Researchers recently discovered the ‘WarezTheRemote’ attack, which affects Comcast’s XR11 voice remote control. This security flaw allows cyber attackers to remotely snoop in on victims’ private conversations was is found to stem from an unexpected device, their TV remotes. Huh?
The flaw stems from Comcast’s XR11, a popular voice-activated remote control for cable TV, which has more than 18 million units deployed across the US. The remote enables users to say the channel or content they want to watch rather than keying in the channel number or typing to search. Using this convenient feature, researchers found a serious vulnerability in the remote, allowing attackers to take control over the remote. Worse, the ensuing attack, called WarezTheRemote, does not require any interaction from the victim. It is extremely cheap to carry out (a hacker merely needs a low-priced RF transceiver and antenna) and can be launched remotely (from up to 65 feet away).
Researchers worked with Comcast’s security team after finding the flaw. Fixes have been released that remediate the issues that make the attack possible. In a disclosure post, Comcast stresses that the incident is an important reminder of the inherent security and privacy issues plaguing even the least-suspected Internet of things (IoT) devices.
“Few people think of their television remote controls as ‘connected devices,’ fewer still would guess that they can be vulnerable to attackers, and almost no one would imagine that they can jeopardize their privacy,” said researchers with Guardicore. “In this case, the recent development of RF-based communication and voice control makes this threat real. Even more so in these pandemic times. With so many people working from home, a home-recording device is a credible means to snoop on trade secrets and confidential information.”
By extensively reverse-engineering both the remote’s firmware and the software it communicates with on the set-top box, researchers found an error in the way the remote handles incoming RF packets. To understand the flaw, it is first important to look at how XR11 voice remotes work. The remote communicates with the television set-top box over the RF4CE (Radio Frequency for Consumer Electronics) protocol. RF4CE, which is a subset of the Zigbee family of power-saving RF protocols, has a feature called ironically, “security,” which should encrypt the contents of RF4CE packets to bar attackers from injecting malicious packets into the connection.
However, in the XR11’s implementation, the RF4CE “security” feature is set on a packet-by-packet basis. Each packet has a “flags” byte, and when one of its bits is set to 1, its contents will be encrypted and if the bit is not set, the packet will be sent in plaintext.
The vulnerability lies in the fact that the original XR11 firmware did not verify that responses to encrypted requests are encrypted as well. That means an attacker within RF range (about 65 feet away) could view requests from the remote in plaintext allowing them to easily formulate a malicious response to that request.
“WarezTheRemote used a man-in-the-middle attack to exploit remote’s RF communication with the set-top box and over-the-air firmware upgrades by pushing a malicious firmware image back the remote, attackers could have used the remote to continuously record audio without user interaction,” they said.
Researchers say that the remote’s firmware queries the box it is paired with, be a default for a new firmware once every 24 hours. That means in a real-life attack, a cyber actor would need to wait for the firmware upgrade query to occur. “The request packet is encrypted, so an attacker cannot actually read its contents, but there is a non-encrypted byte in the packet’s header that indicates that this request is firmware-related, which allows the attack to guess its contents without actually decrypting it,” they said.
Following this initial exchange, the remote then sends out a series of requests asking for the contents of the firmware image, chunk by chunk. The order these chunk requests are sent in is entirely predictable meaning attackers can easily guess which chunk of the firmware the remote is asking for. “By carefully timing our responses, we were able to send exactly the right firmware chunk to the remote each time,” they said. “Furthermore, we found a way to temporarily crash the software running on the cable box using a malformed RF4CE packet. This simple DoS prevented the box from interfering over the course of the attack.” Researchers said an attacker would only need a basic RF transceiver, which is cheap a Texas Instruments CC2531 costs only a few dollars for a whole development kit as well as a cheap 2 dBi antenna (researchers used a 16dBi antenna for better results).
“We didn’t push this to the limit, but we were easily able to push firmware to the remote around 65 feet away from outside the apartment it was in,” they said. “This is the alarming part it conjures up the famous ‘van parked outside’ scene in every espionage film in recent memory.”
Researchers disclosed the vulnerability to Comcast on 21 April 2020 and Comcast began to release a patch on 24 July. On 24 September, Comcast confirmed that all devices were patched. “Nothing is more important than keeping our customers safe and secure, and we appreciate Guardicore for bringing this issue to our attention,” said Comcast in a press statement. “As detailed in this report, we fixed this issue for all affected Xfinity X1 voice remotes, which means the issue described here has been addressed and the attack exploiting it is not possible.”
This is a scary example of technology pushing products to market before properly checking on the security protections. The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking malware attacks.
Red Sky Alliance offers tools and services to help stop cyber-attacks.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication company wide.
- Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
Our services can help protect with attacks similar as the Comcast hack. We provide both internal monitoring in tandem with RedXray notifications on ‘external’ threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.
Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941