lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 22 Jan 2019 11:21:41 -0800
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] [SRP-2018-02] Security of NC+ SAT TV platform and ST chipsets


Hello All,

The report presenting the results of our SRP-2018-02 research
into security of a digital satellite TV platform NC+ [1] is
now available to general public from the following location:

http://www.security-explorations.com/ncplus_sat_general_info.html

In 2017 / 2018, we tried to obtain information regarding the
impact and addressing of security weaknesses of STMicroelectronics
chipsets [2]. We asked for the information at the chipset vendor
and SAT TV operator in particular, but they were not willing to
share any details with us. We also asked for help national CERTs
from France, Italy and the US, but were ignored by all of them [3].

The above lied at the base of a decision to make an attempt and
acquire missing information on our own.

In order to verify whether the vulnerabilities affecting ST DVB
chipsets have been addressed in the environment of NC+ operator,
we simply needed to completely break their security again.

This goal was achieved and we again got access to NC+ set-top-boxes
(OS root, JVM root, full kernel memory and ST chipset access) with
the use of new vulnerabilities in Multiroom service and ST Linux
device driver.

We successfully verified that 7 years following the disclosure the
issues affecting STMicroelectronics chipsets have not been addressed
at all on vulnerable NC+ STB devices.

Additionally, we discovered yet another vulnerability in what seems
to be a fixed version of STi7111 chipset used by ITI-2851S device.
As a result, the very same security compromise of Conax CAS [4]
implementation with chipset pairing could be achieved as in 2012
(plaintext values of CWPK and CW keys could be obtained).

On top of that, we found several issues in the implementation of
NC+ GO TV service (NC+ Internet VOD service) of which some dated
back to 2012 (reported to the vendor, but ignored and not fixed).

NC+ GO TV makes it possible to access VOD content on behalf of
other subscribers and in some way on their cost as their paid
subscriptions are abused for that purpose (their identities are
spoofed). It also puts NC+ subscribers at risk of becoming a
victim of a fraudulent charges as VOD content could be purchased
on their behalf and without their consent.

It's not the worst thing when it comes to NC+ VOD implementaiton
from a security point of view. Content providers might be a little
bit shocked to learn that in NC+ environment all security related
access checks to VOD content are conducted on a client side (in
the web browser app). What this means is that a compromise of NC+
STB device opens access to all of its VOD collections (including
premium one such as HBO, Canal+ VOD, Disney, etc.).

The published report contains detailed technical description of
unpublished discovered security weaknesses and their exploitation
techniques with respect to ADB set-top-box devices [5], ST Linux
and Internet VOD services used by a digital satellite TV provider
NC+.

At the end, we would like to emphasize that vulnerabilities,
attacks and techniques described in this research should not be
treated as complete. There were many topics we decided not to
include in a final version of this already overlong paper. This
include, but is not limited to some confirmed  vulnerabilities,
existing tools or attack ideas pertaining to MS Play Ready,
VOD services (NC+ and HB GO), ST chipset and Conax CAS.

Regardless of the above, we hope the research in its current
form still constitutes a valuable contribution and perspective
(along an interesting read) pertaining to the area of a SAT TV
security and its current state of the art.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to a new level"
---------------------------------------------

References:
[1] NC+
     https://ncplus.pl/
[2] Security vulnerabilities of Digital Video Broadcast chipsets, HITB 
talk #2
http://www.security-explorations.com/materials/se-2011-01-hitb2.pdf
[3] Digital satellite TV platform, Vendors status
     http://www.security-explorations.com/tv_platform_vendors.html
[4] Conax CAS
     https://dtv.nagra.com/
[5] Advanced Digital Broadcast SA
     https://www.adbglobal.com


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists