Comcast’s Xfinity X11 remote—which features a much-touted voice control feature—had a security flaw that could have theoretically let a hacker use the device to bug your living room. That scary scenario has been ended thanks to the Philadelphia-based cable giant’s fix of a vulnerability discovered by outside researchers.
The flaw that the Boston- and Tel Aviv-based security firm Guardicore reported to Comcast would have let an attacker outside a target’s home silently install custom firmware on the remote that would force it to record audio surreptitiously and stream it back to the attacker.
As Guardicore’s report explains at length, this would not have been a quick or easy trick. But this bullet we appear to have dodged should provide yet another reason to be wary of connected gadgets with microphones. Guardicore was able to pull off this exploit by chaining together a series of weak points in the XR11 remote that Comcast introduced in 2015:
- The XR11 used a longer-range radio-frequency link instead of infrared, because only RF would provide enough bandwidth for voice control.
- Although the remote is supposed to listen only when you press on its blue microphone button, there’s no physical switch ensuring that, just software.
- The encryption meant to protect the remote’s communication with a Comcast X1 box didn’t operate all the time, including when cryptography should have safeguarded the remote’s software updates.
- That X1 box is supposed to be the only device the remote control talks to, but sending it junk data over the same radio-frequency link could crash the software component that manages the connections.
The Guardicore researchers eventually proved that they could take over a remote from about 65 feet away, potentially allowing an attack from a sidewalk outside someone’s home. They could command the remote to start capturing audio and then stream