Bugtraq mailing list archives

Re: [SE-2011-01] Security vulnerabilities in a digital satellite TV platform


From: Security Explorations <contact () security-explorations com>
Date: Mon, 09 Jan 2012 20:02:14 +0100


Dear Bugtraq,

I would like to clarify a few things with respect to information about
security vulnerabilities in a digital satellite TV platform published
by me on Bugtraq on Jan 03 2012.

The reason for it is that we've been receiving information that the
issues discovered were not clear enough for some audience. Thus, this
post.

1) 24 vulnerabilities mentioned in the initial Bugtraq post and on our
   website were discovered both in software and hardware.

   The weaknesses found span across multiple vendors, whose software /
   hardware products were used to create digital satellite platform "N".
   The platform here has more generic meaning - it is about devices,
   but also about network and services.

   Profiles of the vendors that received our vulnerability notices differ
   very much as illustrated below:
   a) Onet.pl S.A (Internet company, runs one of the largest web portals
      in Poland),
      the company received information about 4 bugs,
   b) Advanced Digital Broadcast (the Swiss maker of equipment needed
      to view digital television, it developed investigated set-top-boxes
      for ITI Neovision),
      the company received information about 12 bugs,
   c) STMicroelectronics (the Swiss semiconductor company),
      the company received information about 3 bugs,
   d) ITI Neovision (Polish digital satellite TV provider, one of the
      major players in Poland),
      the company received information about 2 bugs,
   e) Conax AS (it provides conditional access system for satellite
      TV),
      the company received information about 2 bugs,
   f) DreamLab Onet.pl S.A. (sister company of Onet.pl S.A., does many
      software developments for Onet.pl S.A.),
      the company received information about 1 bug,

   In the group above, Advanced Digital Broadcast is the only set-top
   box manufacturer and Security Explorations worked with their devices
   only. These were set-top-box device models ITI5800S, ITI5800SX,
   ITI2850ST and ITI2849ST. They all run dedicated Java middleware atop
   of the OS.

   Taking the above into account, Conax AS or Onet.pl S.A. should not be
   identified as set-top-box manufacturers as they are not.

   We identified 12 security issues in a set-top-box software. The remaining
   12 security issues found affect products / services of other companies.

2) as for now, this is the case about "multiple vulnerabilities in a
   digital satellite TV platform", not about "Multiple Digital Satellite
   TV Platforms".

   Security Explorations worked with the equipment of only one digital
   satellite TV operator (Platform "N").

   Although we found some clues [1][2][3] that let us think that equipment
   of some other digital satellite TV operators might be also vulnerable
   to some of the issues found, we would not like to go that far with our
   claims at the moment.

   Information about the real impact of the flaws requires verification
   with the vendors (set-top-box manufacturer and semiconductor company
   in particular).

3) Security Explorations didn't release any proof of concept code for
   the security issues discovered in a digital satellite TV platform.

   There are pages dedicated to our proof of concept code at our website,
   but these pages only describe the functionality of the PoC we developed
   during our research and give some textual samples of its operation
   (to be precise, some short MPEG captures of a real satellite TV programming
   are also given). Nothing else was published with respect to the proof
   of concept code at the moment.

4) Chipset pairing technology was invented to protect against hacking
   satellite TV. Chipset pairing uniquely ties a given subscriber's smartcard
   with a corresponding set-top-box equipment. The pairing has a form of a
   cryptographic function. It is usually implemented in a silicon (DVB
   chipset). The goal of the latter is to prevent set-top-box hijacking
   and unauthorized sharing / distribution of a satellite TV programming.

   The weaknesses in a chipset pairing technology may be used by intruders
   (or malware code) to silently share access to premium content (such as
   HBO, Cinemax, BBC, Discovery, etc.) with other, non paying users. This
   obviously poses a great security threat to the revenue of digital satellite
   TV operators and content providers.

   We take this opportunity and would like to emphasize that the chipset
   pairing attack was not our initial goal. We are not satellite TV pirates,
   but security researchers.

I hope the above clarifications put more light into our research project and
that they help better understand the nature of security issues discovered.

Thank You.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] "STMicroelectronics Enables Dish TV Digital Set-Top Boxes as India’s Direct-To-Home Leader Targets Growth Through Innovation"
    (http://www.prnewswire.com/news-releases/stmicroelectronics-enables-dish-tv-digital-set-top-boxes-as-indias-direct-to-home-leader-targets-growth-through-innovation-99769204.html)

[2] "New Spanish Satellite Pay Platform Sets Launch Date"
    (http://www.isuppli.com/Media-Research/MarketWatch/Pages/New-Spanish-Satellite-Pay-Platform-Sets-Launch-Date.aspx)

[3] "STMicroelectronics Strengthens Position in Polish Direct-To-Home Digital TV Arena with Latest High-Definition Set-Top-Box Design Win"
    (http://www.prnewswire.com/news-releases/stmicroelectronics-strengthens-position-in-polish-direct-to-home-digital-tv-arena-with-latest-high-definition-set-top-box-design-win-102437724.html)

