Comcast security researcher team disclosed a vulnerability found in the Comcast XR11 TV remote called “WarezTheRemote” allowing an attacker to record audio without the user’s interaction [1]. What makes this remote different from a traditional one is the capabilities of voice-activation giving the users the ability to change channels or applications without having to utilize the keys on the remote. It is said that “18 million remotes around the United States could be affected from this vulnerability [3].
Vulnerability
The XR11 remote uses RF4CE (Radio Frequency for Consumer Electronics) protocol that is a subnet to the Zigbee protocol that uses power-saving RF (Radio Frequency) to communicate with the TV’s set-top box. RF4CE protocol contains a security feature that should encrypt the contents of RF4CE packets to prevent attackers from being able to apply malicious packet injection in the connection. In the security encryption feature there are “flags” within each packet being sent, if the bite is set to 1 the contents are encrypted, however, if the bite is not set then the packet contents will be sent in plaintext [1]. The “WarezTheRemote” Vulnerability was not verifying the responses whether the packet was encrypted. Which meant if an attacker is within RF range, they can respond to the outgoing encrypted requests from the remote in plaintext because the device was accepting any false responses. Becoming the man-in-the-middle attack through the RF (Radio Frequency) with the set-top box and over-the-air firmware upgrade [2].
Impact
If there was an attacker about 65 feet away or closer with a basic RF transceiver, they would be able to view the remote plaintext request giving easy access to respond with a malicious request. The compromised malicious firmware would then give the attack the ability to use the remote as a listening/recording device without the user having to interact with the remote. It is also suspected that if the attacker had a more amplified RF transceiver the 65 feet distance could be extended [2].
Mitigation
Comcast has released a statement about the vulnerability ensuring all customers that have the XR11 remote the patch 1.1.4.0 has been deployed.
Relevance
This vulnerability holds relevance because about 18 million United States customers were vulnerable of the possibility of an attack spying and listening into conversations in the privacy of their homes. The moment the attacker gained control the user is then exposed with not having to interact with the remote.