You can download our full research paper for the technical details of the WarezTheRemote project. We worked with Comcast’s security team after finding the vulnerability, and they have released fixes that remediate the issues that made the attack possible. Using a 16dBi antenna, we were able to listen to conversations happening in a house from about 65 feet away, and we believe this range could easily have been extended using better equipment. The attack did not require physical contact with the targeted remote or any interaction from the victim – any hacker with a cheap RF transceiver could have used it to take over an XR11 remote.
WarezTheRemote used a man-in-the-middle attack to exploit the remote’s RF communication with the set-top box and its over-the-air firmware upgrade mechanism – by pushing a malicious firmware image back to the remote, attackers could have used the remote to continuously record audio without user interaction.