Comcast’s Xfinity XR11 remote—which features a much-touted voice control feature—had a security flaw that could have theoretically let a hacker use the device to bug your living room. That scary scenario has been ended thanks to the Philadelphia-based cable giant’s fix of a vulnerability discovered by outside researchers.
The flaw that the Boston- and Tel Aviv-based security firm Guardicore reported to Comcast would have let an attacker outside a target’s home silently install custom firmware on the remote that would force it to record audio surreptitiously and stream it back to the attacker.
As Guardicore’s report explains at length, this would not have been a quick or easy trick. But this bullet we appear to have dodged should provide yet another reason to be wary of connected gadgets with microphones. Guardicore was able to pull off this exploit by chaining together a series of weak points in the XR11 remote that Comcast introduced in 2015:
- The XR11 used a longer-range radio-frequency link instead of infrared, because only RF would provide enough bandwidth for voice control.
- Although the remote is supposed to listen only when you press on its blue microphone button, there’s no physical switch ensuring that, just software.
- The encryption meant to protect the remote’s communication with a Comcast X1 box didn’t operate all the time, including when cryptography should have safeguarded the remote’s software updates.
- That X1 box is supposed to be the only device the remote control talks to, but sending it junk data over the same radio-frequency link could crash the software component that manages the connections.
The Guardicore researchers eventually proved that they could take over a remote from about 65 feet away, potentially allowing an attack from a sidewalk outside someone’s home. They could command the remote to start capturing audio and then stream that audio back to a computer impersonating a Comcast X1 box.
“We worked at this on and off over the course of around nine months,” wrote senior researcher JJ Lehmann in an email. “Reverse-engineering the remote’s firmware was a very long process—it was like spending an hour or two every day for six months on a huge crossword puzzle, but without knowing a single hint.”
The report credits Comcast with responding promptly and professionally after Guardicore disclosed the vulnerability.
Fortunately, the report credits Comcast with responding promptly and professionally after Guardicore disclosed the vulnerability on April 21. Comcast started work on a patch to fix the remote’s encryption two weeks later, began testing that fix on June 25, released the patch on July 14, and finished distributing it to all affected remotes by September 24.
Although flaws in the XR11’s cryptography were first publicized in a 2017 talk at the Defcon hacker conference—researcher Logan Lamb, then with Bastille Security Group, showed how they pushed their own update to the remote and said “the reason you can do this is because there’s no crypto involved”—Comcast says it doesn’t believe any customer got hit with this attack.
“Based on our thorough review, which included Guardicore’s research and our own technology environment, we don’t believe this issue was ever used against any Comcast customer,” emailed spokesman David McGuire. “We thank Guardicore for its responsible disclosure of this matter and appreciate the important role that independent security researchers play in our ongoing commitment to keeping our products and customers safe and secure.”
Comcast provides a dedicated channel for researchers to report vulnerabilities and pays rewards for confirmed submissions of flaws as part of a program managed by the security firm Bugcrowd.
That openness to reports of trouble from outsiders (see also this winter’s prompt fix of a serious vulnerability in Hue connected light bulbs) represents an underrated but welcome change in attitude among much of corporate America.
Chris Wysopal, now chief technology officer at Veracode, put things this way at a 2018 hearing in Washington, D.C., 20 years after he’d testified before Congress as a member of the hacker collective Løpht Heavy Industries: “We went from, you know, ‘please go away, you’re horrible,’ to ‘thank you very much, here’s some money.'”
This Comcast episode’s happy ending doesn’t change the underlying plot of the security of connected gadgets, some of which come from companies less responsive to warnings of vulnerabilities.
And while Comcast erred by not including a hardware control for the remote’s microphone—a last line of defense in Amazon Echo devices and one that Lemann said “could entirely prevent this sort of abuse”—other TV and streaming-media vendors have moved a step ahead to include far-field microphones that are always on. That could make them even more tempting targets for abuse by hackers.
Lehmann’s less-than-cheerful conclusion: “As long as we’re surrounded by devices that connect to other devices, these threats will become more and more prevalent.”