As a result of its research efforts, Security Explorations discovered multiple critical security vulnerabilities in a major Polish digital satellite TV platform and in selected set-top boxes implementing the Conax conditional access system with chipset pairing functionality.
This section of our website presents the most crucial information regarding the project that led to this discovery:
Security Explorations, a security and vulnerability research company from Poland, discovered multiple security vulnerabilities in the major (...)
One of the missions of our company is to increase general awareness of users and vendors in the area of computer and Internet security. Pro Bono security research is the essential part of that mission.
By verifying security of digital satellite set-top-boxes we wanted to find out whether they pose any security risks to end users if connected to the Internet.
These days, set-top-boxes are no longer dumb devices that can only process and display a digital satellite signal on end users' TV screens. They are complex systems that run atop dedicated hardware and software. In response to growing user needs, they also usually offer access to different Internet services, the World Wide Web in particular.
Being part of a global network, set-top-box devices cannot be perceived as dumb devices any more. Instead, they should be perceived as any other networked / communication equipment such as mobile phones and PCs. This perception involves considering potential security risks posed to end users as well.
It is thus natural to consider whether digital satellite equipment deployed in subscribers' homes opens unauthorized access to their home networks via vulnerable set-top-box devices. Similarly, it is natural to consider whether access to any TV / VOD programming that honest users paid for could be stolen from them by attackers.
We've shown that malware can infect digital satellite set-top-boxes in the very same way as it infects personal computers these days. We have demonstrated that malware code can be installed on digital satellite set-top boxes persistently and without the users' consent. Once installed, such malware code can operate silently on a target device and can provide full access to it for remote attackers. From that point, all sorts of malicious activities could be conducted on a hijacked set-top-box, of which stealing the digital satellite signal seemed to be the most interesting and novel scenario in our opinion.
We've actually proved that properly implemented malware can successfully steal and distribute digital satellite TV signal from a set-top-box subscriber in the environment of platform "N".
The weaknesses found span across multiple vendors, whose software / hardware products were used to create a digital satellite platform "N". The platform has a more generic meaning here - it is about devices, but also about the network and services.
Security Explorations worked with the equipment of only one digital satellite TV provider (Platform "N").
We found several clues [1][2][3][4] that lead us to think the equipment of some other digital satellite TV providers might also be vulnerable to some of the issues found.
Information about the real impact of the flaws requires verification with the vendors (set-top-box manufacturer and semiconductor company in particular). Since we didn't receive any information from the set-top-box / DVB chipset manufacturers about the impact of the reported issues, we suggest that all interested parties (customers, journalists, etc.) contact Advanced Digital Broadcast and STMicroelectronics companies directly for any impact related inquiries.
Chipset pairing technology was invented to protect against hacking satellite TV. Chipset pairing uniquely ties a given subscriber's smartcard to the corresponding set-top-box equipment. The pairing takes the form of a cryptographic function. It is usually implemented in silicon (DVB chipset). Its goal is to prevent set-top-box hijacking and unauthorized sharing / distribution of satellite TV programming.
The weaknesses in a chipset pairing technology may be used by intruders (or malware code) to silently share access to premium content (such as HBO, Cinemax, BBC, Discovery, etc.) with other, non-paying users. This obviously poses a great security threat to the revenue of digital satellite TV operators and content providers.
Security Explorations discovered several security weaknesses in the implementation of the chipset pairing functionality used by the investigated devices. We discovered that for STi7100 / STi7111 DVB chipsets, it is possible to extract plaintext values of Control Word cryptographic keys - the keys that protect security of content in a digital satellite TV system. For the STi7111 DVB chipset, we also discovered a way to extract the plaintext value of the pairing key itself. By doing so, we broke the security of the pairing function and the cryptographic relationship between a subscriber's smartcard and a set-top box's DVB chipset.
Given the nature of the flaws and the actual hardware component they affect (a dedicated crypto core embedded in a silicon chip), we would not be surprised if it turned out that the issues discovered have their roots in an improperly implemented hardware component (potentially a hardware bug).
It is however up to the DVB chipset vendor to make a final verdict in that case.
Some sources [5] state that a cumulative total of more than 400 million MPEG-2 and MPEG-4 decoder chips used worldwide in STBs, digital television sets and DVD/Blu-ray players were shipped to the market by STMicroelectronics (as of 2007). STMicroelectronics' own sources [7] mention 541 million as the number of these chipsets released to the market in 2008. They also describe the company as the #1 chipset vendor in the H.264 market (68% of market share in 2008). It is however very difficult for us to provide any precise number with respect to how many of these chips are actually vulnerable to the issues found. What we know is that we discovered security issues in Gen-1 (STi7100) and Gen-2 (STi7111) chipsets. This means that some other chipsets from these generations could be vulnerable to the issues found (such as STi7101 and STi7109, which share the same SoC architecture with the vulnerable STi7100). But again, the DVB chipset vendor should make a final verdict in that case.
Since on Jan-17-2012, STMicroelectronics informed us that no confidential information would be disclosed to Security Explorations in response to our impact inquiry questions, we suggest that all interested parties (customers, journalists, etc.) contact STMicroelectronics company directly for any impact related inquiries.
We found a remote attack vector allowing for the execution of malware code on selected set-top-box receivers used by the platform "N".
As of Jan-12-2012, it was not possible to use this attack vector anymore. On Feb-01-2012, Onet.pl S.A. officially confirmed to us the fixing of the issues reported to the company.
That attack made use of a specially crafted web page in order to distribute malware code into set-top boxes of visiting users. It exploited the possibility to embed a potentially malicious sequence of JavaScript code in the web page of a trusted service (Onet Foto) visited by the users of vulnerable set-top-box devices.
The attack was very dangerous as the infection process could proceed in a completely stealthy and automatic fashion. However, its successful launch did require multiple security issues to be combined together (3 in total):
- Cross-site scripting (CSS) in a trusted web service (Onet Foto),
- a bug in AIT handler / support for arbitrary Xlet execution,
- the use of "/" in system classpath / JVM class loading order.
The actual attack details were disclosed at Hack In The Box Security Conference in Amsterdam [6]. Presentation materials for the two talks given there are available to download from here.
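The third issue in the list above, a "/" entry in the system classpath, is something a platform integrator can check for mechanically: a classpath entry of "/" makes the filesystem root a class lookup location, and entries are searched left to right. The following classpath audit is an added example, not Security Explorations' or any vendor's code; the function names, the sample classpath and its paths are constructed for illustration.

```python
import os
import posixpath
import stat

def _loosely_writable(path):
    """True if `path` is an existing directory writable by group or others."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return stat.S_ISDIR(mode) and bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_classpath(classpath, writable=_loosely_writable, sep=":"):
    """Return (position, entry, reason) for each risky classpath entry.

    Entries are searched left to right, so an earlier risky entry can
    shadow every class that later entries were meant to provide.
    """
    entries = classpath.split(sep)
    findings = []
    for pos, entry in enumerate(entries):
        if entry == "":
            reason = "empty entry: resolves to the current directory"
        elif not entry.startswith("/"):
            reason = "relative entry: depends on the process working directory"
        elif posixpath.normpath(entry).strip("/") == "":
            # Catches "/", "//", "/./" and "/usr/.." alike.
            reason = "filesystem root: every directory becomes a package root"
        elif writable(posixpath.normpath(entry)):
            reason = "directory writable by non-owner accounts"
        else:
            continue
        shadowed = len(entries) - pos - 1
        findings.append((pos, entry, f"{reason}; precedes {shadowed} later entries"))
    return findings

# Constructed sample, not taken from any real device.
SAMPLE_CLASSPATH = "/:/flash/system/platform.jar:/flash/system/mw.jar::/tmp/apps"
SAMPLE_WRITABLE = {"/tmp/apps"}  # stands in for a filesystem permission check

if __name__ == "__main__":
    for pos, entry, reason in audit_classpath(SAMPLE_CLASSPATH, SAMPLE_WRITABLE.__contains__):
        print(f"[{pos}] {entry!r}: {reason}")
```

On a real image, call `audit_classpath` with the default `writable` predicate so that directory permissions are read from the mounted filesystem.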
Gluing together multiple pieces of information for the purpose of discovering the operation of an unknown crypto processor embedded in a dedicated DVB chipset (system-on-chip). This includes reverse engineering from scratch the instruction set of some unknown processor core.
Without taking into account many breaks, it would be a total of about 1.5 years of work.
We published the results of this research on 24 May 2012 at Hack In The Box Security Conference in Amsterdam [6].
In general, we support publication of vulnerability information. Such information dissemination usually helps to improve the overall state of the art of the whole security field.
No. SE-2011-01 is a Pro Bono security research project. This means that all vendors of affected technologies are given information about vulnerabilities in their products completely for free. Depending on the nature of the flaws, some vendors can also be provided with selected source code of our Proof of Concept code.
Per our disclosure policy, only original vendors of the affected technology or software are provided with brief vulnerability information.
No, we are not. By pointing out weaknesses in digital satellite TV equipment, we actually helped different vendors improve the security of their products. By choosing not to publish any details pertaining to the weaknesses found, we took steps aimed at protecting the users of affected technologies. For nearly 6 years, we have also kept our ST DVB chipsets reverse engineering tools under wraps, thus giving the vendors and operators sufficient time to address the issues (improve security of set-top-box devices, replace vulnerable DVB chipsets / STB devices, work with STMicroelectronics to mitigate the issues).
Last update: May-28-2012
Characteristics of the Proof of Concept (PoC) code developed during the research of digital satellite TV platform's security:
Commands implemented by Security Explorations' proof of concept code illustrate the following:
This page presents details of security vulnerabilities discovered as a result of our digital satellite TV research project. These details are provided in the form of presentation slides for the two talks that were given by Adam Gowdiak on 24 May 2012 at Hack In The Box Security Conference in Amsterdam.
Additionally, the slides for a keynote talk given at the JavaLand conference in 2016 are also provided. This talk referred to SE-2011-01 and our other research projects while discussing key problems related to Java platform security, its ecosystem and vendors.
The Proof of Concept codes below are provided for educational purposes only. It is expressly forbidden to use them for any purposes that would violate any domestic or international laws. If you do not agree with this policy, please leave this page.
This page presents the current status of the communication process with vendors of affected technologies.