Comcast’s Xfinity voice remote had a security flaw that gave hackers a way to spy on consumers in their homes, but the Philadelphia cable giant says it fixed the vulnerability before harm could be done.
Although the hack was complex and required radio equipment, it is the latest example of security threats found in connected devices that consumers increasingly bring home.
Guardicore, a cybersecurity firm based in Tel Aviv, Israel, says it found the flaw that would have let bad guys install malicious firmware to turn a TV remote into a listening device, recording living room conversations with alarming clarity. The company’s researchers reported the vulnerability in April to Comcast, which launched an investigation into the issue and fixed the flaw on all devices by September, the companies said.
“If you wouldn’t buy yourself [Amazon’s] Alexa or other smart home devices — I don’t think that you would think about the Comcast set-top box and its remote as something that will ever be a risk to your privacy,” said Ofri Ziv, vice president of research at Guardicore.
Much of the previous research on such threats has focused on internet-connected devices, such as “smart” speakers, but TV remotes have gotten little attention, Guardicore researchers said. There are 18 million of the Xfinity “XR11” remotes in homes across America, making it “one of the most widespread remote controls in existence,” according to the firm’s report published Wednesday.
Comcast’s voice remote is not connected to the internet, but it does use radio frequency rather than the traditional infra-red. With a radio transceiver and an antenna, Guardicore was able to interfere with daily communication between the cable box and remote to send software updates, the Israeli company said. Researchers temporarily put the box out of commission, impersonated the box, and sent malicious software that made the remote record and transmit audio on command, without users pushing the microphone button, said JJ Lehmann, Guardicore’s senior researcher.
Researchers were able to take over the remote from 65 feet away, but better equipment could have allowed them to deploy the attack from even farther, they said.
“This is the alarming part,” they wrote in the report. “It conjures up the famous ‘van parked outside’ scene in every espionage film in recent memory.”
In a statement, Comcast said that, after a thorough review, it does not appear the flaw was ever used against its customers, and that the recent fix prevents the attack described by Guardicore and provides additional security. The remote hacked by Guardicore is an older model that Comcast no longer ships to customers.
“Nothing is more important than keeping our customers safe and secure, and we appreciate Guardicore for bringing this issue to our attention,” the statement said.