[SE-2011-01] Security vulnerabilities in a digital satellite TV platform Jan 03 2012 05:51PM
Security Explorations (contact security-explorations com) (1 replies)
Re: [SE-2011-01] Security vulnerabilities in a digital satellite TV platform Jan 09 2012 07:02PM
Security Explorations (contact security-explorations com)

Dear Bugtraq,

I would like to clarify a few things with respect to information about
security vulnerabilities in a digital satellite TV platform published
by me on Bugtraq on Jan 03 2012.

The reason for it is that we've been receiving information that the
issues discovered were not clear enough for some audience. Thus, this

1) 24 vulnerabilities mentioned in the initial Bugtraq post and on our
website were discovered both in software and hardware.

The weaknesses found span across multiple vendors, whose software /
hardware products were used to create digital satellite platform "N".
The platform here has more generic meaning - it is about devices,
but also about network and services.

Profiles of the vendors that received our vulnerability notices differ
very much as illustrated below:
a) Onet.pl S.A (Internet company, runs one of the largest web portals
in Poland),
the company received information about 4 bugs,
b) Advanced Digital Broadcast (the Swiss maker of equipment needed
to view digital television, it developed investigated set-top-boxes
for ITI Neovision),
the company received information about 12 bugs,
c) STMicroelectronics (the Swiss semiconductor company),
the company received information about 3 bugs,
d) ITI Neovision (Polish digital satellite TV provider, one of the
major players in Poland),
the company received information about 2 bugs,
e) Conax AS (it provides conditional access system for satellite
the company received information about 2 bugs,
f) DreamLab Onet.pl S.A. (sister company of Onet.pl S.A., does many
software developments for Onet.pl S.A.),
the company received information about 1 bug,

In the group above, Advanced Digital Broadcast is the only set-top
box manufacturer and Security Explorations worked with their devices
only. These were set-top-box device models ITI5800S, ITI5800SX,
ITI2850ST and ITI2849ST. They all run dedicated Java middleware atop
of the OS.

Taking the above into account, Conax AS or Onet.pl S.A. should not be
identified as set-top-box manufacturers as they are not.

We identified 12 security issues in a set-top-box software. The
12 security issues found affect products / services of other companies.

2) as for now, this is the case about "multiple vulnerabilities in a
digital satellite TV platform", not about "Multiple Digital Satellite
TV Platforms".

Security Explorations worked with the equipment of only one digital
satellite TV operator (Platform "N").

Although we found some clues [1][2][3] that let us think that equipment
of some other digital satellite TV operators might be also vulnerable
to some of the issues found, we would not like to go that far with our
claims at the moment.

Information about the real impact of the flaws requires verification
with the vendors (set-top-box manufacturer and semiconductor company
in particular).

3) Security Explorations didn't release any proof of concept code for
the security issues discovered in a digital satellite TV platform.

There are pages dedicated to our proof of concept code at our website,
but these pages only describe the functionality of the PoC we developed
during our research and give some textual samples of its operation
(to be precise, some short MPEG captures of a real satellite TV
are also given). Nothing else was published with respect to the proof
of concept code at the moment.

4) Chipset pairing technology was invented to protect against hacking
satellite TV. Chipset pairing uniquely ties a given subscriber's
with a corresponding set-top-box equipment. The pairing has a form of a
cryptographic function. It is usually implemented in silicon (DVB
chipset). The goal of the latter is to prevent set-top-box hijacking
and unauthorized sharing / distribution of a satellite TV programming.

The weaknesses in a chipset pairing technology may be used by intruders
(or malware code) to silently share access to premium content (such as
HBO, Cinemax, BBC, Discovery, etc.) with other, non paying users. This
obviously poses a great security threat to the revenue of digital
TV operators and content providers.

We take this opportunity and would like to emphasize that the chipset
pairing attack was not our initial goal. We are not satellite TV
but security researchers.

I hope the above clarifications put more light into our research project and
that they help better understand the nature of security issues discovered.

Thank You.

Best Regards,
Adam Gowdiak

Security Explorations
"We bring security research to the new level"

[1] "STMicroelectronics Enables Dish TV Digital Set-Top Boxes as India's
Direct-To-Home Leader Targets Growth Through Innovation"


[2] "New Spanish Satellite Pay Platform Sets Launch Date"


[3] "STMicroelectronics Strengthens Position in Polish Direct-To-Home
Digital TV Arena with Latest High-Definition Set-Top-Box Design Win"

