Re: [NOISE] Cable-TV-Piracy-Punks
"David K. Merriman" <merriman@arn.net> writes:
At 01:34 AM 03/28/96 +0000, you wrote:
I've been looking for a file on how to make PPV descramblers and havn't found any. Commercial descramblers cost around $200 base price. If anyone has a file on how to make them please e-mail me one. Thanks.
This is cypherpunks. Not Cable-TV-Piracy-Punks.
ObCrypto: Scrambling TV signals sometimes makes use of encryption, so perhaps a brief discussion of how this is done could be tolerated.
If you are talking about recovering signals from completely encrypted digital MPEG-2 streams, such as those used by the DBS folks, you are probably out of luck. The relevant processing in the decoder exists on a small card which has so far resisted attempts at reverse engineering.
The DSS smart card has been reverse-engineered for at least six months now and pirate devices are in the market. The encryption used on those systems is good but it does not stand up to a well financed attack. In the European version of the system, the encryption routines were using a hashing function. The input packet also carried the authorisation data so it was using this as an input packet. The DSS routine is probably based on a similar hashing routine.
There are a variety of techniques for scrambling audio. The most expensive is to DES encrypt the sound and place it in the horizontal blanking interval. The regular sound channel can then be used for advertising. This requires a bit of processing at both ends, and is generally used for satellite to ground transmission of cable signals. The other common method is to modulate the sound on a subcarrier, usually the one transmitted in phase with the missing sync.
Using DES to encrypt the audio on the fly is an old technique and was used in the VideoCipher II system. Most of the more recent systems use a PRNBSG EXORed with the digital audio data stream.
Of course, once television transmission goes completely digital, and strong encryption is used on both audio and video, the opportunity for such simple attacks will vanish.
The problem of piracy will still exist on digital systems. The DSS system is a completely digital system and it too is hacked. Admittedly some of the elements of security in the DSS are good, most can be rendered void by hackers. The problem for DSS is that the smart card they used is not secure enough. It was a Motorola 6805 type. What appears to be the pattern with the hacks on more recent smart card systems is an inversion of the original pattern on the simple analogue systems. The original pattern was that some hobbyists would figure out how to hack the system and then the hack would be commercialised. With the smart card hacks - the pattern is inverted so that it becomes a trickle down pattern. The professional hackers reverse and emulate the smart card and then the code is sometimes hacked from the emulator card and then distributed among hobbyists. The most dangerous thing in all this is that the smart cards that have been hacked in Pay TV systems throughout the world are also used in other applications. The expertise and the knowledge of reversing smart cards is now more common in the Pay TV piracy business. There is always the possibility that these skills could be applied elsewhere. Regards...jmcc ******************************************** John McCormac * Hack Watch News jmcc@hackwatch.com * 22 Viewmount, Voice&Fax: +353-51-73640 * Waterford, BBS: +353-51-50143 * Ireland ******************************************** -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQCNAzAYPNsAAAEEAPGTHaNyitUTNAwF8BU6mF5PcbLQXdeuHf3xT6UOL+/Od+z+ ZOCAx8Ka9LJBjuQYw8hlqvTV5kceLlrP2HPqmk7YPOw1fQWlpTJof+ZMCxEVd1Qz TRet2vS/kiRQRYvKOaxoJhqIzUr1g3ovBnIdpKeo4KKULz9XKuxCgZsuLKkVAAUX tCJKb2huIE1jQ29ybWFjIDxqbWNjQGhhY2t3YXRjaC5jb20+tBJqbWNjQGhhY2t3 YXRjaC5jb20= =sTfy -----END PGP PUBLIC KEY BLOCK-----
kooltek@iol.ie (Hack Watch News) writes:
The DSS smart card has been reverse-engineered for at least six months now and pirate devices are in the market. The encryption used on those systems is good but it does not stand up to a well financed attack.
This is indeed good news. I haven't followed the satellite wars for a while, and although I was aware that the earlier European system had been broken, I didn't know that the one used by the DSS folks had by now also met a similar fate. This is interesting, since the technology to do unbreakable encryption and authorization certainly exists. Perhaps the DSS folks should have brought in a few Cypherpunks as quality control consultants. :)
Using DES to encrypt the audio on the fly is an old technique and was used in the VideoCipher II system. Most of the more recent systems use a PRNBSG EXORed with the digital audio data stream.
Again, it's been a while since I looked at the industry, but I was under the impression that the VideoCipher II was still used by Satellite dish owners to receive CNN, HBO, SHO, TMC, and the rest of the ordinary analog pay cable channels. Has everyone now been forced to upgrade to something "new and improved?"
The problem of piracy will still exist on digital systems. The DSS system is a completely digital system and it too is hacked.
