A security flaw allowing attackers to remotely snoop in on victims’ private conversations was found to stem from an unexpected device – their TV remotes.
The flaw stems from Comcast’s XR11, a popular voice-activated remote control for cable TV, which has more than 18 million units deployed across the U.S. The remote enables users to say the channel or content they want to watch rather than keying in the channel number or typing to search.
However, researchers found a serious vulnerability in the remote, allowing attackers to take it over (details below). Worse, the ensuing attack, dubbed WarezTheRemote, does not require any interaction from the victim — it’s extremely cheap to carry out (a hacker merely needs a low-priced RF transceiver and antenna), and can be launched remotely (from up to 65 feet away).
Researchers worked with Comcast’s security team after finding the flaw and fixes have been released that remediate the issues that make the attack possible – however, in a disclosure post on Wednesday, they stressed that the incident is an important reminder of the inherent security and privacy issues plaguing even the least-suspected internet of things (IoT) devices.
“Few people think of their television remote controls as ‘connected devices,’ fewer still would guess that they can be vulnerable to attackers, and almost no one would imagine that they can jeopardize their privacy,” said researchers with Guardicore,
in a Wednesday post. “In this case, the recent development of RF-based communication and voice control makes this threat real. Even more so in these strange times: With so many of us working from home, a home-recording device is a credible means to snoop on trade secrets and confidential information.”
threatpost.com
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
