Full Disclosure mailing list archives
TiVo , msn TV & Big Brother
From: "meme-boi" <meme-boi () nothotmail org>
Date: Wed, 4 Jun 2003 15:56:40 -0700 (PDT)
<snip> SAN JOSE, California (AP) -- TiVo, the leading maker of digital television recorders, is offering advertisers and broadcasters information on the commercials and shows its users are watching. TiVo executives said this week they will gather viewing information only in aggregate, such as by ZIP code, rather than individually. The habits of individual users will remain anonymous. http://www.cnn.com/2003/TECH/ptech/06/04/tivo.patterns.ap/index.html </end snip> I say shame on them! For one, after selling a product to a consumer the device should be his and not be used to further fatten the pockets of immoral pirates such at these. So , after letting my anger die down a bit , I decided to go do a little reading to see if I could poke a hole the preposterous claim that the all mighty TiVo could protect its users sensitive data. Let's take a look. After visiting the TiVo developer site , I learned a few things , the most immediately useful being the fact that it sent IGMP v2 Multicast Membership reports , which are pretty simple to sort out on your average cable network segment. I started with: tcpdump -i eth0 -e -v | grep igmp > tv.txt After about an hour I went through the file looking for something besides the routers from my ISP and , while I didn't find any TiVo subscribers on my wire , I did find several: 12:48:19.004264 0:30:c1:ad:91:97 1:0:5e:0:1:3c ip 60: *.*.*.* TVE-ANNOUNCE.MCAST.NET: igmp v2report TVE-ANNOUNCE.MCAST.NET [ttl 1] (id 3884, len 28) packets from a subscriber on my segment leaving for: TVE-ANNOUNCE.MCAST.NET google turns up: tcp, udp tve-announce TVE Announce corp.webtv.net which happens to be owned by msnTV ------------------------------------------------ Theoretical attack on packet video subscribers that are targeted for ILLEGAL marketing studies ----------------------------------------------- Step 1: Grep network segment for subscribers using above method. Step 2: Set up snort to watch all multicast traffic coming from subscribers found using step 1. Step 3: Write a filter to watch all non multicast traffic and determine the time intervals non "membership report" packets are leaving the devices. Step 4: Set up a cron job based on a snort rule set to poison the ARP cache of the subscriber , snag a copy of the information and forward to prov- ider like nothing has happened ( man in the middle). Now , we might not be talking about state secrets, and this may sound like another useless rant , but imagine if you will TIA's initiative to force isp's to sniff data for them , and a massive theft of supposed marketing data by a government agency. Also , I should mention that it isn't a flaw in the actual multicast providers I am attacking , but TiVo's ridiculous claim that they can "protect the information of individuals" over networks they have NO CONTROL OVER. sleep well -meme boi <snip> A video-on-demand broadcast will typically connect thousands of users to the same video source using multicasting techniques. Therefore, packet networks must accommodate both many-to-many and one-to-many models. http://www.atmforum.com/aboutatm/video.html#categories </end snip> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- TiVo , msn TV & Big Brother meme-boi (Jun 04)