Digital systems eliminate the main drawback of analog ones for using cryptography, namely that there is no way to strongly encrypt the video and ship it out using the same modulation technique which originally encoded it. Once you have both audio and video streams in digital form, having ones encryption "hacked" is more a function of cluelessness on the part of those engineering the encryption and authentication mechanism than some latent vulnerability on the part of the technology. I'm really surprised that DSS got hacked, given that the hacking of the European digital system was well known while DSS was being constructed. Sounds like a very slow learning curve somewhere in the engineering process.
Admittedly some of the elements of security in the DSS are good, most can be rendered void by hackers. The problem for DSS is that the smart card they used is not secure enough. It was a Motorola 6805 type. What appears to be the pattern with the hacks on more recent smart card systems is an inversion of the original pattern on the simple analogue systems. The original pattern was that some hobbyists would figure out how to hack the system and then the hack would be commercialised. With the smart card hacks - the pattern is inverted so that it becomes a trickle down pattern. The professional hackers reverse and emulate the smart card and then the code is sometimes hacked from the emulator card and then distributed among hobbyists.
In a well engineered smart card system for authorizing individual viewers of a digital audio/video stream, each card contains a unique serial number and a random cryptographic key stored during the manufacturing process in a manner which cannot be obtained even by destructive reverse engineering of a particular card. The originating system then uses this information to embed messages in the transmitted data stream permitting individual cards to decrypt and recover the random and frequently changing session key with which the channel bitstream has been strongly encrypted. If such a system has been properly implemented, all the specifications for it should be able to be published without compromising it. Emulators for the software used in the cards shouldn't be a problem as long as serial#/key pairs for specific cards are not disclosed.
The most dangerous thing in all this is that the smart cards that have been hacked in Pay TV systems throughout the world are also used in other applications. The expertise and the knowledge of reversing smart cards is now more common in the Pay TV piracy business. There is always the possibility that these skills could be applied elsewhere.
Perhaps in the private sector, where snake oil abounds. I suspect military types do things a bit more cleverly than the prior scenario implies. BTW - what is the legal status of hacking DSS? It's not like cable, where you are tapping into a municipal service illegally. You own the dish, the decoder, and the photons with which the satellite is irradiating your back yard. Can the government really regulate how you choose to process photons found on your own private property with equipment you own? Have there been any test cases? -- Mike Duvos $ PGP 2.6 Public Key available $ mpd@netcom.com $ via Finger. $
Mike Duvos writes:
Once you have both audio and video streams in digital form, having ones encryption "hacked" is more a function of cluelessness on the part of those engineering the encryption and authentication mechanism than some latent vulnerability on the part of the technology.
Not true at all, Mike. Consider the threat model. You have a single satelite sending out a single encrypted stream to millions of people. Your goal is to let some people view the signal and others not view the signal in spite of the fact that some of the people viewing the signal might be willing to leak information (such as the keys!) to the people who aren't supposed to view it. In other words, you are trying to do something that no amount of technology can really do. At best, by using enough tamperproof equipment you can stave off the inevitable for a while. Perry
The big latent assumption here being that you have only one-way communication with the subscribers. DSS has a modem. It could get a new key from a distribution center frequently - i.e. every day. Then the pirates would somehow have to update their keys daily, in real time. Once we have live packet communication (cable modems or ISDN D-channel, for example) the keys can be changed minute by minute, if necessary. Each new-key request is checked with a digital signature from the box's key, and the KDC will not accept two requests for the same key. If you clone the box, one or the other won't get a key. The pirates will have to run their own network parallel to the legitimate one to distribute the keys. Therefore piracy requires an ongoing organization, and is subject to being tracked down. Mike
Mike Duvos writes:
Once you have both audio and video streams in digital form, having ones encryption "hacked" is more a function of cluelessness on the part of those engineering the encryption and authentication mechanism than some latent vulnerability on the part of the technology.
Not true at all, Mike. Consider the threat model.
You have a single satelite sending out a single encrypted stream to millions of people. Your goal is to let some people view the signal and others not view the signal in spite of the fact that some of the people viewing the signal might be willing to leak information (such as the keys!) to the people who aren't supposed to view it.
In other words, you are trying to do something that no amount of technology can really do. At best, by using enough tamperproof equipment you can stave off the inevitable for a while.
Perry
Mike Ingle writes:
The big latent assumption here being that you have only one-way communication with the subscribers. DSS has a modem.
I am assuming that you mean that DSS has a phone line attached and can call home. If this is merely a two way satelite communication it isn't useful for this purpose.
It could get a new key from a distribution center frequently - i.e. every day. Then the pirates would somehow have to update their keys daily, in real time.
You mean, perhaps the pirates would have to distribute keys over the internet or some such? How horrid. The problem is, as I said, insoluble. You cannot defend against hostile users of the system because each user gets the same encrypted data stream.
Once we have live packet communication (cable modems or ISDN D-channel, for example) the keys can be changed minute by minute, if necessary.
And could be updated to millions of people getting the signal illegally via the same mechanism.
