Comcast Cable remotes and TV top box vulnerability

November 3, 2020
Comcast Cable remote tv box set vulnerability exploit malicious code injection WarezThe Remote

A recent update to TV top box software has been released by Comcast to its 18 million devices used at home for digital TV subscribers in the United States region. Affected devices are specifically the XR11 entertainment platform. This has been immediately patched after cybersecurity ethical hackers able to scrutinized and hacked its communication platform.

Based on the submitted vulnerability scanner report, researchers can inject malicious codes into the software that the Comcast Xfinity remote and TV set boxes used. Named as WarezThe Remote – malicious code that is being injected, ethical hackers can flash current communication software between the remote and TV boxes. As the communication between the remote and top box used Radio Frequency rather than the usual infrared, this has allowed exploiting frequency tapping.

In this report, they were able to exploit the built-in microphone in the remote control for the voice command feature of the TV top box. Instead of sending the command to the top box, the microphone can broadcast audio that it captures up to 65 feet or 20 meters. This means that adversaries who can control the device can listen to the recorded audio captured by the microphone from a surveillance car within the given range.

They were able to inject the malicious codes on the detailed report since the top boxes received a plain text or unencrypted command from the remote. They were able to flush current software into the hackers-controlled software. As an initial test, they set the LED of the remote show in a different color. Since a success, they were able to inject the code that lets the microphone be turned on every minute to perform its listening command rather than being activated when the microphone button is pressed. Hence, able to conclude the vulnerability report.

Upon receipt, Comcast did not waste any time and immediately developed a software patch to resolve the vulnerability report and further strengthen the said devices’ security. They were grateful to the researcher for discovering the weaknesses and encouraged other researchers to report any other fault located within their system.


Comcast concluded that they were fortunate to know the issue before this can be exploited by scheming adversaries and confirmed that no report has been recorded relating to the said vulnerability.


Comcast has been serving homes in the United States for more than 40 states that provide internet, phone, and cable television services. This tagged them as the prominent and largest company that caters to such home services in the mentioned region.

About the author

Leave a Reply