Warnings that our IoT devices might be spying on us are nothing new—remember the smart speaker fiasco last year? But at least we expect those devices to be listening and can exercise some caution. The latest such warning, though, takes these risks to a new level. It turns out that there may be surprising little spies hiding in our living rooms.
Last December, the FBI warned that the perilous state of IoT security means that “hackers can use an innocent device to do a virtual drive-by of your digital life.” A week earlier, that same FBI office had cautioned on the danger that smart TVs can allow “manufacturers, streaming services, and even hackers an open door into your home.”
Now a new security report from the team at Guardicore, issued today, has combined those two FBI alerts, showing just how easy it is to exploit vulnerabilities in our everyday devices. And this isn’t a data theft risk—it’s much more creepy, playing like something from a spy thriller. It’s an attack scenario that “conjures up the famous ‘van parked outside’ scene in every espionage film in recent memory,” Guardicore says.
“At the low end of the risk spectrum,” the FBI warned on smart TVs, “they can change channels, play with the volume, and show your kids inappropriate videos. In a worst-case scenario, they can turn on your bedroom TV’s camera and microphone and silently cyberstalk you.”
In its report, issued today, Guardicore says it has proven that a standard voice-enabled TV remote can be hijacked to be used as a secret listening device, accessed and attacked remotely from a vehicle out in the street. The team says it was able to remotely attack and then trigger this eavesdropping on demand, operating continually if required—subject to battery life, transmitting private conversations.
Our homes now double as our offices. Eavesdropping on those homes is as likely to compromise secrets belonging to our employers as private chats or activities between family members. According to Microsoft, “the first half of 2020 saw an approximate 35% increase in total [IoT] attack volume compared to the second half of 2019.”
“We were able to listen to conversations happening in a house from about 65 feet away,” Guadicore claims. “The attack did not require physical contact with the targeted remote or any interaction from the victim… We believe this could have been amplified using better equipment… We were able to hear a person talking 15 feet away from the remote, almost word-for-word… we could have stretched that distance out, too.”
The specifics in this instance are actually less important than the theory proven out. The team at Guardicore set about attacking Comcast set-top boxes, running the theory that this commonplace appliance may be exploitable. Probing weaknesses, the team moved over to its XR11 voice-remote, “one of the most common household devices you can find,” which in this instance can be found in some 18 million U.S. homes. Guardicore reported this to Comcast in April, and have waited until now, until the vulnerability has been fixed and rolled out, before making its disclosure.
A voice remote’s combination of RF and a microphone turns an innocuous device into a genuine listening tool. “RF enables contact with the remote from afar,” Guardicore says, “which makes for a larger attack surface than a remote control would otherwise have, and the recording capability makes it a high-value target.” The remotes also have their firmware flashed over-the-air, providing attackers with an easy entry point. This, the team says, “would have allowed attackers to turn it into a listening device, potentially invading your privacy in your living room.”
Under normal circumstances, the remote control unit checks with the cable box for new firmware just once every 24 hours. After hijacking this process, the attack intercepts those same firmware check processes to trigger each on-demand eavesdropping attack. To make this more practical, the malicious firmware increases those outgoing requests to once per minute. Intercepting a request allows the attacker to start recording.
Although the comms between the box and the remote was encrypted, it had a weakness, a signature, which was all the team needed open a door through which to return a malicious firmware load. “Normally, the box would respond to this request by saying that no new firmware is available. However… we could have told the remote that there is, in fact, a new firmware image available.” This firmware was then carefully uploaded. To prevent the cable box ending the attack, the team also “found a way to temporarily crash [its own] software.”
“Nothing is more important than keeping our customers safe and secure,” Comcast says in response to the report. “We fixed this issue for all affected Xfinity X1 Voice Remotes, which means the issue described here has been addressed and the attack exploiting it is not possible… Based on our thorough review of this issue… we do not believe this issue was ever used against any Comcast customer… Technologists for both Comcast and Guardicore confirmed that Comcast’s remediation not only prevents the attack described in this paper but also provides additional security against future attempts to deliver unsigned firmware to the X1 Voice Remote.”
