lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Jan 2019 11:21:41 -0800 From: Security Explorations <contact@...urity-explorations.com> To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org Subject: [SRP-2018-02] Security of NC+ SAT TV platform and ST chipsets Hello All, The report presenting the results of our SRP-2018-02 research into security of a digital satellite TV platform NC+ [1] is now available to general public from the following location: http://www.security-explorations.com/ncplus_sat_general_info.html In 2017 / 2018, we tried to obtain information regarding the impact and addressing of security weaknesses of STMicroelectronics chipsets [2]. We asked for the information at the chipset vendor and SAT TV operator in particular, but they were not willing to share any details with us. We also asked for help national CERTs from France, Italy and the US, but were ignored by all of them [3]. The above lied at the base of a decision to make an attempt and acquire missing information on our own. In order to verify whether the vulnerabilities affecting ST DVB chipsets have been addressed in the environment of NC+ operator, we simply needed to completely break their security again. This goal was achieved and we again got access to NC+ set-top-boxes (OS root, JVM root, full kernel memory and ST chipset access) with the use of new vulnerabilities in Multiroom service and ST Linux device driver. We successfully verified that 7 years following the disclosure the issues affecting STMicroelectronics chipsets have not been addressed at all on vulnerable NC+ STB devices. Additionally, we discovered yet another vulnerability in what seems to be a fixed version of STi7111 chipset used by ITI-2851S device. As a result, the very same security compromise of Conax CAS [4] implementation with chipset pairing could be achieved as in 2012 (plaintext values of CWPK and CW keys could be obtained). On top of that, we found several issues in the implementation of NC+ GO TV service (NC+ Internet VOD service) of which some dated back to 2012 (reported to the vendor, but ignored and not fixed). NC+ GO TV makes it possible to access VOD content on behalf of other subscribers and in some way on their cost as their paid subscriptions are abused for that purpose (their identities are spoofed). It also puts NC+ subscribers at risk of becoming a victim of a fraudulent charges as VOD content could be purchased on their behalf and without their consent. It's not the worst thing when it comes to NC+ VOD implementaiton from a security point of view. Content providers might be a little bit shocked to learn that in NC+ environment all security related access checks to VOD content are conducted on a client side (in the web browser app). What this means is that a compromise of NC+ STB device opens access to all of its VOD collections (including premium one such as HBO, Canal+ VOD, Disney, etc.). The published report contains detailed technical description of unpublished discovered security weaknesses and their exploitation techniques with respect to ADB set-top-box devices [5], ST Linux and Internet VOD services used by a digital satellite TV provider NC+. At the end, we would like to emphasize that vulnerabilities, attacks and techniques described in this research should not be treated as complete. There were many topics we decided not to include in a final version of this already overlong paper. This include, but is not limited to some confirmed vulnerabilities, existing tools or attack ideas pertaining to MS Play Ready, VOD services (NC+ and HB GO), ST chipset and Conax CAS. Regardless of the above, we hope the research in its current form still constitutes a valuable contribution and perspective (along an interesting read) pertaining to the area of a SAT TV security and its current state of the art. Thank you. Best Regards, Adam Gowdiak --------------------------------------------- Security Explorations http://www.security-explorations.com "We bring security research to a new level" --------------------------------------------- References: [1] NC+ https://ncplus.pl/ [2] Security vulnerabilities of Digital Video Broadcast chipsets, HITB talk #2 http://www.security-explorations.com/materials/se-2011-01-hitb2.pdf [3] Digital satellite TV platform, Vendors status http://www.security-explorations.com/tv_platform_vendors.html [4] Conax CAS https://dtv.nagra.com/ [5] Advanced Digital Broadcast SA https://www.adbglobal.com
Powered by blists - more mailing lists