All demos are available here: http://vimeo.com/113053663
This is part of my DVB-C research, presented at , Nullcon, Ekoparty, HITB and GOS. In this paper we try to understand the Digital Video Broadcasting standard and to find security vulnerabilities in the design and implementation of DVB-C infrastructure.
7. Agenda
• Analog Cable Networks.
  Architecture
  Introduction and Attacks
• Digital Cable Networks.
  Migration from Analog to Digital
  Digital Network architecture
  Application and Network layer bugs
8. Analog Cable Network: The Basics
• FM Modulation and Broadcasting [TV Station]
• Antenna Farm [Cable Operator End]
• IRD - Integrated Receiver Decoders.
• Local cable network.
• TV
9. Analog Cable Network
[Diagram: Home TV, Local Cable TV Operator, Decoder Unit, QAM Signal, Amplifier, Optical Fiber, Coaxial Cables]
15. QAM: Quadrature amplitude modulation
• Analog + Digital Modulation
• Modulates the amplitudes of analog waves, using AM
• Modulates the amplitudes of digital waves, using ASK
• Modulated waves are summed
• Amplified and distributed via optic fiber
Source: http://en.wikipedia.org/wiki/Quadrature_amplitude_modulation
18. Cable Operation
• Each channel received would be on a particular frequency.
• Cable operators could modulate it to any frequency.
• FDMA is used to send all the different channels to users.
• The transmission medium is Radio over Fiber.
• The TV tunes to each individual frequency and decodes it to audio and video.
19. Attacking Analog Network
[Diagram: Home TV, Local Cable TV Operator, Decoder Unit, QAM Signal, Amplifier, Optical Fiber, Coaxial Cables; MITM point marked on the cable path]
20. MITM:~ Local Cable Operator$
• Easy MITM: No Encryption in Analog Network
• Physical access = Free cable connection.
Or
• You can even Broadcast your own signals.
21. DTK: Our MITM unit Operator end:~ Devices used
• Optical Receiver
• Optical to Coaxial
• RF modulator
• Amplifier
• Signal Tap
Total: 80 USD
23. Local cable operator
• Fiber optic is fast and reliable but expensive.
• Doing a man-in-the-middle on fiber optic is expensive [at least for us].
• Local cable admins convert the optical input to coaxial.
• Coaxial cable could be easily tapped.
Optical Receiver:~
26. The Process:~ For example
• BBC News would be on frequency A and Fox News on frequency B.
• Both these frequency signals are sent over coaxial cable.
• The TV knows how to decode each frequency.
• So channel no. 1 would be pre-set to display BBC [Frequency A] and channel no. 2 would be set to display "FOX NEWS" [Frequency B].
• As a hacker, if I need to replace channels, one possibility is to do a man-in-the-middle attack and modulate my videos onto the Star Movies frequency.
28. Avoiding Collision
• Let us shut down the original signal source.
• Shutting down the entire signal source will stop all the channels.
• Signal cutter to the rescue – block Fox News only.
• Introduce our video on the Fox News frequency.
30. Digital TV Introduction
• In December 2011, the Lok Sabha passed the Cable Television Networks (Regulation) Amendment Bill.
• Under the Act the addressable system may only transmit encrypted signals.
• So with this Act it is mandatory to install set-top boxes in every house for decoding the transmitted signals.
31. Digital TV Introduction
• Cable TV operators and customers upgrade to DVB-C or IP networks, which can now transmit encrypted signals.
• The DVB-C standard [Conditional Access] is an access control mechanism.
• IPTV networks are traditional TCP/IP stacks.
• Now signals are encrypted or scrambled before being sent on the wire.
• A set-top box device is needed to de-scramble the output.
• The STB decodes the scrambled input and produces the TV out.
32. STB :~ Set-Top Box
• Does QAM demodulation.
• DVB-C type set-top boxes work on coaxial cable.
• IPTV set-top boxes need IPTV networks.
• IPTV boxes allow Internet connectivity.
• Each STB has a unique identity, either using a MAC address or using a smart card.
34. DVB-C Set-top box
• Works on the Digital Video Broadcasting standard; the same standard is used for satellite broadcasting.
• Works with [64, 128, 256 QAM] modulation, a combination of amplitude and phase modulation.
• DVB-C is used for broadcasting audio and video signals.
Source: Understanding Digital Television: An Introduction to DVB Systems with
35. IPTV
• IP set-top boxes enable video services connected through an IP network.
• Protocols like HTTP, RTSP and IGMP are used in streaming the video.
• IPTV can carry audio, video and data over the wire, aka [Triple play].
• Internet access is possible using IPTV.
36. Digital Cable Overall
• Satellite Content
• IRD decoders
• DRM Server
• Middleware Servers
• Video on Demand Server
• Billing Server
• Triple Play Convergence
• Switch
• QAM Modulator
• Network Infrastructure
• Micro PoP
• Access Switch
• Customer Premise Equipment
• Set Top Box
[Diagram groups: Source [Head End]; Management Network or Middleware; Home Network]
38. Attacking Digital Network
[Diagram: Home TV, Set-Top Box, Local Cable TV Operator, Decoder Unit, Management Network, Scrambled Signal on Optical Fiber, Coaxial Cables, Digital Signal]
40. Management Server [Middleware]
• Provides Billing and Customer Service.
• Attacks on Middleware are possible in both DVB-C and IPTV networks
Locating the Mother Program
• Network fingerprinting –Find IPTV Management service.
• Some are Internet facing !!
41. Bug 1:~ STB Hijack
• The application allows one operator to transfer an STB to another operator.
• This option lists all existing operators.
• The transfer option is based on an Access Key.
• The Access Key implementation was flawed.
42. Spot the Bug
Old bug, PHP < 5.3.*: passing an array will bypass the check.
<?php
// Look up the operator's API key (the slide elides running the query; the string concatenation is repaired here).
$apikey = "select api_key from apis where username='" . mysql_escape($username) . "'";
// Flaw shown on the slide: if $_GET['key'] is an array rather than a string, strcmp() does not
// return a non-zero integer and the loose "== 0" comparison below accepts it.
$authenticated = strcmp($apikey, $_GET['key']);
if ($authenticated == 0) {
    print "Logged IN !";
} else {
    print "wrong API!";
}
?>
44. Bug 2: Cable TV Remote Shutdown
• Cable TV operators control clients via UAKEY.
• This is accomplished via API keys specific to the logged-in admin.
• The implementation was flawed.
• The bug allowed a remote cable operator visiting a malicious webpage to remotely shut down all Digital TV instances.
45. API Key Implementation
<script src="load_secrets.js"></script>
They had some pretty cool anti-stealing code as well.
function checkUrl()
{
    var url = get_current_url();
    return url.match(url+'$') == 'flappybirds.com';
}
if(checkUrl())
{
    var api_key = "77d11aea20ff61c6d1e23f044";
    alert(api_key);
    populateFormFields(api_key); // Injects this token into the hidden input fields
} else{
    alert('Bad Domain !');
}
46. Let's do some cross-domain magic
• Attacker can load <script src="load_secrets.js"></script>
• But checkUrl() returns false.
• Attacker can bypass this using:
// From attacker.com
<script>
String.prototype.match = function()
{
    return ["flappybirds.com"];
}
</script>
<script src="http://cable-tv.com/api_keys/load_secrets.js"></script>
50. Fuzzing DVB [MPEG 2] STB
• The DVB transport stream uses the MPEG format.
• If we can find bugs in MPEG/DVB parsing, then we can do remote attacks.
• Fuzz a particular PES program.
52. Bug 3: STB DVB MPEG stream parsing
Segfault.
• SIGSEGV due to a buffer overflow.
• The buffer overflow is due to a memory overwrite.
• This bug causes the STB to restart.
54. DVB Transport Stream Working
• DVB in action:
• Provides audio/video streams to the TV (Transport Stream).
• Provides an Internet connection [IP over DVB/MPEG].
• Can carry multiple channels in a single stream.
• Payload of a stream = [Audio + Video + Stream Info]
• Stream Info, e.g. the Program Association Table
• The Program Association Table provides:
• PID values of the (TS) packets carrying the corresponding (PMT).
• PID stands for Packet Identifier.
• The PMT (Program Map Table) gives the location of the cells that make up each stream.
59. MITM Fuzzing, breaking encryption:
• The transport scrambling control field [2 bits] in the TS header indicates whether the packet is encrypted or unencrypted.
• If both bits are zero, there is no scrambling.
• If either of the two bits is non-zero, the payload part is scrambled.
• Most DVB STB implementations use this field to detect scrambling.
60. This way you can introduce unencrypted cells into the DVB-C stream and make the STB parse them.
61. Demo: Poc crashing STB:
• Video removed visit
garage4hackers.com/blog.php?u=8
62. STB Firmware Update
• The STB boots up and authenticates to the home gateway.
• In case of DVB multicast it uses DSM-CC for firmware delivery.
• In case of DVB [IPTV] unicast it checks a middleware server for updates; if any are available it downloads them via TFTP.
• Reboots and installs the new firmware.
64. DSM-CC [Data over DVB]
• It is basically encapsulation of data in the DVB transport stream [MPEG 2].
Applications:
1. STB firmware updates.
2. STB application software download.
Television is a one-way medium, unlike the Internet.
So if someone hacks into your TV provider and streams in a video stating that a riot has started in the nearby village/city, that can cause enough panic.
We will explain both analog and digital cable networks.
We will look at the technologies behind these networks and show how to hack into them.
I am not even from the signals world; I am just an application security guy.
But I find it bad not knowing how my TV works and still calling myself a hacker.
Multiple antennas are necessary for cable operators to capture individual channel signals from multiple satellites.
These signals are decoded using IRD units [Integrated Receiver Decoders].
The decoded signals are modulated.
The modulators are connected together to send all the collected channels to a QAM.
Optical fiber cables are used to distribute the signals.
At the local cable distributor end the optical cable is replaced with coaxial cable.
Amplifiers are introduced at each node to keep the signals strong.
The head end receives the radio signal and uses the IRD to tune and amplify it.
Once the signal is amplified, the IRD decodes it.
The IRD converts the RF signals to analog signals.
Here each channel is frequency modulated by the modulator.
So HBO would be on a particular frequency and a national channel on another.
IRDs are provided by the channel companies.
QAM stands for quadrature amplitude modulation, the format by which digital cable channels are encoded and transmitted via cable television providers.
http://en.wikipedia.org/wiki/QAM_(television)
Quadrature amplitude modulation (QAM) is both an analog and a digital modulation scheme.
It conveys two analog message signals, or two digital bit streams, by changing (modulating) the amplitudes of two carrier waves, using the amplitude-shift keying (ASK) digital modulation scheme or amplitude modulation (AM) analog modulation scheme.
The modulated waves are summed, and the resulting waveform is a combination of both phase-shift keying (PSK) and amplitude-shift keying (ASK).
The signals are amplified and distributed via optic fiber.
Each channel received would be on a particular frequency.
The cable operator can modulate it to a different frequency if they want and send it on the wire from the head end.
Certain national channels need to go out on the same frequency they came in on.
Now with FDMA all the different channels are sent to the users via a fiber cable.
The transmission medium is Radio over Fiber.
The TV tunes to each individual frequency and decodes it to audio and video.
The analog network is vulnerable to MITM since there is no encryption.
If you have physical access to these networks then you can easily get a free cable connection.
Or you can even broadcast your own signals.
The following cheap devices were enough to perform a MITM on analog networks.
RF modulator: takes an input signal and outputs a radio-frequency-modulated signal.
Amplifier: boosts the output signal.
Signal Cutter: chops down a specified frequency.
Signal Tap: can inject a signal into the existing signals.
Optical Receiver: reads optical inputs.
Optical to Coaxial: converts optical input to coaxial output.
Total: 3000 RS
When doing a man-in-the-middle you need to avoid collision.
It could be done by fully shutting down the original signal source.
Shutting down the entire signal source will take all the channels offline.
Or include a signal cutter that cuts down the signal so that the existing NDTV frequency is reduced to something else.
Introduce our custom video on the Fox News frequency and game over.
Nafeez
There are many DVB standards, each developed for its own intended use. The first of the DVB standards to be agreed upon by ETSI and others was the DVB-S standard (1994) for satellite transmission. DVB-T is used for terrestrial transmissions, and was commercialized around 1997. DVB-C is used in cable transmissions.
The DVB-C headend is the information exchange center of the DVB-C system, responsible for signal reception, processing and control: signal input, signal processing, signal output and conditions, program reception management, customer management, system management and other functions.
Source: http://www.chinaotec.com/en/shownew.asp?id=14
Does signal processing, customer management and system management.
Spent 1 minute on this slide.
Middleware Servers
These are servers that provide the billing and customer services.
Attacks on Middleware are possible in both DVB-C and IPTV networks
Locating the Mother Program:
Some network fingerprinting will provide details of the Web Application used to manage the IPTV service.
Sometimes few of these controllers are accessible on the Internet.
The cable TV local operator's control panel can do things like shutting down access, sending messages to individual clients etc. by specifying the client's UAKEY.
They have a super secret JS file, which gets dynamically loaded for a given admin.
Spent 1 minute on this slide.
Tip: before writing a fuzzer, always check the source code of other MPEG parsing applications.
We waited for the STB to crash and restart. So mostly we stared at the TV.
Cable companies deliver one DVB stream to the TV. This stream contains several channels, each on its own frequency. The channels are combined, or "muxed", into one transport stream and delivered to the TV, which "demuxes" the signal so it can be "read" from the various channels. In addition to the audio/video streams (the payload), there are also a number of tables included in the transport stream. These tables provide the TV with information about the stream. An example is the Program Association Table, which lists all available programs in the transport stream.
Source:
http://www.codenomicon.com/resources/whitepapers/codenomicon-wp-smart-tv-fuzzing.pdf
Sample picture shows data populated using PAT info.
Program Association Table (PAT): for each service in the multiplex, the PAT indicates the location (the Packet Identifier (PID) values of the Transport Stream (TS) packets) of the corresponding Program Map Table (PMT).
It also gives the location of the Network Information Table (NIT).
Ref: http://www.etsi.org/deliver/etsi_en/300400_300499/300468/01.03.01_60/en_300468v010301p.pdf
A good tool to inspect a DVB stream is dvbsnoop: http://dvbsnoop.sourceforge.net/examples/example-ts.html
Image: http://www.althos.com/sample_diagrams/ag_MPEG_TS_Packet_low_res.jpg
More detailed structure diagram: http://www.jdsu.com/ProductLiterature/MPEG_Poster_lowrez.pdf
Each field explained: http://www.erg.abdn.ac.uk/future-net/digital-video/mpeg2-trans.html
Pass 1:
The plaintext of the payload is split into blocks of 64 bit length and a remainder that is smaller than 64 bits.
All blocks except this remainder are then encrypted with a custom block cipher in CBC mode, using reverse block order and an all-zero initialization vector.
Pass 2:
In the second pass, a stream cipher using the first block (the last block in the order used with the block cipher) as initialization vector encrypts all data again, except the first block.
Note that DVB-CSA does not randomize the ciphertexts: equal plaintexts are always mapped to the same ciphertexts.
Ref: https://www.cdc.informatik.tu-darmstadt.de/~jwaelde/breaking-dvbcsa.pdf
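The two passes written out, as an added note (not from the slides or the referenced paper): let the payload be full 64-bit blocks P_1, ..., P_n plus a remainder R shorter than 64 bits, E_K the block cipher under key K, and S_K(IV) the stream cipher keystream under the same key.

Pass 1 (CBC, reverse block order, zero IV):
  C_n = E_K(P_n XOR 0)
  C_i = E_K(P_i XOR C_{i+1})   for i = n-1, ..., 1
Pass 2 (stream cipher, IV = C_1, first block left untouched):
  K_2 || ... || K_n || K_R = S_K(C_1)
  output = C_1 || (C_2 XOR K_2) || ... || (C_n XOR K_n) || (R XOR K_R)

Every term depends only on K and the payload bytes; no per-packet nonce enters either pass, which is why the same plaintext under the same key always yields the same ciphertext.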
The DVB-C decryption keys for the scrambling algorithm are in the STB [removable cards] or hardcoded .
There are multiple papers that document ways to effectively break DVB-CSA and recover encryption key.
Our aim is to inject our own streams into the network and make the end user STBs parse them.
There is a better way doing it rather than breaking the key.
The header starts with a well-known Synchronisation Byte (8 bits). This has the bit pattern 0x47 (0100 0111).
A set of three flag bits is used to indicate how the payload should be processed.
Ref: http://www.erg.abdn.ac.uk/future-net/digital-video/mpeg2-trans.html
The first flag indicates a transport error.
The second flag indicates the start of a payload (payload_unit_start_indicator).
The third flag is the transport priority bit.
The flags are followed by a 13-bit Packet Identifier (PID). This is used to uniquely identify the stream to which the packet belongs (e.g. PES packets corresponding to an ES) generated by the multiplexer. The PID allows the receiver to differentiate the stream to which each received packet belongs. Some PID values are predefined and are used to indicate various streams of control information.
A packet with an unknown PID, or one with a PID which is not required by the receiver, is silently discarded.
The particular PID value 0x1FFF is reserved to indicate that the packet is a null packet (and is to be ignored by the receiver).
The two scrambling control bits are used by conditional access procedures to encrypt the payload of some TS packets.
Two adaptation field control bits, which may take four values:
01 – no adaptation field, payload only
10 – adaptation field only, no payload
11 – adaptation field followed by payload
00 – reserved for future use
Finally there is a half-byte Continuity Counter (4 bits).
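As an added example (not code from the slides or the talk's tooling), the header layout above and the slide-59 point about the two scrambling bits in one small Python parser: it decodes each 188-byte packet and, on the monitoring side, reports any packet that carries a clear payload on a PID the operator expects to be scrambled, which is exactly the condition an STB would otherwise parse as trusted plaintext. PIDs, payloads and the "protected PID" set are constructed for the demo.

```python
# Added example: decode the 4-byte MPEG-2 TS header and flag clear-text payload on a
# PID that should be scrambled. All packets are constructed here, not captured broadcast.
TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47
NULL_PID = 0x1FFF


def parse_ts_header(packet: bytes) -> dict:
    """Split the TS header into its fields (sync, flags, PID, scrambling, AFC, CC)."""
    if len(packet) != TS_PACKET_SIZE or packet[0] != SYNC_BYTE:
        raise ValueError("not a TS packet: bad length or sync byte")
    b1, b2, b3 = packet[1], packet[2], packet[3]
    return {
        "tei": bool(b1 & 0x80),          # transport_error_indicator
        "pusi": bool(b1 & 0x40),         # payload_unit_start_indicator
        "priority": bool(b1 & 0x20),     # transport_priority
        "pid": ((b1 & 0x1F) << 8) | b2,  # 13-bit packet identifier
        "scrambling": (b3 >> 6) & 0x03,  # transport_scrambling_control, 00 = clear
        "afc": (b3 >> 4) & 0x03,         # adaptation_field_control (01/10/11, 00 reserved)
        "cc": b3 & 0x0F,                 # continuity_counter
    }


def build_ts_packet(pid: int, scrambling: int = 0, afc: int = 1, cc: int = 0,
                    payload: bytes = b"") -> bytes:
    """Assemble a constructed 188-byte packet (header + 0xFF stuffing) for testing."""
    b1 = (pid >> 8) & 0x1F
    b3 = (scrambling << 6) | (afc << 4) | (cc & 0x0F)
    return bytes([SYNC_BYTE, b1, pid & 0xFF, b3]) + payload[:184].ljust(184, b"\xff")


def audit_scrambling(stream: bytes, protected_pids: set) -> list:
    """Return (packet_index, pid) for every packet carrying a clear payload on a PID that
    should be scrambled. A receiver that trusts the 2-bit field would parse that payload
    as plaintext, so a head-end or STB monitor can treat it as a mux integrity alarm."""
    alarms = []
    for idx, off in enumerate(range(0, len(stream) - TS_PACKET_SIZE + 1, TS_PACKET_SIZE)):
        hdr = parse_ts_header(stream[off:off + TS_PACKET_SIZE])
        if hdr["pid"] == NULL_PID or hdr["afc"] == 2:
            continue  # null packet, or adaptation field only: nothing to scramble
        if hdr["pid"] in protected_pids and hdr["scrambling"] == 0:
            alarms.append((idx, hdr["pid"]))
    return alarms


def sample_stream() -> bytes:
    """Constructed mux: PAT in the clear (PID 0), a scrambled video PID 0x100, one clear
    packet slipped onto 0x100, a null packet, and a payload-less 0x100 packet."""
    return b"".join([
        build_ts_packet(0x0000, scrambling=0, cc=0, payload=b"\x00\x00\xb0"),
        build_ts_packet(0x0100, scrambling=2, cc=0),   # 10 = scrambled, even key
        build_ts_packet(0x0100, scrambling=0, cc=1),   # clear payload on a protected PID
        build_ts_packet(NULL_PID),
        build_ts_packet(0x0100, scrambling=0, afc=2, cc=2),
    ])
```

Running audit_scrambling(sample_stream(), {0x0100}) returns [(2, 256)]: only the injected clear packet trips the alarm, while the PAT, the null packet and the adaptation-field-only packet are correctly ignored.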