The pirates will have to run their own network parallel to the legitimate one to distribute the keys. Therefore piracy requires an ongoing organization, and is subject to being tracked down.
No one said it wasn't subject to being tracked down, although the use of offshore packet laundries might make it hard. Cellphone fraud is subject to being tracked down, too, and yet it happens to the tune of billions a year. Perry
"Perry E. Metzger" <perry@piermont.com> writes:
Not true at all, Mike. Consider the threat model.
You have a single satelite sending out a single encrypted stream to millions of people.
That is correct.
Your goal is to let some people view the signal and others not view the signal...
That is also correct.
...in spite of the fact that some of the people viewing the signal might be willing to leak information (such as the keys!) to the people who aren't supposed to view it.
Certainly anyone authorized to view the program can "leak" that program to other users. Indeed, with the European system, people have set up transmitters which simply run off a decoder that subscribes to every program. Not exactly subtle, but in jurisdictions where such activity carries no significant legal sanctions, an efficient approach to the problem. Much like the case of sending an encrypted PGP message to multiple recipients. One or more of the legitimate recipients can tell others what the message says. Not a negative reflection on the strength of PGP, and certainly not something I spend a lot of time worrying about. In the system I described, a person might make a lower bandwidth attempt to defeat the system by leaking either the periodically changing random session key used to encrypt the video stream, or the unique cryptographic key belonging to a particular smart card authorized to view the program. We have postulated that the latter is not recoverable even by destructive reverse engineering of a specific card, and were such information to be compromised upstream where the programming originates, it would only be necessary to reissue new cards to the affected subscribers and cancel the old ones. Leakage of the periodically changing random session key directly would require significant surgery to a working smart card, although it might be recovered by tapping appropriate points in the circuitry. However, anyone using such information for unauthorized reception would require a constant connection to a provider to continually update the key, which would be awkward, and not likely to be done by a large population of people in a way which was inconspicuous to LEAs. I can't imagine that a significant market for pirate equipment could be built around any of the attacks described above. Indeed, a significant market exists only for ersatz smartcards which a person can purchase for a fixed price, stick in their decoder, and then forget about. The system I described would certainly preclude such a device from being built. I spent a bit of time on the Web last night reading up on the various attacks which were mounted against DSS and the earlier European VideoCrypt system. The implementors put what they though were a lot of cute features into the cards, including the ability to reprogram them from upstream when software updates were needed. Unfortunately, rather than relying totally upon strong cryptography within a tamperproof module, they also employed easily forged checksums to validate commands sent to the cards, and "security through obscurity" as to what those commands were. The ultimate result was that the cards were being updated with new software almost constantly, and the hackers were issuing updates to the pirate versions within hours each time this was done. Given the way the system had been implemented, there was really no way prevent this from happening.
In other words, you are trying to do something that no amount of technology can really do. At best, by using enough tamperproof equipment you can stave off the inevitable for a while.
If what you are trying to do is make sure no subscriber will ever disclose, by any means, the contents of a program to a non-subscriber, then of course you are right. There is no technology which can prevent this. If, on the other hand, you wish to prevent clever engineers from looking at the system with instrumentation, and then trotting off and stamping out millions of their own smart cards, which interoperate with the legitimate ones and decode all programming transmitted, this is something that can certainly be done by using strong cryptography correctly. It is this latter goal which the VideoCrypt system, and now apparently the DSS one as well, failed to accomplish. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd@netcom.com $ via Finger. $
Mike Duvos writes:
In the system I described, a person might make a lower bandwidth attempt to defeat the system by leaking either the periodically changing random session key used to encrypt the video stream, or the unique cryptographic key belonging to a particular smart card authorized to view the program. We have postulated that the latter is not recoverable even by destructive reverse engineering of a specific card,
Why not? If the card knows its own key, then someone else can probably get the key out by some nasty mechanism. .pm
.pm writes:
Why not? If the card knows its own key, then someone else can probably get the key out by some nasty mechanism.
One of the earliest breaks of the Videocipher II analog satellite descrambler back in 1986 was based on twidling with the timing and electrical characteristics of the chip clock on the supposedly tamperproof TMS 7000 crypto microprocessor until it stared to misexecute instructions. By chance, some PROM code that allowed reading the secret seed keys used by each individual box to decode master keying messages addressed to it happened to be a few instructions after some other code normally accessible by issuing commands to the chip. One kept issuing those commands while corrupting the clock until the chip misexecuted the branch at the end of the public code and fell into the otherwise inaccessible code that allowed access to the seed keys. So yes, this has already been done in one real case of cryptosystem defeat. For a while, it was the standard method of obtaining seed keys from VC-II boards. Later versions of the ROM code removed that vulnerability. Dave
participants (5)
-
Dave Emery -
kooltek@iol.ie -
Mike Ingle -
mpd@netcom.com -
Perry E. Metzger