Media Receiver 500 Sat Hack


Satellite television is prevalent in Europe and Northern Africa. This is delivered through a Set Top Box (STB) which uses a card reader to decode the scrambled satellite signals. You need to buy a card if you want to watch. But you know how people like to get something for nothing. This is being exploited by hackers and the result is millions of these Set Top Boxes just waiting to form into botnets.

This was the topic of Sofiane Talmat’s talk at DEF CON 23. He also gave this talk earlier in the week at BlackHat.


The hardware in satellite receivers is running Linux. They use a card reader to pull in a Code Word (CW) which decodes the signal coming in through the satellite radio. An entire black market has grown up around these Code Words. Instead of purchasing a valid card, people are installing plugins from the Internet which cause the system to phone into a server which will supply valid Code Words. This is known as “card sharing”. On the user side of things this just works; the user watches TV for free. It might cause more crashes than normal, but the stock software is buggy anyway so this isn’t a major regression.


The problem is that now these people have exposed a network-connected Linux box to the Internet and installed non-verified code from disreputable sources to run on the thing. Sofiane demonstrated how little you need to know about this system to create a botnet:

- Build a plugin in C/C++
- Host a card-sharing server
- Botnet victims come to you (profit)

It is literally that easy. The toolchain to compile the STLinux binaries (gcc) is available in the Linux repos. The STB will look for a “bin” directory on a USB thumb drive at boot time; the binary in that folder will be automatically installed.

Since the user is getting free TV they voluntarily install this malware.

Here’s a prime example of why you always want to verify the checksum when you download software to install on your own system. Sofiane researched the “same” software package for card sharing across many download sites on the internet and there were multiple different checksums. The assumption is that these are carrying different malware payloads.

In addition to this easy exploit, the boxes are broken by design anyway.
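The checksum comparison described above, as an added example that is not from the talk or the original post: it hashes copies of the “same” package fetched from several sites, groups them by SHA-256 and rejects any copy that does not match a reference digest. The site labels, file contents and the `compare_copies` helper are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash in chunks so a large image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copies(downloads, trusted_sha256=None):
    """Map of source label -> file path in, (groups, rejected) out."""
    groups = defaultdict(list)
    for source, path in downloads.items():
        groups[sha256_file(path)].append(source)
    rejected = []
    for digest, sources in groups.items():
        if trusted_sha256 is None:
            # No reference value: if the sites disagree, at least one copy
            # was altered and there is no way to tell which one is clean.
            if len(groups) > 1:
                rejected.extend(sources)
        elif not hmac.compare_digest(digest, trusted_sha256.lower()):
            rejected.extend(sources)
    return dict(groups), sorted(rejected)


def demo(with_reference=True):
    # Constructed sample: three copies of one package, one with bytes appended.
    original = b"\x7fELF constructed plugin body"
    copies = {"site-a": original, "site-b": original,
              "site-c": original + b" appended payload"}
    with tempfile.TemporaryDirectory() as tmp:
        files = {}
        for name, body in copies.items():
            files[name] = Path(tmp, name + ".bin")
            files[name].write_bytes(body)
        trusted = hashlib.sha256(original).hexdigest() if with_reference else None
        return compare_copies(files, trusted)


if __name__ == "__main__":
    print(demo())
```

Copies that agree with each other but have no trusted reference are not rejected here; agreement between mirrors only shows they serve the same bytes, not that those bytes are clean.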

There are no firewalls, there are secondary root accounts (backdoors), there are FTP servers running by default with root privileges and no password. The most laughable vulnerability for me is that updates from the manufacturer don’t do anything to patch or improve the OS, they’re 100% user experience updates.
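A defender's audit for the weaknesses listed above, run against files taken from an unpacked firmware image (an added example, not code from the talk or the post). It assumes the usual `passwd`/`shadow` formats and that FTP is started from an `inetd.conf` entry; the sample file contents are constructed.

```python
# Constructed sample files (made-up names), as read from an unpacked image.
PASSWD = """root:x:0:0:root:/root:/bin/sh
support::0:0:vendor:/root:/bin/sh
ftp:x:14:50:ftp:/var/ftp:/bin/false
"""
SHADOW = """root::10933:0:99999:7:::
ftp:*:10933:0:99999:7:::
"""
INETD = "ftp stream tcp nowait root /usr/sbin/ftpd ftpd -w /\n"
NOLOGIN = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")


def audit_accounts(passwd_text, shadow_text=""):
    """Flag UID 0 accounts other than root and empty-password logins."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    findings = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        name, pw, uid, shell = fields[0], fields[1], fields[2], fields[6]
        if pw == "x":  # "x" means the hash is stored in the shadow file
            pw = shadow.get(name, "x")
        if uid == "0" and name != "root":
            findings.append((name, "secondary UID 0 account"))
        if pw == "" and shell not in NOLOGIN:
            findings.append((name, "empty password with login shell"))
    return findings


def audit_inetd(inetd_text):
    """Flag an inetd-launched FTP service that runs as root."""
    findings = []
    for line in inetd_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        user = fields[4].replace(":", ".").split(".")[0]  # user[.group]
        if fields[0] == "ftp" and user == "root":
            findings.append(("ftp", "FTP service running as root"))
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(PASSWD, SHADOW) + audit_inetd(INETD):
        print(finding)
```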

The BusyBox build running on the demo machine was from 2012 and has multiple known vulnerabilities. Even if you don’t want to use a card sharing service, the device can be compromised just by being connected to the Internet.

This talk was presented in the IoT village, not on a main stage. This is a great example of why you should take these talks seriously. You’ll get a much grittier explanation and demonstration of the hacks than on the highly-polished “Track” talks. You also have the opportunity to ask questions and it’s less likely people will be asking questions just to hear themselves talk (which happens far too often here).


This is the year 2015, which came after the year 2014. That was the year that Telekom, Germany’s ex-monopolist and still biggest ISP, announced they will have a 176GB/month/customer cap. So much for IPTV for you and your family. Of course, as people mentioned, this only applies to you if you live in a city; rural areas and even parts of town that don’t have the highest population density often get only 1 or 2 Mbps, still. And this is high-tech paradise Germany, of course.

(We really suck compared to other European countries, but then again, we’re not a country with low population density, so things aren’t quite catastrophic around here) Good luck getting IPTV-capable ISP in the rural parts of former Eastern Germany and if that’s even possible, at a price nearly competitive to just Satellite TV (which, by the way, doesn’t require code cards — it’s free to watch, aside from the few channels that are not, and they don’t have a significant market share aside from specific sports). So, ok, I have 16Mb/s up and 2Mb/s down, living in a 300kPeople city. My father lives in a 100kPeople part of an 1.6MPeople city. And he gets a friggin 6MS/s down on the paper, only that it’s more like 2MS/s normally. Again, this is a 1Million people city. Friends of mine who come from rural parts (Schwarzwald/Black Forest) often only got “DSL lite” at home, aka 384 kb/s or 768 kb/s, depending on how far out your home is. Law has it that the companies that bought LTE spectrum licenses must reach rural areas first where there is no broadband fixed internet, but of course lobbying led to legislation forgetting to specify what bandwidth that actually would imply; not to mention, of course, that 3GB/month high speed internet is extremely costly, so this would not even be an option if the LTE coverage would exist.

Satellite dishes are a very common phenomenon in cities, especially in apartment towers with lower rent; that might have something to do with families with migration background wanting to watch “home” TV, but the percentage of flats with dishes in my perception is higher than the percentage of immigrants, usually (notice: I’m not a walking statistics tool, so take this with a grain of salt). You might consider this calculation, valid for where I’m from:

- cable contract: 18,90€ /month (minimum contract duration 12 mo)
- single time activation: 30€
- no hardware included, but most TVs nowadays can deal with DVB-C directly

hence: cost of one year ownership: 256.80€. Channels: 7 “serious, non infomercial” HD channels, and about 34 relevant SD channels, not counting these that are also available in HD.

So, comparing this to satellite TV (excuse me if my prices are high, I’m not good at getting “bad deals”, but I’m trying to figure out what my dad would spend if he went out and bought something like this; and he’s definitely relatively tech-savvy and won’t buy all the bullshit the guy at the store tries to sell him):

- no contract, no activation
- satellite dish: 60cm ca 50€ (saturn.de)
- LNB: 10€
- lots and lots of coax cable: 30€

Price of one year of ownership: ca 90€. Number of channels: around all there are? You do the math. I’m not watching any TV, so it’s the first time I calculated this. I can’t just believe how bad it is.

On the other hand, you can also get internet through your TV cable (again, not in remote locations), and I used to have that, but then I cancelled my contract, because they didn’t manage to get reliability up, just because they tried to cram too many users into too little backbone. When a caterpillar damaged one cable, about half a million households were offline; when I learned that there was absolutely zero redundancy, it was time to leave, since I earn my money partly through being able to access the net.

Sigh. If only German politicians read these comments. They really don’t realize that fast internet is neither impossible nor a negligible competitional advantage. I actually know of a company that had to relocate their accounting in the late 90’s because there literally was no access better than ISDN (64kb/s, or aggregate lines) available at the place, just because 20 or so employees needed Email access at once, and occasionally had to send technical documents. Nowadays it’s the same business: photographs and advertisement agencies can’t be operated from the outskirts of cities, let alone villages (which is the biggest bullshit), and companies right in the center of Munich pay 200+ €/Month for a little more than 50Mb/s, and still experienced multiple days of downtime during the three months I worked there. Great for a company that mainly works by writing emails, researching stuff on the internet and having Voip calls.

I get 50 Mbit cable a month with a 300GB “usage guideline”. It’s not a cap, as you don’t get cut off or charged more, BUT if you exceed it for 3 months, you are forced to the next higher tier ($50/mo up to $75/mo for I think 70Mbit with a 400 GB “data guideline”). It kinda makes me thankful for having a 720p TV and an old 480p TV and older Roku so that we can at least stream a reasonable amount of shows.

My wife’s PC though streams at the HQ 1080p as you can’t set resolution on the Netflix app which eats through bandwidth like a teenager through a plate of pizza rolls. BTW, I know about the Low, Med, High settings, but I don’t want to limit everything to DVD quality. If there was a limit to 720p setting, I might consider that.

Working in an industry that deploys embedded Linux (not entertainment), I see this lack of regard for security all around me; the assumption that if the network is private it can’t be hacked, or no-one would be interested in hacking a low volume industrial embedded controller anyway. The motivation is very much getting product developed as quickly as possible which goes a long way to justifying use of multi-user Linux: It’s very easy to build and get working vs. some closed source offerings (at the expense of very roughly double the memory footprint of the better commercial embedded OSs once a reasonable rootfs is built). What would be nice to have is peer reviewed best practices for hardening embedded Linux, providing update mechanisms, field logging and debugging, etc that everyone can adhere to without having to try and reinvent the wheel.

Read the hackaday article about gaining access by means of employing badly (or not at all) sandboxed game scripts? Imagine if someone who developed browsers said something like “Ok, this browser will only be used on machines that are especially well-equipped with CPU and probably have a very solid internet access bandwidth, ah and people will probably save their credit card data in this browser to pay for addons. I think we can clearly label this as uninteresting for attacks!”. That’s exactly what’s been happening to embedded systems in the last 10 years.

Luckily many router manufacturers have understood that and actually try to make their firmware safe. Of course, there’s exceptions. ISP branded firmware coders, I’m looking at you.

Yes, the one that the O2 DSL support team officially recommends using Internet Explorer to administrate the HTML interface. Because IE ignores the “SEGMENTATION FAULT” that comes before the start of the HTML document ON EVERY SINGLE PAGE. I guess it’s not critical to O2, because it only hits a few thousand people.

This doesn’t affect people who’ve got the genuine boxes. They aren’t even connected to the internet. To the phone line sometimes (only if you pay to have more than one box in your house – they are programmed to occasionally ring home, just to check that you haven’t taken one round your friend’s house), but I’ve never heard of an autodialling botnet. The only people who will get caught out are those who have bought the dodgy Chinese receivers designed pretty much exclusively for this.

I suspect that the numbers are in the tens of thousands at the most, since the fact that you have to connect to some mystery remote server every few seconds just to watch TV scares off a lot of people. It’s nowhere near as anonymous as paying cash to buy a blackmarket card from a bloke in the pub. If satellite viewers in Europe still have the right to buy a common access module to use whichever receiver they like then that is CW security out the window in those countries. It can’t be enforced by law. The main providers in the UK are seeking security through chain of trust from a CPU embedded secure bootloader handing over ultimately to signed middleware.

It’s not completely secure yet, but it’s everything bad about security through obscurity. More so this bothers me a lot. I’m buying a computer and I’m not able to change the OS.

If Microsoft was doing this there would be rioting. We are moving toward an internet centric media. Big providers like Amazon and Google are competing for space under our TVs and they are doing so with ever more generic hardware and a focus for ease of access to build subscribers. Right now two paths are diverging and I’m not sure I want to be on either of them.

Scary, I had one of the first ST7100 based boxes available in NA. In the latest round of piracy killing methods (2008) hackers realized that emulating the new smartcards on the STB wasn’t going to be practical, so they went back to smart card sharing, in real time, over the internet. There are likely millions of these STBs.

Normally a satellite provider will only allow up to 6 smartcards per account. One of those cards could provide code words for 20 STBs. Multiple providers on one box. 5000 channels. They spent billions trying to stamp out satellite piracy, there were a couple boxes that had working fixes before the latest smartcard solution was fully implemented.

The fix has worked for years. Hackers even hacked a router to facilitate this process. Jung Kwak made millions, until he got caught and they RICO’d his Lamborghini.

Greetings from South Korea.

At home, I consistently get around 3550 Mbps download speeds, and with 250+ channel IPTV, I pay probably around US$35 a month for two set-top boxes for the 2 TVs at home. I can’t imagine paying hundreds of dollars for internet and cable. Granted, Korea has very high population density, one of the highest in the world, but competition between 3 major providers has brought the price down.

You usually sign up for a 3 year contract, at which point, most people switch to a different provider. ISPs give away cash and gift certificates amounting to anywhere from US$300 to US$400 to new subscribers to poach from other ISPs, so on average, spreading this out to 3 years, most people end up paying around US$2530 per month for cable and internet, and internet phone can be added for a few dollars as well.