The researchers modified the firmware of XR11 so that the microphone could be turned on remotely.
XR11 allows users to switch channels, select programs and perform other actions using voice commands. In the course of the research, Guardicore specialists used the remote control for the Xfinity X1 set-top box.
The first stage of the attack, called WarezTheRemote, involves remotely installing a malicious firmware version on XR11. Unlike conventional remotes, which use infrared rays, the device transmits its signal to the set-top box over radio waves. Since radio waves are much longer than infrared rays, attackers can carry out the attack even when they are quite far away.
The connection between the remote control and the set-top box is encrypted, but the firmware lacks a check that encrypted requests receive only encrypted responses. In other words, attackers can send malicious responses in unencrypted form.
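The missing check can be sketched as follows. This is an added example, not code from the XR11 firmware or from Guardicore; the frame fields, message types and function names are hypothetical. It places the permissive behaviour described above beside a strict receive path that refuses a plaintext reply to an encrypted request.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical frame model: 'secured' means the link layer decrypted and
   authenticated the frame with the pairing key. */
typedef struct { uint8_t seq; uint8_t type; bool secured; } frame_t;

enum { MSG_FW_CHECK = 1, MSG_FW_AVAILABLE = 2 };  /* constructed message types */
typedef enum { RSP_ACCEPT, RSP_NO_REQUEST, RSP_DOWNGRADE } verdict_t;

#define MAX_PENDING 4
typedef struct { bool used; uint8_t seq; bool sent_secured; } pending_t;
static pending_t pending[MAX_PENDING];

/* Remember how each outgoing request was protected. */
bool track_request(const frame_t *req) {
    for (size_t i = 0; i < MAX_PENDING; i++)
        if (!pending[i].used) {
            pending[i] = (pending_t){ true, req->seq, req->secured };
            return true;
        }
    return false;  /* table full: caller should not send the request */
}

static pending_t *find_pending(uint8_t seq) {
    for (size_t i = 0; i < MAX_PENDING; i++)
        if (pending[i].used && pending[i].seq == seq) return &pending[i];
    return NULL;
}

/* Behaviour the article describes: any response matching a pending request
   is accepted, whether or not it arrived encrypted. */
verdict_t check_response_permissive(const frame_t *rsp) {
    pending_t *p = find_pending(rsp->seq);
    if (!p) return RSP_NO_REQUEST;
    p->used = false;
    return RSP_ACCEPT;
}

/* Strict: a secured request is satisfied only by a secured response. A
   plaintext reply is dropped and the request stays pending, so the genuine
   encrypted response can still be accepted afterwards. */
verdict_t check_response_strict(const frame_t *rsp) {
    pending_t *p = find_pending(rsp->seq);
    if (!p) return RSP_NO_REQUEST;
    if (p->sent_secured && !rsp->secured) return RSP_DOWNGRADE;
    p->used = false;
    return RSP_ACCEPT;
}
```

Logging every `RSP_DOWNGRADE` verdict also gives a detection signal: a plaintext answer to an encrypted request should not occur in normal operation.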
Every 24 hours, the remote control automatically checks for available firmware updates by sending the corresponding request. According to the researchers, cybercriminals can forge the response to that request and inform the remote control that a firmware update is available.
The experts were able not only to send the remote control a malicious firmware update by forging responses from the STB, but also to cause a denial of service on the STB so that it could not interfere with the attack (the firmware update took almost half an hour, and the process could be interrupted during that time).
The researchers reverse-engineered the firmware and were able to make small changes that enable remote activation of the remote control's microphone. Recorded audio was transmitted over radio waves, making it possible to overhear users’ conversations.
Comcast was notified of the vulnerabilities in April this year, and deployment of patches began on July 14. Firmware version 184.108.40.206, which fixes the vulnerability, was distributed to all devices on September 24th.