
To understand the flaw, it’s first important to look at how XR11 voice remotes work. The remote communicates with the television set-top box over the RF4CE (Radio Frequency for Consumer Electronics) protocol. RF4CE, which is a subset of the Zigbee family of power-saving RF protocols, has a feature called, straightforwardly, “security” — which should encrypt the contents of RF4CE packets to bar attackers from injecting malicious packets into the connection.
However, in the XR11’s implementation, the RF4CE “security” feature is set on a packet-by-packet basis. Each packet has a “flags” byte, and when one of its bits is set to 1, its contents will be encrypted – and if the bit isn’t set, the packet will be sent in plaintext.
The vulnerability lies in the fact that the original XR11 firmware didn’t verify that responses to encrypted requests are encrypted as well, said researchers. That means an attacker within RF range (about 65 feet away) could view requests from the remote in plaintext – allowing them to easily formulate a malicious response to that request.
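The logic error described above, modelled as an added example (not Guardicore's or Comcast's code): the original handler lets each packet's own flag decide how it is treated, while the fixed handler refuses a plaintext reply to an encrypted request before its body can be used as a firmware chunk. It assumes bit 3 of the RF4CE frame-control byte is the "security enabled" flag and uses a toy XOR in place of the real link-layer cipher; all frames are constructed.

```python
from dataclasses import dataclass
from typing import Optional

SECURITY_ENABLED = 0x08   # assumed bit of the RF4CE frame-control ("flags") byte
TOY_LINK_KEY = b"k"       # stand-in for the real pairing key; XOR is only a placeholder


@dataclass(frozen=True)
class Frame:
    flags: int      # frame-control byte
    body: bytes     # ciphertext if the security bit is set, plaintext otherwise

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & SECURITY_ENABLED)


def toy_decrypt(body: bytes) -> bytes:
    """Placeholder for the link-layer cipher (self-inverse XOR); not a real cipher."""
    return bytes(b ^ TOY_LINK_KEY[0] for b in body)


def response_body_vulnerable(request: Frame, response: Frame) -> bytes:
    """Behaviour the article describes: the reply's own flag decides how it is
    handled, so a plaintext reply to an encrypted request is consumed as-is.
    Nothing ties the reply's security bit to the request's."""
    return toy_decrypt(response.body) if response.encrypted else response.body


def response_body_fixed(request: Frame, response: Frame) -> Optional[bytes]:
    """Hardened check: a reply to an encrypted request must itself be encrypted.
    Returns None (drop the packet) instead of handing back a firmware chunk."""
    if request.encrypted and not response.encrypted:
        return None
    return response_body_vulnerable(request, response)


# Constructed frames: an encrypted firmware-chunk request, a plaintext reply
# carrying a forged chunk, and a legitimate encrypted reply.
REQUEST = Frame(0x01 | SECURITY_ENABLED, toy_decrypt(b"CHUNK?"))
PLAINTEXT_REPLY = Frame(0x01, b"FORGED")
ENCRYPTED_REPLY = Frame(0x01 | SECURITY_ENABLED, toy_decrypt(b"GOODCHUNK"))

if __name__ == "__main__":
    print("vulnerable:", response_body_vulnerable(REQUEST, PLAINTEXT_REPLY))  # b'FORGED'
    print("fixed:     ", response_body_fixed(REQUEST, PLAINTEXT_REPLY))       # None
    print("fixed/ok:  ", response_body_fixed(REQUEST, ENCRYPTED_REPLY))       # b'GOODCHUNK'
```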
“WarezTheRemote used a man-in-the-middle attack to exploit the remote’s RF communication with the set-top box and over-the-air firmware upgrades – by pushing a malicious firmware image back to the remote, attackers could have used the remote to continuously record audio without user interaction,” they said.
The Attack
Researchers say that the remote’s firmware queries the box it is paired with – by default – for new firmware once every 24 hours. That means in a real-life attack, a bad actor would need to wait for a firmware upgrade query to occur.
“The request packet is encrypted, so an attacker can’t actually read its contents, but there is a non-encrypted byte in the packet’s header that indicates that this request is firmware-related, which allows the attacker to guess its contents without actually decrypting it,” they said.
Following this initial exchange, the remote then sends out a series of requests asking for the contents of the firmware image, chunk by chunk. The order these chunk requests are sent in is entirely predictable – meaning attackers can easily guess which chunk of the firmware the remote is asking for.
“By carefully timing our responses, we were able to send exactly the right firmware chunk to the remote each time,” they said. “Furthermore, we found a way to temporarily crash the software running on the cable box using a malformed RF4CE packet. This simple DoS prevented the box from interfering over the course of the attack.”
Researchers said an attacker would only need a basic RF transceiver, which is cheap – a Texas Instruments CC2531 costs only a few dollars for a whole development kit – as well as a cheap 2 dBi antenna (researchers used a 16 dBi antenna for better results).
“We didn’t push this to the limit, but we were easily able to push firmware to the remote around 65 feet away from outside the apartment it was in,” they said. “This is the alarming part – it conjures up the famous ‘van parked outside’ scene in every espionage film in recent memory.”
Researchers disclosed the vulnerability to Comcast April 21, and Comcast began to release a patch on July 24. On Sept. 24, Comcast confirmed that all devices were patched.
“Nothing is more important than keeping our customers safe and secure, and we appreciate Guardicore for bringing this issue to our attention,” said Comcast in a press statement. “As detailed in this report, we fixed this issue for all affected Xfinity X1 voice remotes, which means the issue described here has been addressed and the attack exploiting it is not possible.”