Open Source and information security mailing list archives
Date: Wed, 13 Feb 2019 17:24:57 -0800
From: Security Explorations <>
Subject: Re: [FD] [SRP-2018-02] Security of NC+ SAT TV platform and ST

Hello All,

Due to no interest in our SAT TV security research, the remaining
bits of SRP-2018-02 material including the following:
- technical details of a new ST chipset vulnerability,
- Proof of Concept code for the above vulnerability,
- Proof of Concept codes for set-top-box and ST chipset access,
- SLIMCore assembler and compiler stubs generator tools,
- responses (or lack thereof) to our inquiries from 20+ companies
   (content providers, STB vendors and CAS vendors)

are scheduled to be released to the public next week.

Thank you.

Best Regards,
Adam Gowdiak

Security Explorations
"We bring security research to a new level"

On 22.01.2019 at 11:21, Security Explorations wrote:
> Hello All,
> The report presenting the results of our SRP-2018-02 research
> into security of a digital satellite TV platform NC+ [1] is
> now available to general public from the following location:
> In 2017 / 2018, we tried to obtain information regarding the
> impact and addressing of security weaknesses of STMicroelectronics
> chipsets [2]. We asked for the information at the chipset vendor
> and SAT TV operator in particular, but they were not willing to
> share any details with us. We also asked national CERTs
> from France, Italy and the US for help, but were ignored by all of them [3].
> The above lay at the base of a decision to make an attempt and
> acquire missing information on our own.
> In order to verify whether the vulnerabilities affecting ST DVB
> chipsets have been addressed in the environment of NC+ operator,
> we simply needed to completely break their security again.
> This goal was achieved and we again got access to NC+ set-top-boxes
> (OS root, JVM root, full kernel memory and ST chipset access) with
> the use of new vulnerabilities in Multiroom service and ST Linux
> device driver.
> We successfully verified that 7 years following the disclosure the
> issues affecting STMicroelectronics chipsets have not been addressed
> at all on vulnerable NC+ STB devices.
> Additionally, we discovered yet another vulnerability in what seems
> to be a fixed version of STi7111 chipset used by ITI-2851S device.
> As a result, the very same security compromise of Conax CAS [4]
> implementation with chipset pairing could be achieved as in 2012
> (plaintext values of CWPK and CW keys could be obtained).
> On top of that, we found several issues in the implementation of
> NC+ GO TV service (NC+ Internet VOD service) of which some dated
> back to 2012 (reported to the vendor, but ignored and not fixed).
> NC+ GO TV makes it possible to access VOD content on behalf of
> other subscribers and in some way on their cost as their paid
> subscriptions are abused for that purpose (their identities are
> spoofed). It also puts NC+ subscribers at risk of becoming a
> victim of fraudulent charges as VOD content could be purchased
> on their behalf and without their consent.
> It's not the worst thing when it comes to NC+ VOD implementation
> from a security point of view. Content providers might be a little
> bit shocked to learn that in NC+ environment all security related
> access checks to VOD content are conducted on a client side (in
> the web browser app). What this means is that a compromise of NC+
> STB device opens access to all of its VOD collections (including
> premium one such as HBO, Canal+ VOD, Disney, etc.).
> The published report contains detailed technical description of
> unpublished discovered security weaknesses and their exploitation
> techniques with respect to ADB set-top-box devices [5], ST Linux
> and Internet VOD services used by a digital satellite TV provider
> NC+.
> At the end, we would like to emphasize that vulnerabilities,
> attacks and techniques described in this research should not be
> treated as complete. There were many topics we decided not to
> include in a final version of this already overlong paper. This
> includes, but is not limited to, some confirmed vulnerabilities,
> existing tools or attack ideas pertaining to MS Play Ready,
> VOD services (NC+ and HB GO), ST chipset and Conax CAS.
> Regardless of the above, we hope the research in its current
> form still constitutes a valuable contribution and perspective
> (along with an interesting read) pertaining to the area of a SAT TV
> security and its current state of the art.
> Thank you.
> Best Regards,
> Adam Gowdiak
> ---------------------------------------------
> Security Explorations
> "We bring security research to a new level"
> ---------------------------------------------
> References:
> [1] NC+
> [2] Security vulnerabilities of Digital Video Broadcast chipsets, HITB talk #2
> [3] Digital satellite TV platform, Vendors status
> [4] Conax CAS
> [5] Advanced Digital Broadcast SA

Sent through the Full Disclosure mailing list