[FD] [SE-2011-01] Regarding liabilities in SW / HW (ST chipsets flaws' case)
- From: Security Explorations <contact AT security-explorations.com>
- Subject: [FD] [SE-2011-01] Regarding liabilities in SW / HW (ST chipsets flaws' case)
- Date: Mon, 19 Feb 2018 14:58:08 +0100
- Sender: "Fulldisclosure" <fulldisclosure-bounces AT seclists.org>
- To: bugtraq AT securityfocus.com, fulldisclosure AT seclists.org
Today, Security Explorations sent an official inquiry to the NC+ operator
regarding the replacement process of set-top-box devices conducted by
the company in Poland (whether STBs vulnerable to the STMicroelectronics
flaws are being replaced, whether the replacement process is required
by content providers, how many vulnerable STBs have been replaced,
what costs were incurred by end users, etc.).
The NC+ fleet of STBs contains 4 models vulnerable to hardware flaws in
ST DVB chipsets (secret and pairing key extraction, making satellite TV
piracy possible).
NC+ is likely obliged to fulfill the requirements for high security of
paid TV content imposed by content providers. NC+, however, encourages end
users to replace old, vulnerable devices with new models for a monthly
We believe this should not happen: the cost of addressing security
vulnerabilities is a liability of the vendor / STB manufacturer and/or the
operator, not of the end user (just think of the VW Dieselgate case).
Hence our official inquiry to NC+, along with a note to the Polish government
authority responsible for consumer rights (UOKiK, which corresponds
to the FTC in the US).
This is in line with our conclusion expressed during a JavaLand talk in 2016
(slide 53), after the FTC started an investigation against Oracle:
"Government authorities putting vendors to order over poor / deceptive
security practices can pave the way for SW liabilities".
The status of the communication will be visible at our SE-2011-01 project
"We bring security research to a new level"
 "Security vulnerabilities of Digital Video Broadcast chipsets", HITB
 UOKiK - Office of Competition and Consumer Protection
 Java in(security), JavaLand Conference, Mar 7-9, 2016, Bruhl, Germany
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/