Security News > 2021 > September > Comcast RF Attack Leveraged Remotes for Surveillance

More details about a now-patched vulnerability in Comcast's XR11 voice remotes have emerged, which would have made it easy for a threat actor to intercept radio frequency communications between the remote and the set-top box, effectively turning the remote into a surveillance device.

The XR11 remotes are some of the most common around, with more than 18 million scattered across homes in the U.S. A man-in-the-middle attack conducted by researchers at Guardicore, dubbed "WarezTheRemote," allowed the team to listen in on conversations from up to 65 feet away.

"The combination of recording capabilities with RF-based communication led us to believe that the XR11 can be of particular interest to an attacker: RF enables contact with the remote from afar, which makes for a larger attack surface than a remote control would otherwise have, and the recording capability makes it a high-value target," the Guardicore researchers wrote.

The details of how Guardicore managed to achieve the attack were laid out further recently, AT&T noted, explaining that the remote communicates with the cable box via encrypted, short-range radio signals - which makes intercepting them all but impossible if both devices - the cable box and the remote - are working properly.

"Using a different form of attack - not described in the paper, but likely to be an SQL injection over Wi-Fi - they were able to trigger a crash in the cable box," according to AT&T's writeup/ "During the period that the box was down, the remote was vulnerable."

Comcast has made all the necessary mitigations and Guardicore reported there are no currently vulnerable devices but pointed out that up until remediation was pushed out, every one of these remotes was open to this kind of attack.

News URL

https://threatpost.com/comcast-rf-attack-remotes-surveillance/169133/