lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 13 Feb 2019 17:24:57 -0800
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: Re: [FD] [SRP-2018-02] Security of NC+ SAT TV platform and ST
	chipsets


Hello All,

Due to no interest in our SAT TV security research, the remaining
bits of SRP-2018-02 material including the following:
- technical details of a new ST chipset vulnerability,
- Proof of Concept code for the above vulnerability,
- Proof of Concept codes for set-top-box and ST chipset access,
- SLIMCore assembler and compiler stubs generator tools,
- responses (or their lack of) to our inquiries from 20+ companies
   (content providers, STB vendors and CAS vendors)

are scheduled to be released to the public next week.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to a new level"
---------------------------------------------

W dniu 22.01.2019 o 11:21, Security Explorations pisze:
>
> Hello All,
>
> The report presenting the results of our SRP-2018-02 research
> into security of a digital satellite TV platform NC+ [1] is
> now available to general public from the following location:
>
> http://www.security-explorations.com/ncplus_sat_general_info.html
>
> In 2017 / 2018, we tried to obtain information regarding the
> impact and addressing of security weaknesses of STMicroelectronics
> chipsets [2]. We asked for the information at the chipset vendor
> and SAT TV operator in particular, but they were not willing to
> share any details with us. We also asked for help national CERTs
> from France, Italy and the US, but were ignored by all of them [3].
>
> The above lied at the base of a decision to make an attempt and
> acquire missing information on our own.
>
> In order to verify whether the vulnerabilities affecting ST DVB
> chipsets have been addressed in the environment of NC+ operator,
> we simply needed to completely break their security again.
>
> This goal was achieved and we again got access to NC+ set-top-boxes
> (OS root, JVM root, full kernel memory and ST chipset access) with
> the use of new vulnerabilities in Multiroom service and ST Linux
> device driver.
>
> We successfully verified that 7 years following the disclosure the
> issues affecting STMicroelectronics chipsets have not been addressed
> at all on vulnerable NC+ STB devices.
>
> Additionally, we discovered yet another vulnerability in what seems
> to be a fixed version of STi7111 chipset used by ITI-2851S device.
> As a result, the very same security compromise of Conax CAS [4]
> implementation with chipset pairing could be achieved as in 2012
> (plaintext values of CWPK and CW keys could be obtained).
>
> On top of that, we found several issues in the implementation of
> NC+ GO TV service (NC+ Internet VOD service) of which some dated
> back to 2012 (reported to the vendor, but ignored and not fixed).
>
> NC+ GO TV makes it possible to access VOD content on behalf of
> other subscribers and in some way on their cost as their paid
> subscriptions are abused for that purpose (their identities are
> spoofed). It also puts NC+ subscribers at risk of becoming a
> victim of a fraudulent charges as VOD content could be purchased
> on their behalf and without their consent.
>
> It's not the worst thing when it comes to NC+ VOD implementaiton
> from a security point of view. Content providers might be a little
> bit shocked to learn that in NC+ environment all security related
> access checks to VOD content are conducted on a client side (in
> the web browser app). What this means is that a compromise of NC+
> STB device opens access to all of its VOD collections (including
> premium one such as HBO, Canal+ VOD, Disney, etc.).
>
> The published report contains detailed technical description of
> unpublished discovered security weaknesses and their exploitation
> techniques with respect to ADB set-top-box devices [5], ST Linux
> and Internet VOD services used by a digital satellite TV provider
> NC+.
>
> At the end, we would like to emphasize that vulnerabilities,
> attacks and techniques described in this research should not be
> treated as complete. There were many topics we decided not to
> include in a final version of this already overlong paper. This
> include, but is not limited to some confirmed  vulnerabilities,
> existing tools or attack ideas pertaining to MS Play Ready,
> VOD services (NC+ and HB GO), ST chipset and Conax CAS.
>
> Regardless of the above, we hope the research in its current
> form still constitutes a valuable contribution and perspective
> (along an interesting read) pertaining to the area of a SAT TV
> security and its current state of the art.
>
> Thank you.
>
> Best Regards,
> Adam Gowdiak
>
> ---------------------------------------------
> Security Explorations
> http://www.security-explorations.com
> "We bring security research to a new level"
> ---------------------------------------------
>
> References:
> [1] NC+
>     https://ncplus.pl/
> [2] Security vulnerabilities of Digital Video Broadcast chipsets, HITB 
> talk #2
> http://www.security-explorations.com/materials/se-2011-01-hitb2.pdf
> [3] Digital satellite TV platform, Vendors status
>     http://www.security-explorations.com/tv_platform_vendors.html
> [4] Conax CAS
>     https://dtv.nagra.com/
> [5] Advanced Digital Broadcast SA
>     https://www.adbglobal.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists