Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Comcast Cable Remotes Hacked To Snoop On Conversations

Comcast Cable Remotes Hacked To Snoop On Conversations

Security researchers analyzing Comcast’s XR11 Xfinity Voice Remote found a way to turn it into a listening device without needing physical access or user interaction.

Dubbed WarezThe Remote, the attack allowed taking over the remote and snooping on conversations from at least 65 feet (about 20 meters), making possible a “van parked outside” scenario.

One-way encryption

Unlike regular remotes that use infrared, Comcast’s XR11 relies on radiofrequency to communicate with cable set-top boxes and comes with a built-in microphone to allow voice commands. XR11 is the older model of the X1 Voice Remote, which controls the X1 video entertainment platform. There are more than 18 million units deployed in homes across the U.S. 

Researchers at Guardicore took a close look at the remote’s firmware and the software on the set-top box to understand how communication between the two devices works.

They found a weakness in the implementation of the RF4CE (Radio Frequency for Consumer Electronics) protocol responsible for encrypting the communication.

Also Read: How To Check Data Breach And How Can We Prevent It

“As it turned out, though, in the XR11’s implementation, RF4CE security is set on a packet-by-packet basis. Each RF4CE packet has a “flags” byte, and when one of its bits is set to 1, security is enabled for that packet, and its contents will be encrypted. Likewise, if the bit isn’t set, the packet will be sent in plaintext.”

– Guardicore

They discovered that the XR11 firmware accepted plaintext replies to encrypted requests from the remote. This allowed an attacker that guessed the content of a request to create a malicious response that impersonated a set-top box.

Furthermore, there was no signature check for firmware updates, letting malicious images to be installed.

The firmware check occurred every 24 hours and the request packet is encrypted. However, Guardicore researchers noticed a non-encrypted byte indicating that the request was related to the firmware, allowing them to guess the content.

Knowing these details, the researchers could respond with a plaintext packet telling the remote that a firmware update is available and to flash the XR11 test unit.

In an initial test, they modified the firmware to make one of the LEDs on the remote blink a different color:

To activate the microphone for the voice control function, the researchers reverse-engineered the remote’s firmware to find the code for the voice recording button.

They modified the software so that the recording request would occur every minute instead of just when the button was pressed. Once they replied to this request, a recording would be possible for 10 minutes.

Preparing for such an attack is certainly not easy and requires solid technical skills for reverse engineering the firmware, creating patches that would be accepted, and having the patience to flash the XR11 remote.

Guardicore says in a report today that it took them about 35 minutes to push the necessary modifications in a reliable manner using an RF transceiver.

Also Read: The Importance Of Knowing Personal Data Protection Regulations

Of course, the success of the attack also depends on the transceiver. A more expensive one would offer more consistent results. They used an ApiMote, which costs about $150 and could hear a person talking 15 feet (4.5 meters) away from the remote. A sample of the recorded conversation is available in Guardicore’s blog post.

Comcast has fixed the issues reported by Guardicore, confirming on September 24 its XR11 devices were no longer vulnerable to the WarezTheRemote attack.

Update [10/07/2020]: In a statement for BleepingComputer, Comcast underlines that the vulnerabilities are no longer affecting Xfinity X1 Voice Remotes, eliminating the possibility of a WarezTheRemote attack.

The fixes also contain security improvements that no longer permit delivering unsigned firmware to X1 Voice Remote units. Based on their review, Comcast believes that this attack was never used against its customers.

The company said that its effort to deliver secure products is embedded into all phases of product development and deployment (architecture, design, code, and testing).

“As part of that work, we actively engage with the global security research community, and work quickly to address issues they bring to our attention. We value the work of independent security researchers and the important role they play in our commitment to keeping our customers safe and secure. We encourage researchers to reach out to us with any issues through our reporting page,” the company added.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us