Re: [SE-2011-01] Security vulnerabilities in a digital satellite TV platform

From: Security Explorations <>

Dear Bugtraq,

I would like to clarify a few things with respect to information about
security vulnerabilities in a digital satellite TV platform published
by me on Bugtraq on Jan 03 2012.

The reason for it is that we've been receiving information that the
issues discovered were not clear enough for some audience. Thus, this

1) 24 vulnerabilities mentioned in the initial Bugtraq post and on our
    website were discovered both in software and hardware.

    The weaknesses found span across multiple vendors, whose software /
    hardware products were used to create digital satellite platform "N".
    The platform here has more generic meaning - it is about devices,
    but also about network and services.

    Profiles of the vendors that received our vulnerability notices differ
    very much as illustrated below:
    a) S.A (Internet company, runs one of the largest web portals
       in Poland),
       the company received information about 4 bugs,
    b) Advanced Digital Broadcast (the Swiss maker of equipment needed
       to view digital television, it developed investigated set-top-boxes
       for ITI Neovision),
       the company received information about 12 bugs,
    c) STMicroelectronics (the Swiss semiconductor company),
       the company received information about 3 bugs,
    d) ITI Neovision (Polish digital satellite TV provider, one of the
       major players in Poland),
       the company received information about 2 bugs,
    e) Conax AS (it provides conditional access system for satellite
       the company received information about 2 bugs,
    f) DreamLab S.A. (sister company of S.A., does many
       software developments for S.A.),
       the company received information about 1 bug,

    In the group above, Advanced Digital Broadcast is the only set-top
    box manufacturer and Security Explorations worked with their devices
    only. These were set-top-box device models ITI5800S, ITI5800SX,
    ITI2850ST and ITI2849ST. They all run dedicated Java middleware atop
    of the OS.

    Taking the above into account, Conax AS or S.A. should not be
    identified as set-top-box manufacturers as they are not.

    We identified 12 security issues in a set-top-box software. The 
    12 security issues found affect products / services of other companies.

2) as for now, this is the case about "multiple vulnerabilities in a
    digital satellite TV platform", not about "Multiple Digital Satellite
    TV Platforms".

    Security Explorations worked with the equipment of only one digital
    satellite TV operator (Platform "N").

    Although we found some clues [1][2][3] that let us think that equipment
    of some other digital satellite TV operators might be also vulnerable
    to some of the issues found, we would not like to go that far with our
    claims at the moment.

    Information about the real impact of the flaws requires verification
    with the vendors (set-top-box manufacturer and semiconductor company
    in particular).

3) Security Explorations didn't release any proof of concept code for
    the security issues discovered in a digital satellite TV platform.

    There are pages dedicated to our proof of concept code at our website,
    but these pages only describe the functionality of the PoC we developed
    during our research and give some textual samples of its operation
    (to be precise, some short MPEG captures of a real satellite TV 
    are also given). Nothing else was published with respect to the proof
    of concept code at the moment.

4) Chipset pairing technology was invented to protect against hacking
    satellite TV. Chipset pairing uniquely ties a given subscriber's 
    with a corresponding set-top-box equipment. The pairing has a form of a
    cryptographic function. It is usually implemented in a silicon (DVB
    chipset). The goal of the latter is to prevent set-top-box hijacking
    and unauthorized sharing / distribution of a satellite TV programming.

    The weaknesses in a chipset pairing technology may be used by intruders
    (or malware code) to silently share access to premium content (such as
    HBO, Cinemax, BBC, Discovery, etc.) with other, non paying users. This
    obviously poses a great security threat to the revenue of digital 
    TV operators and content providers.

    We take this opportunity and would like to emphasize that the chipset
    pairing attack was not our initial goal. We are not satellite TV 
    but security researchers.

I hope the above clarifications put more light into our research project and
that they help better understand the nature of security issues discovered.

Thank You.

Best Regards,
Adam Gowdiak

Security Explorations
"We bring security research to the new level"

[1] "STMicroelectronics Enables Dish TV Digital Set-Top Boxes as India’s
Direct-To-Home Leader Targets Growth Through Innovation"


[2] "New Spanish Satellite Pay Platform Sets Launch Date"


[3] "STMicroelectronics Strengthens Position in Polish Direct-To-Home 
Digital TV Arena with Latest High-Definition Set-Top-Box Design Win"