Again, the issue here is not a specific (now-fixed) Comcast issue, it’s a timely warning into the myriad camera and microphone equipped IoT devices we surround ourselves with. We have now seen multiple reports into smart speakers recording our conversations for training and other purposes, this simply manipulates that risk. “Most consumers have at least some idea of the risks in having a WiFi-connected baby monitor or voice-controlled smart speaker in their homes,” Guardicore says. “Few people think of their television remote controls as ‘connected devices’… The recent development of RF-based communication and voice control makes this threat real.”
And so while this issue has been fixed, you can assume that there will be countless other vulnerabilities not yet researched, discovered and disclosed. “Capabilities like these used to be the closely-guarded secrets of sophisticated, nation-state actors,” the team says—and they’re right. Only this one was executed with nothing more than some cheap electronics that any one of us could purchase online. Comcast acted quickly and did the right thing—not all IoT vendors would have done the same, most such devices do not come from large U.S. corporations.
We have seen so many IoT security reports now that users must accept the risks. You need to change standard passwords, you need to update firmware automatically or regularly when that’s not an option, you should keep a note of those devices you install and give access to your home WiFi, or better still install a router with an app that easily lets you see what’s connected. The FBI even recommends running a parallel IoT WiFi network, one without access to your core devices—albeit that’s easier said than done.
All of these risks have now been amplified by the increase in working from home. As the Financial Times warned last week, “moving from a well-furnished office to setting up a workstation at home poses new cyber security risks for businesses… The home network is likely to be used for professional as well as personal devices—including any number of smart gadgets—all of which could be targeted by malware attackers.”
According to ESET cyber guru Jake Moore, “the massive growth in IoT devices placed in the home and office is the perfect opportunity to create revenue or mayhem among users. IoT devices are far too often packaged up with weak (if any) built-in security features so the public are on the back foot from the get go. Security updates also tend to be infrequent which put further risks on the owner.”
And that’s a warning echoed by Guardicore. It’s one thing for an attacker to eavesdrop on our family chats, but “with so many of us working from home, a home recording device is a credible means to snoop on trade secrets and confidential information.” The next time you’re on a highly confidential Zoom call, spare a thought to the value of the information being discussed as openly as it would in a secure office environment.
Every IoT device you buy and power on at home, every device you add to your WiFi network, increases you risk. And where those devices are cheap IoT units, from unknown sources, those risks increase materially. If your TV or remote or speaker or fridge or toy or gadget is listening for trigger words or has the ability to transmit audio and video, then you’re taking it on trust it’s not doing so maliciously or has been compromised.
“What’s interesting is seeing these “new” incredibly complex products come under scrutiny,” warns Cyjax CISO Ian Thornton-Trump. “These new devices are sure to have exploitable bugs at all layers of the operating systems, and into the high level functions like AI and ML driven responses.”
This security report echoes that “drive-by hacking” warning—only this really is a physical drive-by, not a virtual one, an attack requiring proximity to a target location and device: “Digital assistants, smart watches, fitness trackers, home security devices, thermostats, refrigerators, and even light bulbs are all on the list. Add to that all of the fun stuff: remote-controlled robots; games and gaming systems; interactive dolls; and talking stuffed animals… What these all have in common is that they send and receive data. But do you know how that data is collected? And where it is going?”
A proximity attack such as this would be highly targeted. “The risk increases based on the profile of the target,” infosec commentator Mike Thompson points out, “like pretty much everything else.” But if you’re a lawyer, a journalist, a dissident, or hold a senior role within a large commercial enterprise or a government contractor, then that fits.
The key takeaway here is that researchers focused on a popular device, probing until they found its weakness. The device had all the component parts needed for a malicious task. Where once such a listening device would have been planted in the dead of night by covert method of entry professionals, now we’re doing that all by ourselves. As ESET’s Moore warns, “IoT owners must understand the risks when putting an audio/camera device in their home, which could be effectively seen as a surveillance bug.”