Warnings that our IoT devices might be spying on us are nothing new—remember the smart speaker fiasco last year? But at least we expect those devices to be listening and can exercise some caution. The latest such warning, though, takes these risks to a new level. It turns out that there may be surprising little spies hiding in our living rooms. Last December, the FBI warned that the perilous state of IoT security means that “hackers can use an innocent device to do a virtual drive-by of your digital life.” A week earlier, that same FBI office had cautioned on the danger that smart TVs can allow “manufacturers, streaming services, and even hackers an open door into your home.”
Now a new security report from the team at Guardicore, issued today, has combined those two FBI alerts, showing just how easy it is to exploit vulnerabilities in our everyday devices. And this isn’t a data theft risk—it’s much more creepy, playing like something from a spy thriller. It’s an attack scenario that “conjures up the famous ‘van parked outside’ scene in every espionage film in recent memory,” Guardicore says.
“At the low end of the risk spectrum,” the FBI warned on smart TVs, “they can change channels, play with the volume, and show your kids inappropriate videos. In a worst-case scenario, they can turn on your bedroom TV’s camera and microphone and silently cyberstalk you.”
In its report, issued today, Guardicore says it has proven that a standard voice-enabled TV remote can be hijacked and used as a secret listening device, accessed and attacked remotely from a vehicle out in the street. The team says it was able to remotely attack the device and then trigger this eavesdropping on demand, transmitting private conversations continually if required, subject to battery life.
Our homes now double as our offices. Eavesdropping on those homes is as likely to compromise secrets belonging to our employers as private chats or activities between family members. According to Microsoft, “the first half of 2020 saw an approximate 35% increase in total [IoT] attack volume compared to the second half of 2019.”
“We were able to listen to conversations happening in a house from about 65 feet away,” Guardicore claims. “The attack did not require physical contact with the targeted remote or any interaction from the victim… We believe this could have been amplified using better equipment… We were able to hear a person talking 15 feet away from the remote, almost word-for-word… we could have stretched that distance out, too.”
The specifics in this instance are actually less important than the theory proven out. The team at Guardicore set about attacking Comcast set-top boxes, testing the theory that this commonplace appliance may be exploitable. Probing for weaknesses, the team moved over to Comcast’s XR11 voice remote, “one of the most common household devices you can find,” which in this instance can be found in some 18 million U.S. homes. Guardicore reported this to Comcast in April and has waited until now, when the vulnerability has been fixed and the fix rolled out, before making its disclosure.
A voice remote’s combination of RF and a microphone turns an innocuous device into a genuine listening tool. “RF enables contact with the remote from afar,” Guardicore says, “which makes for a larger attack surface than a remote control would otherwise have, and the recording capability makes it a high-value target.” The remotes also have their firmware flashed over-the-air, providing attackers with an easy entry point. This, the team says, “would have allowed attackers to turn it into a listening device, potentially invading your privacy in your living room.”
Under normal circumstances…