How to hack a TV and a cable remote control to listen to anyone’s conversation at home

A group of cybersecurity experts has found a way to turn a Comcast remote control into a device capable of capturing audio without the need for physical access or target user interaction. The attack, dubbed “WarezTheRemote”, allows threat actors to take control of the device to spy on victims’ conversations within a range of 20 yards.

The device exploited in the attack is a Comcast XR11 remote control, which, unlike other similar devices, relies on radio frequency to communicate with the cable decoder and has a built-in microphone to capture voice commands. Guardicore experts examined the device’s firmware and discovered how communication between the remote control and the set-top box is handled.


During the investigation, experts encountered a security flaw in the implementation of the Consumer Electronics Radio Frequency Protocol (RF4CE), which is responsible for encrypting transmitted information: “RF4CE security is established packet by packet; when sending the information, if a bit of these packets is not set correctly, the packet is sent in plain text,” the report mentions.

XR11 firmware accepted plain text responses to encrypted requests from the remote control, allowing threat actors to guess the contents of a request by creating a malicious response that was passed through a decoder.
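The receiver-side check this flaw calls for, as an added example (not code from the Guardicore report or from Comcast's firmware): the decision to accept plaintext is taken from link state rather than from the flag in the incoming packet. The one-byte frame model, the flag's bit position and all names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model: one frame-control byte carrying a per-packet
 * "security enabled" flag. Bit position and names are assumptions. */
#define FC_SECURITY_ENABLED 0x04u

typedef enum { FRAME_DROP, FRAME_PLAINTEXT, FRAME_DECRYPT } verdict_t;

typedef struct {
    bool paired;            /* a link key is shared with this peer */
    bool awaiting_response; /* one of our requests is outstanding */
    bool request_secured;   /* that request was sent encrypted */
} link_state_t;

/* Behaviour the report describes: the sender-controlled flag alone picks
 * the path, so a plaintext reply to an encrypted request is processed. */
verdict_t check_frame_flawed(const link_state_t *st, const uint8_t *f, size_t len)
{
    (void)st;
    if (f == NULL || len < 1) return FRAME_DROP;
    return (f[0] & FC_SECURITY_ENABLED) ? FRAME_DECRYPT : FRAME_PLAINTEXT;
}

/* Hardened policy: link state, not the incoming flag, decides whether
 * plaintext is acceptable. FRAME_DECRYPT still means "decrypt and verify
 * the integrity code"; a set flag is never proof of authenticity. */
verdict_t check_frame_strict(const link_state_t *st, const uint8_t *f, size_t len)
{
    if (st == NULL || f == NULL || len < 1) return FRAME_DROP;
    bool secured = (f[0] & FC_SECURITY_ENABLED) != 0;
    if (st->awaiting_response && st->request_secured)
        return secured ? FRAME_DECRYPT : FRAME_DROP;
    if (secured)
        return st->paired ? FRAME_DECRYPT : FRAME_DROP; /* no key, cannot verify */
    return FRAME_PLAINTEXT;
}

int main(void)
{
    const link_state_t st = { true, true, true };
    const uint8_t plain_reply[] = { 0x01, 0xAA }; /* constructed sample */
    printf("flawed=%d strict=%d\n",
           check_frame_flawed(&st, plain_reply, sizeof plain_reply),
           check_frame_strict(&st, plain_reply, sizeof plain_reply));
    return 0;
}
```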


In addition, the experts reverse engineered the firmware of the remote control in order to activate the microphone, altering the software so that recording requests were triggered automatically every minute. Researchers were able to record up to 10 minutes of audio.

Deploying this attack is complex: advanced hacking skills are required to correctly reverse engineer the firmware, create the required patches, and upgrade the XR11 remote control, which complicates an attack in real-world scenarios. Its success would also depend on other variables, such as the capacity and cost of the required devices.

Comcast received the report and has already fixed the problems reported by the researchers. On September 24, the company reported that its XR11 devices were fully protected from the attack described by Guardicore.