The Remote From the Set-Top Box Turned Into a Listening Device

How researchers managed to hack the remote control

The subject of JJ Lehman and Ofri Ziv's study was the Remote control for the Comcast Xfinity X1 set-top box, which is extremely popular in the US, and according to researchers, the number of owners of such cable boxes exceeds 10 million. The remote control supports voice commands - for this, it has a microphone and is not the most stupid processor in the world.

In addition, the remote control uses two data transfer technologies. To switch programs and other simple actions, a standard infrared transmitter is used, which has an important advantage - it consumes a minimum of energy, so the remote control does not need frequent charging and can work for a long time on ordinary batteries.

Half of the buttons stopped working

However, for those cases where a higher TV remote control data transfer rate is needed, the remote control also has an air interface. It allows not only to send but also to receive data from the set-top box. This interface consumes more power and is therefore only used when needed.

Thus, this remote control, like many modern devices, is a small connected computer - therefore, with a high probability, it can be hacked.

The researchers were able to get the remote’s firmware (it was stored on the set-top box drive), and after studying it, they could formulate what exactly needed to be changed in it so that the remote could give a command to turn on the microphone and transmit sound over the radio.

But, of course, creating a modified firmware is not enough - you still need to somehow load it into the remote control, preferably in a non-contact way. To do this, JJ Lehman and Ofri Ziv had to study the mechanism of communication between the TV set-top box and the remote control over the air interface and update its software.

Solutions to Bluetooth remote control problems

As a result, they found out that the update process can only be initiated by the remote. Once every 24 hours, he sends a request to the set-top box to find out if there is an update for it and receives either a negative response or an offer to install a new firmware version. Then it starts downloading it.

In addition, the researchers found several important flaws in the way the remote communicates with the Xfinity set-top box. Firstly, the remote control does not check the authenticity of the firmware. That is, no matter what firmware the set-top box (or the hacker's computer pretending to be it) offers, it will download and install it without any questions.Secondly, although the set-top box and remote control usually exchange encrypted messages, this is not a prerequisite for interaction. The remote control can receive commands in clear text marked "encryption disabled" and will obediently execute them. The only difficulty is that requests from the console cannot be decrypted. However, knowing how the communication between the remote control and the set-top box works, you can guess what exactly the remote control is asking for and give it the right answer in time.

It turns out something like this:

— YdvJhd8w@a&hW*wy5TOxn3B*El06%D7?

- Yes, yes, there is a new firmware for you - download it soon!

— Cj@EDkjGL01L^NgW@Fryp1unc1GTZIYM.

- Sending a file, accept it.

Thirdly, in the firmware of the module of the set-top box itself, which is responsible for communicating with the remote control, it is quite easy to cause an error, after which this module goes to reboot. This gives the attacker sufficient time, during which only he is guaranteed to give commands to the remote control.

Thus, to hack the remote you need:

wait and "guess" the request from the console to download the update; immediately after that, “cut down” the set-top box module responsible for communicating with the remote control; give the console a positive response and issue a modified file for download.

All this happens contactless, using the radio interface.

As a result, the researchers were able to upload modified firmware to the remote control, which sent a request for an update not once every 24 hours, but once a minute, and upon receipt of a special response, turned on the microphone built into the remote control and broadcast the sound to the attackers. As an experiment, they successfully tested the performance of the method at a relatively large distance and through the wall, simulating a wiretapping van standing next to the house.

How to protect yourself

In our opinion, it is not worth worrying too much about your TV remote being hacked and turned into a listening device. Apparently, although it is feasible in practice, it is still a very exotic variant of hacking, which may be appropriate only for a targeted attack on some very difficult person. On the other hand, even if you are paranoid, it does not mean that no one is watching you. Therefore, here are some tips for the most cautious: If you use an Xfinity TV box, it makes sense to check that the latest firmware is installed in the remote - the problem has already been solved in it.It is likely that the remote controls of some other manufacturers of TVs and set-top boxes that support voice commands work on the same principle, and they may have similar vulnerabilities. Therefore, periodically check for updates to the remote and install them when they appear. The corresponding item in the settings of the TV or set-top box is most likely to be found somewhere near the Wi-Fi and Bluetooth settings.

Conclusion

If your remote supports voice commands, but you don’t use them at all, and you are worried about the possibility of listening, you can disassemble the remote and physically get rid of the microphone. Not that we consider it necessary, just keep in mind that there is such a radical solution to the problem.Also, keep in mind that a much more likely attack is hacking into your Wi-Fi network. Therefore, it should be securely configured, resettled all vulnerable IoT devices to the guest network, and use a secure connection when transferring especially valuable data.