Full Disclosure mailing list archives
[SE-2011-01] Regarding liabilities in SW / HW (ST chipsets flaws' case)
From: Security Explorations <contact () security-explorations com>
Date: Mon, 19 Feb 2018 14:58:08 +0100
Hello All,

Today, Security Explorations sent an official inquiry to NC+ operator regarding the replacement process of set-top-box devices conducted by the company in Poland (whether STBs vulnerable to STMicroelectronics vulnerabilities are replaced, whether the replacement process is required by content providers, how many vulnerable STB's got replaced, what were the costs incurred by end users, etc.).

NC+ fleet of STB's contains 4 models vulnerable to hardware flaws in ST DVB chipsets (secret and pairing key extraction making satellite TV piracy possible [1]).

NC+ is likely obliged to fulfill the requirements for high security of paid TV content posed by content providers. NC+ however encourages end users to replace old, vulnerable devices to new models for a monthly fee.

We believe this should not happen (the costs to deal with addressing security vulnerabilities is a liability of a vendor / STB manufacturer and/or an operator), not the end user (just think, VW diesel gate case).

Thus our official inquiry to NC+ along a note to the Polish Government authority responsible for consumer rights (UOkiK [2], which corresponds to FTC in the US).

This goes along our conclusion expressed during a JavaLand talk in 2016 (slide 53 [3]) after FTC started investigation against Oracle:

"Government authorities putting vendors to order over poor / deceptive security practices can pave the way for SW liabilities".

The status of the communication will be visible at our SE-2011-01 project pages:

http://www.security-explorations.com/en/SE-2011-01-status.html

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to a new level"
---------------------------------------------

[1] "Security vulnerabilities of Digital Video Broadcast chipsets", HITB Talk #2
    http://www.security-explorations.com/materials/se-2011-01-hitb2.pdf
[2] UOKiK - Office of Competition and Consumer Protection
    https://uokik.gov.pl/home.php
[3] Java in(security), JavaLand Conference, Mar 7-9, 2016, Bruhl, Germany
    http://www.security-explorations.com/materials/se-javaland.pdf

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/