lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 08 Jun 2018 09:16:19 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] [SRP-2018-01] Reverse engineering tools for ST DVB chipsets
 (public release)


Hello All,

We have decided to release to the public domain our SRP-2018-01 security
research project related to the security of STMicroelectronics chipsets.

The research material (70+ pages long technical paper accompanied by two
reverse engineering tools) can be downloaded from the SRP section of our
portal (Past SRP materials):

http://www.security-explorations.com/en/srp.html

The release of SRP-2018-01 is a direct consequence of the following:
1) no response to our inquiries regarding the impact of ST issues from
    a SAT TV ecosystem [1] (STMicroelectronics, NC+, Canal+, Vivendi),
2) no will to provide assistance to obtain information pertaining to
    the impact and addressing [2] of the issues from STMicroelectronics,
    we asked for help CERT-FR (French governmental CSIRT), IT-CERT (CERT
    Nazionale Italia) and US-CERT (US government CERT), but all of them
    stopped responding to our messages [1],
3) a statement received from a major vendor in a SAT TV CAS / security
    field indicating that its "goal is to remove the marketplace from
    our materials",
4) us completely breaking security of ADB [3] set-top-boxes in use by
    NC+ SAT TV platform (Canal Digital makes use of similar boxes) and
    gaining access to vulnerable ST chipsets again [4] (we verified that
    6 years following the disclosure Canal+ owned NC+ still relies on /
    offers to customers STBs vulnerable to ST flaws, which likely violates
    security requirements of agreements signed with content providers).

In that context, we see no reason to continue keeping SRP-2018-01 material
under wraps.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to a new level"
---------------------------------------------

References:
[1] SE-2011-01 Vendors status
     http://www.security-explorations.com/en/SE-2011-01-status.html
[2] The origin and impact of security vulnerabilities in ST chipsets
     http://www.security-explorations.com/materials/se-2011-01-st-impact.pdf
[3] ADB
     https://www.adbglobal.com/
[4] SRP-2018-02 Exploitation Framework for STMicroelectronics DVB chipsets
     http://www.security-explorations.com/materials/SRP-2018-02.pdf


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists