Hello All, Technical details of ST chipset vulnerability has been released and are now included in our technical report pertaining to the security of NC+ SAT TV platform. As indicated last week, the release is made as a direct result of no interest in this research. Updated version of the report, associated Proof of Concept codes and tools can be downloaded from SRP-2018-02 project location: http://www.security-explorations.com/ncplus_sat_general_info.html The final version of our report has 164 pages and contains several updates with respect to the discovered vulnerabilities. These are briefly described below. 1) we verified that client side security checks affected all available NC+ GO VOD content including premium movie rentals, a change of one JavaScript variable to false made it possible to get access to 700+ VOD rental movie without the need of any purchase / order, 2) we verified that the VOD order API accepted user provided price input, as a result orders accompanied by invalid price value (such as very small or excessively large) could be billed to completely unaware NC+ subscribers. As for the ST chipset vulnerability, it is worth to note that it is the 3rd vulnerability discovered in STi7111 DVB chipset used to secure PayTV content. It could constitute a bypass of a fix / mitigation for old ST flaws (those we found in 2012). Unfortunately, we don't know this for sure as ST has been persistently refusing to provide us with any details pertaining to the impact and fixing process of the vulnerabilities from 2012. The new ST vulnerability is related to the non-atomic loading of crypto keys. The non-atomicity of a key loading operation makes it possible to discover parts of secret key's content. As a result, both chipset pairing key CWPK (that tie the smartcard with a set-top-box device) and CW keys (that protect SAT signal / premium PayTV content) could be discovered. We belive the new ST vulnerability is related to the design of STi7111 chipset. The detailed reasoning behind this thesis is included in the report. It probably cannot be fixed. It could be only mitigated. The final version of the report also contains information about responses (or I should say their lack of) from ST long-standing partners (TV operators, STB and CAS vendors) we inquired about old ST vulnerabilities in a hope this would give us hints about the nature and impact of the new ST chipset flaw. Out of 20+ companies inquired only DirectTV (ATT), Irdeto and Arris bothered to responded to our inquiries. None of the companies inquired reveled whether they were affected to old ST issues and whether the issues have been addressed in their products (whether ST provided fixed, etc.). Arris spokesperson asked twice for more time to respond (first to investigate the issue, then to authorize the statement), just to provide a generic sentence that did not refer in any way to our inquiry. Microsoft was not willing to comment on our claim that its DRM (MS PlayReady) technology didn't matter much in the context of a demonstrated STB compromise (and underlying ST chipset hack). We also have asked several premium content providers such as HBO, Disney and Vivendi for a comment with respect to the fact that their content (broadcast TV signal and VOD assets) have not been properly safeguarded in the environment of NC+ SAT TV operator. As part of our inquiry, we provided HBO with a list of 9000+ HBO movies (automatically generated in a form: original title, year and duration) that could be accessed in an unauthorized manner in the environment of NC+. HBO response indicated that our message (and copyright violation tip) were treated in terms of the unsolicited message and that we should "not attempt to contact any other person at HBO". It looks that when a large SAT TV operator is caught red-handed (proven severe negligence regarding obligation to secure premium content) HBO does not want to know / comment about it. Thank you. Best Regards, Adam Gowdiak --------------------------------------------- Security Explorations http://www.security-explorations.com "We bring security research to a new level" ---------------------------------------------
