Researchers turn a Comcast voice remote into secret microphone

The flaw has already been patched.


PHILADELPHIA, PA - AUGUST 18: A view of the Comcast offices on August 18, 2015 in Philadelphia, Pennsylvania. Comcast's Voice Remote allows customers to navigate tens of thousands of shows and movies on the X1 platform with their voice. (Photo by Cindy Ord/Getty Images for Comcast)
Cindy Ord via Getty Images

We’ve all heard the urban legend about having a conversation about a product, and then seeing adverts for that product pop up in our browser. The fears that our smartphones are listening to us are unfounded, but it’s quite possible that our remote control is keeping an ear out. At least, that’s what researchers at Guardicore Labs demonstrated by turning a Comcast XR11 voice remote into a remote microphone. And while the flaw has already been patched by Comcast, it’s a sobering reminder never to trust our internet-connected gear.

Guardicore was looking into the pairing between Comcast’s set-top box and its remote, and found that the system used to push firmware updates wasn’t entirely secure. Armed with an RF transceiver, the team was able to install their own malicious software onto the remote control. After much fiddling, it was possible to listen in on conversations via the remote, including hearing “almost word-for-word” a chat taking place 15 feet away.

The team claims that with a 16dBi antenna, they could attack a handset from a range of 65 feet, although more powerful gear could extend that range. That means that, before it was patched, a canny hacker with enough time and resources (as Guardicore says, a van parked outside a house) could have listened in on your conversations at home. In a statement, Comcast said that the flaw has already been patched and is no longer exploitable.
