[SRP-2018-02] Details of a vulnerability in STMicroelectronics' chipset

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello All,

Technical details of ST chipset vulnerability has been released
and are now included in our technical report pertaining to the
security of NC+ SAT TV platform.

As indicated last week, the release is made as a direct result
of no interest in this research.

Updated version of the report, associated Proof of Concept codes
and tools can be downloaded from SRP-2018-02 project location:

http://www.security-explorations.com/ncplus_sat_general_info.html

The final version of our report has 164 pages and contains several
updates with respect to the discovered vulnerabilities. These are
briefly described below.
1) we verified that client side security checks affected all
   available NC+ GO VOD content including premium movie rentals,
   a change of one JavaScript variable to false made it possible
   to get access to 700+ VOD rental movie without the need of
   any purchase / order,
2) we verified that the VOD order API accepted user provided
   price input, as a result orders accompanied by invalid price
   value (such as very small or excessively large) could be
   billed to completely unaware NC+ subscribers.

As for the ST chipset vulnerability, it is worth to note that it
is the 3rd vulnerability discovered in STi7111 DVB chipset used
to secure PayTV content. It could constitute a bypass of a fix /
mitigation for old ST flaws (those we found in 2012). Unfortunately,
we don't know this for sure as ST has been persistently refusing
to provide us with any details pertaining to the impact and fixing
process of the vulnerabilities from 2012.

The new ST vulnerability is related to the non-atomic loading
of crypto keys. The non-atomicity of a key loading operation
makes it possible to discover parts of secret key's content. As
a result, both chipset pairing key CWPK (that tie the smartcard
with a set-top-box device) and CW keys (that protect SAT signal
/ premium PayTV content) could be discovered.

We belive the new ST vulnerability is related to the design of
STi7111 chipset. The detailed reasoning behind this thesis is
included in the report. It probably cannot be fixed. It could
be only mitigated.

The final version of the report also contains information about
responses (or I should say their lack of) from ST long-standing
partners (TV operators, STB and CAS vendors) we inquired about
old ST vulnerabilities in a hope this would give us hints about
the nature and impact of the new ST chipset flaw.

Out of 20+ companies inquired only DirectTV (ATT), Irdeto and
Arris bothered to responded to our inquiries.

None of the companies inquired reveled whether they were affected
to old ST issues and whether the issues have been addressed in
their products (whether ST provided fixed, etc.).

Arris spokesperson asked twice for more time to respond (first to
investigate the issue, then to authorize the statement), just to
provide a generic sentence that did not refer in any way to our
inquiry.

Microsoft was not willing to comment on our claim that its DRM
(MS PlayReady) technology didn't matter much in the context of
a demonstrated STB compromise (and underlying ST chipset hack).

We also have asked several premium content providers such as HBO,
Disney and Vivendi for a comment with respect to the fact that
their content (broadcast TV signal and VOD assets) have not been
properly safeguarded in the environment of NC+ SAT TV operator.

As part of our inquiry, we provided HBO with a list of 9000+ HBO
movies (automatically generated in a form: original title, year
and duration) that could be accessed in an unauthorized manner
in the environment of NC+.

HBO response indicated that our message (and copyright violation
tip) were treated in terms of the unsolicited message and that we
should "not attempt to contact any other person at HBO".

It looks that when a large SAT TV operator is caught red-handed
(proven severe negligence regarding obligation to secure premium
content) HBO does not want to know / comment about it.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to a new level"
---------------------------------------------



[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux