remote

Comcast’s Xfinity remote could have been attacked by hackers

Comcast’s Xfinity XR11 remote—which features a much-touted voice control feature—had a security flaw that could have theoretically let a hacker use the device to bug your living room. That scary scenario has been ended thanks to the Philadelphia-based cable giant’s fix of a vulnerability discovered by outside researchers.

The flaw that the Boston- and Tel Aviv-based security firm Guardicore reported to Comcast would have let an attacker outside a target’s home silently install custom firmware on the remote that would force it to record audio surreptitiously and stream it back to the attacker.

As Guardicore’s report explains at length, this would not have been a quick or easy trick. But this bullet we appear to have dodged should provide yet another reason to be wary of connected gadgets with microphones. Guardicore was able to pull off this exploit by chaining together a series of weak points in the XR11 remote that Comcast introduced in 2015:

  • The XR11 used a longer-range radio-frequency link instead of infrared, because only RF would provide enough bandwidth for voice control.
  • Although the remote is supposed to listen only when you press on its blue microphone button, there’s no physical switch ensuring that, just software.
  • The encryption meant to protect the remote’s communication with a Comcast X1 box didn’t operate all the time, including when cryptography should have safeguarded the remote’s software updates.
  • That X1 box is supposed to be the only device the remote control talks to, but sending it junk data over the same radio-frequency link could crash the software component that manages the connections.

The Guardicore researchers eventually proved that they could take over a remote from about 65 feet away, potentially allowing an attack from a sidewalk outside someone’s home. They could command the remote to start capturing audio and then stream

Corona-fied: Employers are now spying on remote workers in their homes

The future of work is here, ushered in by a global pandemic. But is it turning employment into a Worker’s Paradise of working at home? Or more of a Big Brother panopticon?

Disturbing increases in the use of digital surveillance technologies by employers to monitor their remote workers are raising alarm bells. With the number of remote workers surging as a result of the pandemic—42 percent of U.S. workers are now doing their jobs from their kitchens, living rooms, and home offices—a number of employers have begun requiring their workers to download spying software to their laptops and smartphones. The goal is for businesses to monitor what their remote employees do all day, to track job performance and productivity, and to reduce so-called “cyber-slacking.”

Business software products from Hubstaff, which tracks a worker’s mouse movements, keyboard strokes, webpages visited, email, file transfers and applications used, are surging in sales. So are sales for TSheets, which workers download to their smartphones so that employers can track their location. Another product, called Time Doctor, “downloads videos of employees’ screens” and uses “a computer’s webcam to take a picture of the employee every 10 minutes,” NPR reports. One employee told NPR, “If you’re idle for a few minutes, if you go to the bathroom or… [to the kitchen], a pop-up will come up and it’ll say, ‘You have 60 seconds to start working again or we’re going to pause your time.’”

Another system, InterGuard, can be secretly installed on workers’ computers. The Washington Post reports that it “creates a minute-by-minute timeline of every app and website they view, categorizing each as ‘productive’ or ‘unproductive’ and ranking workers by their ‘productivity score.’” Other employers are using a lower-tech approach, requiring workers to stay logged in to a teleconference service like Zoom all day so
