Bugtraq mailing list archives
Re: [SE-2011-01] Security vulnerabilities in a digital satellite TV platform
From: Security Explorations <contact () security-explorations com>
Date: Mon, 09 Jan 2012 20:02:14 +0100
Dear Bugtraq,

I would like to clarify a few things with respect to information about security vulnerabilities in a digital satellite TV platform published by me on Bugtraq on Jan 03 2012. The reason for it is that we've been receiving information that the issues discovered were not clear enough for some audience. Thus, this post.

1) 24 vulnerabilities mentioned in the initial Bugtraq post and on our website were discovered both in software and hardware. The weaknesses found span across multiple vendors, whose software / hardware products were used to create digital satellite platform "N". The platform here has more generic meaning - it is about devices, but also about network and services. Profiles of the vendors that received our vulnerability notices differ very much as illustrated below:

a) Onet.pl S.A (Internet company, runs one of the largest web portals in Poland), the company received information about 4 bugs,
b) Advanced Digital Broadcast (the Swiss maker of equipment needed to view digital television, it developed investigated set-top-boxes for ITI Neovision), the company received information about 12 bugs,
c) STMicroelectronics (the Swiss semiconductor company), the company received information about 3 bugs,
d) ITI Neovision (Polish digital satellite TV provider, one of the major players in Poland), the company received information about 2 bugs,
e) Conax AS (it provides conditional access system for satellite TV), the company received information about 2 bugs,
f) DreamLab Onet.pl S.A. (sister company of Onet.pl S.A., does many software developments for Onet.pl S.A.), the company received information about 1 bug.

In the group above, Advanced Digital Broadcast is the only set-top box manufacturer and Security Explorations worked with their devices only. These were set-top-box device models ITI5800S, ITI5800SX, ITI2850ST and ITI2849ST. They all run dedicated Java middleware atop of the OS.

Taking the above into account, Conax AS or Onet.pl S.A. should not be identified as set-top-box manufacturers as they are not. We identified 12 security issues in a set-top-box software. The remaining 12 security issues found affect products / services of other companies.

2) as for now, this is the case about "multiple vulnerabilities in a digital satellite TV platform", not about "Multiple Digital Satellite TV Platforms". Security Explorations worked with the equipment of only one digital satellite TV operator (Platform "N"). Although we found some clues [1][2][3] that let us think that equipment of some other digital satellite TV operators might be also vulnerable to some of the issues found, we would not like to go that far with our claims at the moment. Information about the real impact of the flaws requires verification with the vendors (set-top-box manufacturer and semiconductor company in particular).

3) Security Explorations didn't release any proof of concept code for the security issues discovered in a digital satellite TV platform. There are pages dedicated to our proof of concept code at our website, but these pages only describe the functionality of the PoC we developed during our research and give some textual samples of its operation (to be precise, some short MPEG captures of a real satellite TV programming are also given). Nothing else was published with respect to the proof of concept code at the moment.

4) Chipset pairing technology was invented to protect against hacking satellite TV. Chipset pairing uniquely ties a given subscriber's smartcard with a corresponding set-top-box equipment. The pairing has a form of a cryptographic function. It is usually implemented in a silicon (DVB chipset). The goal of the latter is to prevent set-top-box hijacking and unauthorized sharing / distribution of a satellite TV programming.

The weaknesses in a chipset pairing technology may be used by intruders (or malware code) to silently share access to premium content (such as HBO, Cinemax, BBC, Discovery, etc.) with other, non paying users. This obviously poses a great security threat to the revenue of digital satellite TV operators and content providers.

We take this opportunity and would like to emphasize that the chipset pairing attack was not our initial goal. We are not satellite TV pirates, but security researchers.

I hope the above clarifications put more light into our research project and that they help better understand the nature of security issues discovered.

Thank You.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] "STMicroelectronics Enables Dish TV Digital Set-Top Boxes as India’s Direct-To-Home Leader Targets Growth Through Innovation" (http://www.prnewswire.com/news-releases/stmicroelectronics-enables-dish-tv-digital-set-top-boxes-as-indias-direct-to-home-leader-targets-growth-through-innovation-99769204.html)
[2] "New Spanish Satellite Pay Platform Sets Launch Date" (http://www.isuppli.com/Media-Research/MarketWatch/Pages/New-Spanish-Satellite-Pay-Platform-Sets-Launch-Date.aspx)
[3] "STMicroelectronics Strengthens Position in Polish Direct-To-Home Digital TV Arena with Latest High-Definition Set-Top-Box Design Win" (http://www.prnewswire.com/news-releases/stmicroelectronics-strengthens-position-in-polish-direct-to-home-digital-tv-arena-with-latest-high-definition-set-top-box-design-win-102437724.html)