This blog was written by an independent guest blogger.
This year’s RSA Conference was certainly a surprising one. There was an understandable focus, of course, on remote working security, alongside a relatively high number of presentations dealing with the issues of the moment – Kubernetes, the IoT, and the Biden administration’s plans for cybersecurity.
In the midst of these headline presentations, it was easy to miss some of the less dramatic research, and even easier to miss its implications. One such paper was given by a group of researchers from Guardicore, who demonstrated that it is possible to turn Comcast TV remotes into eavesdropping tools.
In this article, I want to take a look at the exploit, assess how likely it is to be feasible in the real world, and then think about its implications for the IoT more generally.
At one level, the reported hack was simple enough. The researchers were able to take a popular model of Comcast TV remote – the XR11 – and use it to record voice commands. They were then able to access these recordings via the internet. At a more technical level, explained the researchers, they were able to trick the XR11 into downloading a modified version of the firmware that added a command to record and transmit audio via the on-board microphone the remote uses for voice commands.
The details of how they managed to achieve this are a little more complicated, though. The remote communicates with its home cable box not through standard Wi-Fi signals, but instead via short-range radio signals. In addition, these signals are encrypted. This makes intercepting them all but impossible if both devices – the cable box and the remote – are working properly.
To get around this issue, the team at Guardicore decided to remove the cable box from the equation. Using a different form of attack – not described in the paper, but likely to be an SQL injection over Wi-Fi – they were able to trigger a crash in the cable box. During the period that the box was down, the remote was vulnerable.
The researchers could then invoke a network node that mimicked the cable box the remote was supposed to be communicating with. The researchers were then able to send a firmware update to the remote that loaded essentially any firmware they liked. Beside a quick redundancy check, in fact, they found that the remote didn’t check the firmware being loaded at all.
The hackers took advantage of this process and created a script that would attempt to slip a modified packet into the update stream. This packet did not actually include the recording command, but rather told the remote to change its update checks from once every 24 hours to once per minute. Then, they uploaded the code needed to start recording voices in small packets, so they would not be detected.
What they were left with is quite startling – a TV remote that automatically recorded voices around it, and then sent these to the researchers via an encrypted file.
The real world
The attack, it should be said, is scary. With the rise in online content consumption and ubiquity of smart televisions, the idea that your TV remote is listening to you is enough to freak anyone out. However, and before I speculate on the implications of this research, it’s also important to recognize that the chances of this attack succeeding “in the wild” are very small.
That’s for several reasons. One is that a threat actor would have to be within a very short range – on the matter of feet – to intercept the radio signals that the team used to upload their malicious “firmware”. This makes the attack highly unlikely to be deployed at scale.
Secondly, and to give credit where it is due, this specific bug was reported to Comcast last year and was patched by the cable giant in September; Guardicore published a blog post about the technique in October. Anyone using an XR11 remote has long since been protected.
Third – and for me this is the most important limitation of the attack – the firmware didn’t give the team any form of escalated privilege in the victims’ system. By that, I mean that they were not able to use this access to gather further information on the victim. An attack of this type would not allow an attacker to get into a smart TV’s Netflix settings, for instance, and steal your billing information.
With all these limitations out of the way, it’s also important to say that this kind of attack is scary. But this may not be for the reasons you expect. TV remotes are, of course, one of the essential accessories for your TV, and because of this they are in widespread use across the country. Any attack that was able to compromise them en masse would end up collecting a huge amount of data, some of which would be lucrative.
However, as I’ve said above, executing such an attack at scale is unlikely, because it essentially means having access to victims’ homes. But – and it’s an important but – TV remotes are not the only devices to use radio communications in this way. In fact, the contactless payment systems in use in many retail stores also use them, as does Bluetooth.
Though those who use SMS capabilities on their smartphones are already at risk of being hacked through texting if they aren’t careful, there is another intriguing possibility – that an attacker could use a similar technique to trick a smartphone into connecting with a malicious Bluetooth source, and use this source to send malicious firmware. And as more and more devices come to use RF to communicate – including many of the devices that constitute the nascent IoT – the risk of this sort of attack is only going to rise.
This danger was, in fact, explicitly noted by the Guardicore researchers. As vice president of research Ofri Ziv told SearchSecurity recently, “if more devices start relying on RF, it’s likely more attacks will come from this direction. Assuming Comcast isn't the only company using this,” he continued, “it is likely the flaw we took advantage of will show up in other gear too." And that’s when a niche presentation at RSA becomes headline news.