Guardicore has discovered a new attack vector on Comcast’s XR11 voice remote that would have allowed attackers to turn it into a listening device – potentially invading your privacy in your living room.

Before its remediation by Comcast, the attack, dubbed WarezTheRemote, was a genuine security threat: with more than 18 million units deployed across homes in the USA, the XR11 is one of the most widespread remote controls in existence.

The team broke into RF communication between the remote and set-top box and listened in on conversations with a basic RF transceiver. 

WarezTheRemote used a man-in-the-middle attack to exploit the remote’s RF communication with the set-top box and over-the-air firmware upgrades by pushing a malicious firmware image back to the remote, which attackers could have used to continuously record audio without user interaction. 

The attack did not require physical contact with the targeted remote or any interaction from the victim. Bud Broomhead, CEO at Viakoo, a Mountain View, Calif.-based provider of automated IoT cyber hygiene, says, “This is yet another example of IoT device vulnerabilities being exploited by nefarious cyber attackers leading to ransomware, stolen data, or gaining control of a sensitive system. Remediation of IoT device vulnerabilities and maximizing their defensive posture are crucial parts of preventing cascading cyberattacks. Remediation includes upgrading IoT device firmware containing the latest security patches, initial provisioning and rotation of certificates like 802.1x, and credentialing with password enforcement, all at scale across the enterprise. After remediation comes the repatriation of IoT devices back into production as full, secure network citizens, replete with an audit trail for compliance and governance.”

And, while this highlights the need of IoT device makers to think about security to prevent fairly basic attacks like this, it is more important not to lose sight of the more severe risks, explains John Bambenek, Threat Intelligence Advisor at Netenrich, a San Jose, Calif.-based digital IT and security operations company. “While a subset of people need to worry about a stalker hiding in their bushes, the privacy risk is the amount of data these IoT devices are enabling organizations to vacuum upon consumers and whether those entire datasets can be taken and abused by criminals.”

Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Georgia-based leader in incident response, says the research highlights why independent security research is essential for consumers. 

Williams adds, “Consumers need to realize that everything that has a microphone can potentially be turned into a listening device. When Amazon released the Echo, many researchers screamed, “the sky is falling,” but of course, those worst fears never came to pass. This has likely lead to some complacency among the public. Amazon expended significant resources on privacy and security that most producing devices with microphones device have not. As we’ve seen with IP-based security cameras before, much of this hardware is a race to the bottom.”