[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] [SE-2011-01] A security issue with a Multiroom service of NC+ SAT TV platform

Hello All,

A couple of weeks ago, Platform NC+ [1], one of the major digital SAT
TV providers in Poland issued an official message [2] to subscribers
about the policy of content security. Among other things, the following
statements were included in it:

"Platform nc+ as a technology leader in the market and an operator with
a rich program offer conducts many activities aimed at providing a high
security of the offered content".

"In order to fulfill the requirements of content providers, platform nc+
is obliged to completely secure the Multiroom service".

We decided to have a look underneath the implementation of the security
of Multiroom service and found out that the above claims hardly reflect
the reality.

More specifically we discovered that a shared AES key used to secure the
Multiroom service of NC+ operator can be discovered. This is due to the
1) MPEG broadcast stream containing SSU image for certain NC+ devices is
   not encrypted (software upgrade image can be downloaded regardless of
   the presence of a Conax card in the STB device - there is no need to
   decrypt MPEG stream with the use of Control Words).
2) software upgrade image for ITI-5800S Multiroom client device, although
   encrypted can be easily decrypted (in 2012, we published information
   about plaintext SW upgrade keys being broadcasted along the upgrade
   image [3][4], this issue hasn't been addressed),
3) ITI-5800s upgrade file embeds Compressed ROMFS image containing root
   filesystem for ITI-5800S device, this image can be extracted under
   Linux OS,
4) the binary of a main STB application embeds a custom Java File System
   (ROMFS), which can be also successfully extracted / unpacked,
5) ROMFS filesystem contains obfuscated Java classes of which one includes
   a hardcoded initialization vector and AES key used to secure Multiroom
   service of NC+ operator (this key is used to encrypt / decrypt a file
   carrying authorization data for a client device).

Full report along a Proof of Concept code illustrating our findings can be
downloaded from the following locations:


We usually follow our Disclosure Policy [5] (modified recently to reflect
SRP research [6]) when it comes to reporting and disclosing vulnerabilities.
We do not when experiencing issues like that [7]:

"Vendors not responding to our email messages for 7+ days:
- Advanced Digital Broadcast (set-top-box vendor)
  awaiting response to the message from 11-Jan-2012
- ITI Neovision (SAT TV operator)
  awaiting response to the message from 01-Feb-2012".

Thank you.

Best Regards,
Adam Gowdiak

Security Explorations
"We bring security research to a new level"

[1] NC+ Platform
[2] Polityka Zabezpieczenia Treści
[3] SE-2011-01 Issues #5-16,#25-32 (Advanced Digital Broadcast),
[4] "Security threats in the world of digital satellite television”
[5] Security Explorations - Disclosure Policy
[6] Security Research Program
[7] SE-2011-01 Vendors status

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/