[SRP-2018-01] Reverse engineering tools for ST DVB chipsets (public- release)

From: Security Explorations <contact@security-explorations.com>
To: bugtraq@securityfocus.com,fulldisclosure@seclists.org
Cc:
Subject: [SRP-2018-01] Reverse engineering tools for ST DVB chipsets (public- release)
Date:



Hello All,

We have decided to release to the public domain our SRP-2018-01 security
research project related to the security of STMicroelectronics chipsets.

The research material (70+ pages long technical paper accompanied by two
reverse engineering tools) can be downloaded from the SRP section of our
portal (Past SRP materials):

http://www.security-explorations.com/en/srp.html

The release of SRP-2018-01 is a direct consequence of the following:
1) no response to our inquiries regarding the impact of ST issues from
    a SAT TV ecosystem [1] (STMicroelectronics, NC+, Canal+, Vivendi),
2) no will to provide assistance to obtain information pertaining to
    the impact and addressing [2] of the issues from STMicroelectronics,
    we asked for help CERT-FR (French governmental CSIRT), IT-CERT (CERT
    Nazionale Italia) and US-CERT (US government CERT), but all of them
    stopped responding to our messages [1],
3) a statement received from a major vendor in a SAT TV CAS / security
    field indicating that its "goal is to remove the marketplace from
    our materials",
4) us completely breaking security of ADB [3] set-top-boxes in use by
    NC+ SAT TV platform (Canal Digital makes use of similar boxes) and
    gaining access to vulnerable ST chipsets again [4] (we verified that
    6 years following the disclosure Canal+ owned NC+ still relies on /
    offers to customers STBs vulnerable to ST flaws, which likely violates
    security requirements of agreements signed with content providers).

In that context, we see no reason to continue keeping SRP-2018-01 material
under wraps.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to a new level"
---------------------------------------------

References:
[1] SE-2011-01 Vendors status
     http://www.security-explorations.com/en/SE-2011-01-status.html
[2] The origin and impact of security vulnerabilities in ST chipsets
     http://www.security-explorations.com/materials/se-2011-01-st-impact.pdf
[3] ADB
     https://www.adbglobal.com/
[4] SRP-2018-02 Exploitation Framework for STMicroelectronics DVB chipsets
     http://www.security-explorations.com/materials/SRP-2018-02.pdf





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.