[SE-2011-01] Security vulnerabilities in a digital satellite TV platform

From: Security Explorations <contact@security-explorations.com>
To: bugtraq@securityfocus.com
Subject: [SE-2011-01] Security vulnerabilities in a digital satellite TV platform

Dear Bugtraq,

The following information might be of interest for the readers of this

Security Explorations, a security and vulnerability research company
from Poland, discovered multiple security vulnerabilities in the major
polish digital satellite platform "N" [1]. The most serious of the
24 weaknesses uncovered allows for a remote attack against network
connected, satellite set-top-box equipment and for the persistent and
automatic malware code installation on it. As a result, full control
over the vulnerable set-top-box devices can be gained by attackers,
which could conduct all sorts of malicious activities on them. This
in particular includes unauthorized capture and sharing of a digital
satellite TV signal with arbitrary (non-paying) audience.

The latter turned out to be possible regardless of the advanced security
mechanisms such as Conax conditional access system [2][3] with chipset
pairing [4] implemented by the investigated set-top-boxes (ITI5800S,
ITI5800SX, ITI2850ST, ITI2849ST). The goal of the chipset pairing is
to prevent set-top-box hijacking and unauthorized sharing / distribution
of a satellite programming.

Security Explorations discovered several security weaknesses in the
implementation of the chipset pairing functionality used by the
aforementioned devices.

This is the first time, real malware threat is being demonstrated in
the context of a digital satellite TV platform. This is also the first
time successful attack against digital satellite set-top-box equipment
implementing Conax conditional access system with advanced cryptographic
pairing function is presented. The attack is achieved regardless of
the fact that all Conax Pairing set-top boxes / secure DVB chipsets
undergo a "rigorous evaluation and testing regime" [5].

More information about this project can be found at:

Best Regards
Adam Gowdiak

Security Explorations
"We bring security research to the new level"


[1] Digital satellite platform "N" (http://n.pl)
[2] Conax AS                       (http://www.conax.com/)
[3] Conditional Access System 
[4] Conax chipset pairing 
[5] Conax Client Device Security 

Copyright © 1995-2020 LinuxRocket.net. All rights reserved.