Hello All,
We have published an initial document describing the origin and impact
of the vulnerabilities discovered in ST chipsets along some rationale
indicating why it's worth to dig further into this case:
http://www.security-explorations.com/materials/se-2011-01-st-impact.pdf
This document is a work in progress. As such, it will be updated once
new information is acquired regarding the impact of the issues found.
ST vulnerabilities are still a mystery to many and we keep receiving
inquiries about them regardless of the fact that almost 6 years had
passed since the disclosure. STMicroelectronics, although out of STB
and DVB chipset business, has not provided us with any details regarding
the impact of the issues found.
We have reasons to believe that vulnerable IP (TKD Crypto core of STi7111
SoC) might be part of other ST chipsets and/or part of other vendors'
solutions, not necessarily related to PayTV industry (e-passports, banking
cards and SIM cards).
We have reasons to believe that ST actions were aimed to hide the impact
of the issues found, that company's shareholders were not aware of these
vulnerabilities, their impact and associated liabilities. We have reasons
to believe that the issues have not been resolved up to this day.
In Mar 2018, we asked CERT-FR (French governmental CSIRT) and IT-CERT
(CERT Nazionale Italia) for assistance aimed at obtaining information
from STMicroelectronics regarding security issues found in their chipsets
(ST is a French-Italian company and both French and Italian governments
hold 13.8% of its stake each). For some unknown reason, both CERTs have
stopped responding to our messages [1]. We are still to hear from US-CERT.
Over the last 20+ years, we have been dealing with various vendors and
ecosystems (desktop, cloud, mobile, etc.). The case of STMicroelectronics
vulnerabilities is however truly unique as we have never met with such
a persistent and long-term refusal to provide information pertaining to
the impact and addressing of security vulnerabilities found.
The usual "crisis management" conducted by vendors for disclosures of high
impact flaws involve carefully-worded statements indicating that the issues
affect older products only or in case of low / limited impact flaws, a
vendor
usually publishes a list of vulnerable products to clearly emphasize the
low nature of the issues found.
ST refusal to provide any information pertaining to the impact of the flaws
found in its chipsets can be perceived in terms of intentionally hiding the
impact of a much larger magnitude than anticipated by the reporting party,
customers or the public. It could be that these actions are aimed at
avoiding
the liabilities associated with manufacturing flawed products, the costs of
their recalls and/or replacements.
ST has all the means to end any speculation pertaining to the nature of the
issues found in its chipsets and their impact by simply delivering clear
impact information to general public (vulnerable chipset models, whether
vulnerable IP is used in other products, possible remediation steps, etc).
Security Explorations will continue engaging various entities such as
US-CERT
in a goal to acquire accurate information pertaining to the impact and
addressing
of ST vulnerabilities. The newly published document and our SE-2011-01
Vendor
Status page will reflect any new information acquired and the steps taken to
obtain it.
We are also ready to release to the public all unpublished bits
pertaining to
our research of ST chipsets such as SRP-2018-01 [2] material if deemed
necessary.
Thank you.
Best Regards,
Adam Gowdiak
---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to a new level"
---------------------------------------------
References:
[1] SE-2011-01 Vendors status
http://www.security-explorations.com/en/SE-2011-01-status.html
[2] SRP-2018-01 Reverse engineering tools for ST DVB chipsets
http://www.security-explorations.com/materials/SRP-2018-01.pdf
