lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 08 Jun 2018 09:16:19 +0200
From: Security Explorations <>
Subject: [FD] [SRP-2018-01] Reverse engineering tools for ST DVB chipsets
 (public release)

Hello All,

We have decided to release to the public domain our SRP-2018-01 security
research project related to the security of STMicroelectronics chipsets.

The research material (70+ pages long technical paper accompanied by two
reverse engineering tools) can be downloaded from the SRP section of our
portal (Past SRP materials):

The release of SRP-2018-01 is a direct consequence of the following:
1) no response to our inquiries regarding the impact of ST issues from
    a SAT TV ecosystem [1] (STMicroelectronics, NC+, Canal+, Vivendi),
2) no will to provide assistance to obtain information pertaining to
    the impact and addressing [2] of the issues from STMicroelectronics,
    we asked for help CERT-FR (French governmental CSIRT), IT-CERT (CERT
    Nazionale Italia) and US-CERT (US government CERT), but all of them
    stopped responding to our messages [1],
3) a statement received from a major vendor in a SAT TV CAS / security
    field indicating that its "goal is to remove the marketplace from
    our materials",
4) us completely breaking security of ADB [3] set-top-boxes in use by
    NC+ SAT TV platform (Canal Digital makes use of similar boxes) and
    gaining access to vulnerable ST chipsets again [4] (we verified that
    6 years following the disclosure Canal+ owned NC+ still relies on /
    offers to customers STBs vulnerable to ST flaws, which likely violates
    security requirements of agreements signed with content providers).

In that context, we see no reason to continue keeping SRP-2018-01 material
under wraps.

Thank you.

Best Regards,
Adam Gowdiak

Security Explorations
"We bring security research to a new level"

[1] SE-2011-01 Vendors status
[2] The origin and impact of security vulnerabilities in ST chipsets
[3] ADB
[4] SRP-2018-02 Exploitation Framework for STMicroelectronics DVB chipsets

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists