Friday, December 1, 2006

Pirate decryption

Pirate decryption most often refers to the reception of compromised Pay TV or pay radio signals without authorisation from the original broadcaster. The term "pirate" in this case is used in the sense of copyright infringement and has little or nothing to do with clandestine transmitting stations or with sea piracy. If a band starts singing "This is Radio Clash from pirate satellite, orbiting your living room, cashing in the bill of rights..." they're most likely referring to a quite different concept, that of pirate radio, which involved the operation of a small broadcast radio station without lawfully obtaining a licence to transmit.

History
The concept of pay TV is almost as old as TV itself and involves a broadcaster deliberately transmitting signals in a non-standard, scrambled or encrypted format in order to charge viewers a sizeable subscription fee for the use of a special decoder needed to receive the scrambled broadcast signal.

Early Pay TV broadcasts in countries such as the United States used standard over-the-air transmitters; many restrictions applied as anti-siphoning laws were enacted to prevent broadcasters of scrambled signals from engaging in activities to harm the development of standard free-to-air commercial broadcasting. Scrambled signals were limited to large communities which already had a certain minimum number of unencrypted broadcast stations and relegated to certain frequencies only, and restrictions were placed on access of pay TV broadcasters to content such as recent feature films in order to give free TV broadcasters a chance to air these programmes before they were siphoned away by pay channels.

Under these conditions, the pay TV concept was very slow to become commercially viable; most television and radio broadcasts remained in-the-clear and were funded by commercial advertising, individual and corporate donations to educational broadcasters, direct funding by governments or (in the UK) licence fees charged to the owners of receiving apparatus.

Pay TV only began to become common after the widespread installation of cable television systems in the 1970s and 1980s; early premium channels were most often movie broadcasters such as the US-based Home Box Office and Cinemax, both currently owned by Time Warner. Signals were obtained for distribution by cable companies using C-band satellite dish antennas of up to ten feet in diameter; the first satellite signals were originally unencrypted as extremely few individual end-users could afford the large and expensive satellite receiving apparatus.

As satellite dishes became smaller and more affordable, most satellite signal providers adopted various forms of encryption in order to limit reception to certain groups (such as hotels, cable companies or paid subscribers) or to specific political regions. Some free-to-air satellite content remains, but many of the channels still in the clear are ethnic channels, local over-the-air TV stations, religious programming, backfeeds of network programming destined for local TV stations or signals uplinked from mobile satellite trucks to provide live news and sports coverage.

Specialty channels and premium movie channels are most often encrypted; broadcasts consisting of explicit pornography must always be encrypted to prevent reception by those who wish not to be exposed to this sort of "adult content".

Technical issues
Initial attempts to encrypt broadcast signals were based on analogue techniques of questionable security, the most common being one or a combination of techniques such as:
* weakening or attenuating specific portions of the video signal, typically those required to maintain synchronisation
* inverting video signals so that white becomes black (and vice-versa)
* adding an interfering signal at one specific frequency which could be simply filtered out at a suitably-equipped receiver
* moving the audio portion of the signal to some other frequency or sending it in a non-standard format

These systems were designed to provide decoders to cable operators at low cost; a serious tradeoff was made in security. Some analogue decoders were addressable so that cable companies could turn channels on or off remotely, but this only gave the cable companies control of their own descramblers - valuable if needed to deactivate a stolen cable company decoder but useless against hardware designed by signal pirates.

The first encryption methods used for big-dish satellite systems used a hybrid approach: analogue video and digitally encrypted audio. This approach was somewhat more secure, but not completely free of problems, as the video signal itself remained open to piracy.

Direct broadcast satellites and digital cable services, because of their digital format, are free to use more robust security measures such as the Data Encryption Standard (DES) or the RSA and IDEA digital encryption standards. When first introduced, digital DBS broadcasts were touted as being secure enough to put an end to piracy once and for all.

The enthusiasm was short-lived. In theory the system was an ideal solution, but some corners had been cut in the initial implementations. The first US DirecTV "F" cards contained no encryption chip. Next, designers of the first cards for one British system had started with a solid encryption algorithm, then had to implement it only partially due to lack of processor resources on the smartcards. The DirecTV "F" card was replaced with the "H" card, which contained an application-specific integrated circuit (ASIC) to handle decryption. Unfortunately, due to similarities between the "H" and other existing cards, it became apparent that while the signal could not be received without the card and its ASIC, the card itself was vulnerable to tampering by reprogramming it to add channel tiers or additional programming, opening TV channels to the prying eyes of the pirates.

Two more card swaps would be necessary before the piracy headaches at DirecTV would finally go away; a number of other providers are also in the middle of swapping out all of their subscribers' smartcards due to compromised encryption methods.

A number of key vulnerabilities exist even with digital encryption:

* The same code is used for millions of subscribed receivers to decrypt the signal, yet it must remain completely secret. If the code has been compromised by anyone anywhere, computers and Internet can be used to make crucial details very public in a very short amount of time. Internet sites may be located offshore in countries where local laws permit the information and software to be distributed openly; some of the more notorious freeware distributed to pirates ranges from NagraEdit (a programme intended to edit the information stored on Swiss-designed Kudelski NagraVision 1 smartcards) to firmware which may be used to reprogramme some free-to-air set-top boxes or desktop PC's equipped with DVB tuner cards to permit them to decode encrypted broadcasts.

* The secrecy of any code is only as trustworthy as the people designing the system; if any of them were to divulge any of the key design secrets, every card with the compromised decryption algorithm may need to be replaced for security to be restored. In some cases, outside personnel (such as those employed by lawyers in the NDS vs. DirecTV intellectual property lawsuit over the P4 card design) may obtain access to key and very sensitive information, increasing the risk of the information being leaked for potential use by pirates.

* If less secure encryption is used due to processor limitations on the smartcards, the system is vulnerable to cryptographic attack using distributed processing. While most secure Internet and online banking transactions require 128-bit encryption, 56-bit keys are not uncommon in video encryption. A brute-force attack against a 56-bit DES key would still be prohibitively time-consuming on a single processor. A distributed approach in which many users each run software to scan just a portion of the possible key space, then upload results to one or more central points on a network such as the Internet, may provide information of value to pirates who wish to break security.

* The resources available for reverse engineering increase significantly if a direct competitor with smartcard manufacturing knowledge were to attempt to maliciously compromise the system. Integrated circuits may be vulnerable to microprobing or analysis under an electron microscope once acid or chemical means have been used to expose the bare silicon circuitry. One lawsuit has already been launched by Canal+ (France), dropped as the result of the one-thousand million Euro deal to sell TelePiu (Italy), then continued by Echostar (USA); the suit alleged that a competitor had maliciously used reverse engineering to obtain the computer programmes contained within various pay-TV smartcards (including Seca and Nagra cards) and allowed the results to be posted to Internet sites such as the notorious but now-defunct DR7.com.

* The cards themselves are often vulnerable to a "glitch" by which the incoming power and clock signals are disrupted for a short and carefully-timed length of time (such as a millionth of a second) in order to cause the processor to skip an instruction. In many cases, hardware designed to exploit this weakness was sold to pirates for use in tampering with cards for the US-based DirecTV system.

* In some cases, buffer overflow exploits have been used to gain access to otherwise locked cards in order to reprogramme them.

* A scheme to monitor the exact instantaneous power consumption of smartcards as they make their computations also provides clues as to what type of computations are being performed.

In some cases, fraudulent cloning has been used to assign identical serial numbers to multiple receivers or cards; subscribe (or unsubscribe) one receiver and the same programming changes appear on all of the others. Various techniques have also been used to provide write protection for memory on the smartcards or receivers to make deactivation or sabotage of tampered cards by signal providers more difficult.

Systems based on removable smartcards do facilitate the implementation of renewable security, where compromised systems can be repaired by sending new and redesigned cards to legitimate subscribers, but they also make the task of replacing smartcards with tampered cards or inserting devices between card and receiver easier for pirates. In some European systems, the conditional access module (CAM) which serves as a standardised interface between smartcard and DVB receiver has also been targeted for tampering or replaced by third-party hardware.

Improvements in hardware and system design can be used to significantly reduce the risks of any encryption system being compromised, but many systems once thought secure have been proven vulnerable to sufficiently sophisticated and malicious attackers.

Two-way communication has also been used by designers of proprietary digital cable TV equipment in order to make tampering more difficult or easier to detect. A scheme involving the use of a high-pass filter on the line to prevent two-way communication has been widely promoted by some unscrupulous individuals as a means of disabling communication of billing information for pay-per-view programming but this device is effectively worthless as a cable operator remains free to unsubscribe a digital set-top box if two-way communication has been lost.

Terminology and definitions

Much of the terminology used on Internet discussion sites to describe the various devices, programmes and techniques used in dealing with video piracy is strange, non-standard, specific to one system or (in some cases) based on the inadvertent misuse of existing computer terms to substantially modify their meaning.

ISO7816 smartcard terminology

* ATR is the answer-to-reset data from an ISO7816-compliant smartcard. A card reader provides power, clock and reset signals to a smartcard, along with a bidirectional serial data interface to permit communication. On reset, the card sends a standard block of serial data (nominally at 9600 bps) to identify the card type and indicate the desired bit rate for further communication. The clock frequency to be supplied may vary from one system or card type to another, as it appears not to have been fixed by the ISO standard.

* A smartcard reader is a device which accepts serial data from a computer and converts it into an ISO7816-compliant form in order to permit communication with the card. The simplest of these devices was the "Phoenix interface", which passed data to the card with little additional translation; more sophisticated readers are often used in systems where the personal computer itself is to be secured using smartcard systems.

* AVR and Atmega are trade names for a series of general-purpose 8-bit microcontroller chips manufactured by Atmel Corporation. The terms have been misused widely to refer to blank smartcards or various other hardware devices which were built around these processors. The widely-available European "funcard" series of blank generic ISO7816 smartcards were based upon the Atmel processor series; there was also a "PIC card" based on the Microchip Corporation PIC series of processors.

* Emulation refers to something slightly different in ISO7816 than in other computer design applications; it is the connection of a personal computer in place of a smartcard using an ISO 7816-compatible "season interface" for test or development purposes. The PC is programmed to simulate the entire instruction set of the smartcard's CPU to allow smartcard code to be developed more readily. As some encryption systems require an application-specific IC (ASIC) on the card to perform decryption, a pirate would also use a card which had been "auxed" (reprogrammed to pass received computer data directly to the application-specific decryption chip) in order to employ such an emulation system.

* A looped smartcard is one where defective or malicious programme code written to non-volatile memory causes the smartcard's CPU to enter an endless loop on power-up or reset, rendering the card unusable. In many cases, not even the ISO 7816 ATR message would be sent. "Unloopers" were smartcard repair stations intended to cause the card to skip one or more instructions by applying a "glitch" in some form to the power or clock signal in the hope of allowing the CPU to exit from the endless loop.

* "Bootloaders" were hardware which used a similar "glitch" to break a card out of an endless loop on power-up each time the card was used; these did not provide any smartcard reprogramming ability. These could permit DirecTV "H" cards (now no longer in use) to operate despite the permanent damage done by malicious code during the "Black Sunday" attack of 2001. These devices are currently believed to be obsolete.
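The ATR item above describes the reset handshake in prose only. The parser below is an added example, not code from the original article, and decodes an ATR byte string the way ISO 7816-3 lays it out: the TS convention byte, T0 with its presence nibble and historical-byte count, the chain of TA/TB/TC/TD interface bytes, the historical bytes and, when any protocol other than T=0 is offered, the TCK check byte (the XOR of every byte from T0 through TCK must be zero). TA1 carries the Fi/Di factors that set the bit rate the article mentions; because the standard does not fix the card clock, the clock frequency is a parameter here, with 3.5712 MHz assumed as the default so that the standard Fi=372, Di=1 gives the nominal 9600 bps. The three sample ATRs are constructed for this example, not captured from any real card.

```python
"""Parser for the ISO 7816-3 answer-to-reset (ATR) block a smartcard sends after reset."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Clock-rate conversion factor Fi (high nibble of TA1) and baud-rate
# adjustment factor Di (low nibble of TA1), indexed by code, per ISO 7816-3.
# None marks a reserved code.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None,
            None, 512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20,
            None, None, None, None, None, None]


@dataclass
class ATR:
    convention: str                  # "direct" (TS=0x3B) or "inverse" (TS=0x3F)
    interface_bytes: Dict[str, int]  # e.g. {"TA1": 0x11, "TD1": 0x81}
    protocols: List[int]             # transmission protocols offered (T=0, T=1, ...)
    historical: bytes                # card-specific historical bytes
    tck: Optional[int]               # check byte, present only if some T != 0 is offered
    tck_ok: bool                     # True when TCK is absent or verifies
    fi: int
    di: int

    def baud_rate(self, clock_hz: float = 3_571_200.0) -> float:
        """Initial bit rate implied by TA1 for the given card clock.

        The 3.5712 MHz default is an assumption for this example; with the
        default Fi=372, Di=1 it yields 9600 bps, the nominal ATR rate.
        """
        return clock_hz * self.di / self.fi


def parse_atr(raw: bytes) -> ATR:
    """Decode an ATR byte string; raises ValueError on malformed input."""
    if len(raw) < 2:
        raise ValueError("ATR too short")
    ts, t0 = raw[0], raw[1]
    if ts == 0x3B:
        convention = "direct"
    elif ts == 0x3F:
        convention = "inverse"
    else:
        raise ValueError(f"invalid TS byte 0x{ts:02X}")

    k = t0 & 0x0F          # number of historical bytes
    y = t0 >> 4            # presence bits for TA1, TB1, TC1, TD1
    pos, i = 2, 1
    iface: Dict[str, int] = {}
    protocols: List[int] = []
    fi, di = 372, 1        # defaults when TA1 is absent

    # Walk the chain of interface bytes; each TDi announces the next group.
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(raw):
                    raise ValueError(f"truncated ATR: missing {name}{i}")
                iface[f"{name}{i}"] = raw[pos]
                pos += 1
        if i == 1 and "TA1" in iface:
            fi_code, di_code = iface["TA1"] >> 4, iface["TA1"] & 0x0F
            if FI_TABLE[fi_code] is None or DI_TABLE[di_code] is None:
                raise ValueError("TA1 uses a reserved Fi or Di code")
            fi, di = FI_TABLE[fi_code], DI_TABLE[di_code]
        td = iface.get(f"TD{i}")
        if td is None:
            break
        protocols.append(td & 0x0F)
        y = td >> 4
        i += 1
    if not protocols:
        protocols = [0]    # no TD1 means T=0 only

    historical = raw[pos:pos + k]
    if len(historical) != k:
        raise ValueError("truncated ATR: missing historical bytes")
    pos += k

    # TCK is present iff some protocol other than T=0 is offered; the XOR of
    # every byte from T0 through TCK must then be zero.
    tck: Optional[int] = None
    tck_ok = True
    if any(p != 0 for p in protocols):
        if pos >= len(raw):
            raise ValueError("truncated ATR: missing TCK")
        tck = raw[pos]
        pos += 1
        acc = 0
        for b in raw[1:pos]:
            acc ^= b
        tck_ok = acc == 0
    if pos != len(raw):
        raise ValueError("unexpected trailing bytes after ATR")
    return ATR(convention, iface, protocols, historical, tck, tck_ok, fi, di)


# Constructed sample ATRs (not captured from any real card):
# T=1 card with three historical bytes ("ABC") and a valid TCK.
SAMPLE_T1 = bytes.fromhex("3B 93 11 81 01 41 42 43 42")
# T=0-only card: TA1 present, no TD1, hence no TCK.
SAMPLE_T0 = bytes.fromhex("3B 10 11")
# SAMPLE_T1 with one historical byte altered; TCK no longer verifies.
SAMPLE_CORRUPT = bytes.fromhex("3B 93 11 81 01 41 42 42 42")

if __name__ == "__main__":
    for label, atr in (("T=1", SAMPLE_T1), ("T=0", SAMPLE_T0), ("corrupt", SAMPLE_CORRUPT)):
        parsed = parse_atr(atr)
        print(label, parsed.convention, parsed.protocols, parsed.historical,
              f"{parsed.baud_rate():.0f} bps", "TCK ok" if parsed.tck_ok else "TCK BAD")
```

A reader or logging tool that validates the ATR this way can reject a truncated or altered reset block before sending any command to the card; the corrupt sample shows the TCK catching a single changed historical byte, which is the kind of consistency check a card reader should perform before trusting what the card claims about itself.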

Receiver (IRD) and microprocessor terminology

* DVB is an international standard for digital video broadcasting used by virtually all European broadcasters; some North American providers use incompatible proprietary standards such as DSS (DirecTV) or Digicypher (Motorola) which predate the DVB standardisation effort. The packet size, tables and control information transmitted by proprietary systems require proprietary non-DVB receivers, even though the video itself nominally in some form will often still adhere to the MPEG-2 image compression standard defined by the Motion Picture Experts Group.

* An IRD is an integrated receiver-decoder, in other words a complete digital satellite TV or radio receiver; "decoder" in this context refers not to decryption but to the decompression and conversion of MPEG video into displayable format.

* FTA (free-to-air) is often used to refer to receivers and equipment which contain no decryption hardware, built with the intention of being able to receive unencrypted free-to-air broadcasts; more properly FTA refers to the unencrypted broadcasts themselves.

* A CAM or conditional access module is defined by the DVB standard as an interface between a standardised DVB common interface receiver and one or more proprietary smartcards for signal decryption. It is not the smartcard itself. The standard format of this module follows PCMCIA specifications; some receivers bypass the requirement for a separate module by providing embedded CAM functionality in the receiver to communicate with specific proprietary smartcards such as Nagra, Conax, Irdeto, Viaccess, Betacrypt. In the North American market, most "package receivers" sold by signal providers provide embedded CAM operation; terminology is therefore often misused to misidentify the smartcard as a CAM.

* JTAG is a standard test interface defined by the Joint Test Action Group and supported on many late-model digital receivers for factory test purposes. Operating using a six-wire interface and a personal computer, the JTAG interface was originally intended to provide a means to test and debug embedded hardware and software. In the satellite TV world, JTAG is most often used to obtain read-write access to non-volatile memory within a digital receiver; initially programs such as Wall and JKeys were used to read box keys from receivers with embedded CAMs, but JTAG has since proven its legitimate worth to satellite TV fans as a repair tool to fix receivers where the firmware (in flash memory) has been corrupted.

* The "Sombrero de Patel" is another device used to obtain direct memory access to a receiver without physically removing memory chips from the board to place them in sockets or read them with a specialised device programmer. The device consists of a standard PLCC integrated circuit socket which has been turned upside-down in order to be placed directly over a microprocessor already permanently soldered to a printed circuit board in a receiver; the socket makes electrical contact with all pins of the microprocessor and is interfaced to one or more microcontrollers which use direct memory access to pause the receiver's microprocessor and read or write directly to the memory. The term "sombrero" is used for this hack as the novel use of an inverted IC socket somewhat resembles a hat being placed upon the main processor.

Political issues
In some countries such as Canada and many Caribbean nations, the black market in satellite TV piracy is closely tied to the gray market activity of using direct broadcast satellite signals to watch broadcasts intended for one country in some other, adjacent country. Many smaller countries have no domestic DBS operations and therefore few or no legal restrictions on the use of decoders which capture foreign signals.

The refusal of most providers to knowingly issue subscriptions outside their home country leads to a situation where pirate decryption is perceived as being one of the only ways to obtain certain programming. If there is no domestic provider for a channel, a grey market (subscribed using another address) or black market (pirate) system is prerequisite to receive many specific ethnic, sport or premium movie services.

Pirate or grey-market reception also provides viewers a means to bypass local blackout restrictions on sporting events and to access hard-core pornography from places such as the Bible Belt where some content is not otherwise available.

The grey market for US satellite receivers in Canada at one point was estimated to serve as many as several hundred thousand English-speaking Canadian households. Canadian authorities, acting under pressure from cable companies and domestic broadcasters, have made many attempts to prevent Canadians from subscribing to US direct-broadcast services such as News Corporation's DirecTV and Echostar's Dish Network.

While litigation has gone as far as the Supreme Court of Canada, no judicial ruling has yet been made on whether such restrictions violate the safeguards of the Canadian Charter of Rights and Freedoms which are intended to protect freedom of expression and prevent linguistic or ethnic discrimination. Domestic satellite and cable providers have adopted a strategy of judicial delay in which their legal counsel will file an endless series of otherwise-useless motions before the courts to ensure that the proponents of the grey-market systems run out of money before the "Charter Challenge" issue is decided.

In most cases, broadcasters will require a domestic billing address before issuing a subscription; post boxes and commercial mail receiving agencies are often used by grey-market subscribers to foreign providers to circumvent this restriction.

The situation in the US itself differs as it is complicated by the legal question of subscriber access to distant local TV stations. Satellite providers are severely limited in their ability to offer subscriptions to distant locals due to the risk of further lawsuits by local affiliates of the same network in the subscriber's home designated market area. California stations have sued satellite providers who distributed New York signals nationally, as the distant stations would have an unfair advantage by broadcasting the same programming three hours earlier.

There is also a small "reverse gray market" for Canadian signals, transmitted with a footprint which sends full-strength DBS signals to many if not all of the contiguous 48 US states. The question of signal substitution, by which Canadian cable and satellite providers tamper with foreign or distant broadcasts on their systems by substituting the signal of a local or domestic channel carrying the same programme, is rendered more complex by the existence of a reverse grey market. Signal substitution had already been the cause of strong diplomatic protests by the United States, which considers the practice to constitute theft of advertising revenue.

The lack of domestic competition for premium movie channels in Canada is one factor encouraging grey-market reception; language is another key issue as most Spanish-language programming in North America is on the US system and most French-language programming is on the Canadian system. A larger selection of sports and ethnic programming is also available to grey-market subscribers.

It could be said that the 1000-channel universe is a reality in North America, but only for the signal pirates as many legal and geographic restrictions are placed on the ability to subscribe to many if not most of the physically-available channels.

Other countries such as Iran, Afghanistan during Taliban rule and Iraq during the Saddam Hussein régime, have attempted to prohibit their citizens from receiving any satellite broadcasts from foreign sources; reception of news services such as Qatar-based Al Jazeera are the target of restrictive legislation in some nations.

The situation in Europe differs somewhat, due to the much greater linguistic diversity in that region and due to the use of standardised DVB (digital video broadcasting) receivers capable of receiving multiple providers and free-to-air signals. North American providers normally lock their subscribers into "package receivers" unable to tune outside their one package; often the receivers are sold at artificially low prices and the subscription cost for programming is increased in order to favour new subscribers over existing ones. Providers are also notorious for using sales tactics such as bundling, in which to obtain one desired channel a subscriber must purchase a block of anywhere from several to more than a hundred other channels at substantial cost.

Fighting piracy

A number of strategies have been used by providers to control or prevent the widespread pirate decryption of their signals.

One approach has been to take legal action against dealers who sell equipment which may be of use to satellite pirates; in some cases the objective has been to obtain lists of clients in order to take or threaten to take costly legal action against end-users. Providers have created departments with names like the "office of signal integrity" or the "end-users group" to pursue alleged pirate viewers.

As some equipment (such as a computer interface to communicate with standard ISO7816 smartcards) is useful for other purposes, this approach has drawn strong opposition from groups such as the Electronic Frontier Foundation. There have also been US counter-suits alleging that the legal tactics used by some DBS providers to demand large amounts of money from end-users may themselves appear unlawful or border on extortion.

Much of the equipment is perfectly lawful to own; in these cases, only the misuse of the equipment to pirate signals is prohibited. This makes provider attempts at legal harassment of would-be pirates awkward at best, a serious problem for providers which is growing due to the Internet distribution of third-party software to reprogramme some otherwise legitimate free-to-air DVB receivers to decrypt pay TV broadcasts with no extra hardware.

US-based Internet sites containing information about the compromised encryption schemes have also been targeted by lawyers, often with the objective of costing the defendants enough in legal fees that they have to shut down or move their sites to offshore or foreign Internet hosts.

In some cases, the serial numbers of unsubscribed smartcards have been blacklisted by providers, causing receivers to display error messages. A "hashing" approach of writing arbitrary data to every available location on the card and requiring that this data be present as part of the decryption algorithm has also been tried as a way of leaving less free space for third-party code supplied by pirates.

Another approach has been to download malicious code to smartcards or receivers; these programmes are intended to detect tampered cards and maliciously damage the cards or corrupt the contents of non-volatile memories within the receiver. This particular Trojan horse attack is often used as an ECM (electronic countermeasure) by providers, especially in North America where cards and receivers are sold by the providers themselves and are easy targets for insertion of backdoors in their firmware. The most famous ECM incident was the Black Sunday attack launched against tampered DirecTV "H" cards just before the 2001 Super Bowl game and intended to destroy the cards by overwriting a non-erasable part of the card's internal memory in order to lock the processor into an endless loop.

The results of a provider resorting to the use of malicious code are usually temporary at best, as knowledge of how to repair most damage tends to be distributed rapidly by hobbyists through various Internet forums. There is also a potential legal question involved (which has yet to be addressed) as the equipment is normally the property not of the provider but of the end user. Providers will often print on the smartcard itself that the card is the property of the signal provider, but at least one legal precedent indicates that marking "this is mine" on a card, putting it in a box with a receiver and then selling it can legally mean "this is not mine anymore". Malicious damage to receiver firmware puts providers on even shakier legal ground in the unlikely event that the matter were ever to be heard by the judiciary.

The only solution which has shown any degree of long-term success against tampered smartcards has been the use of digital renewable security; if the code has been broken and the contents of the smartcard's programming widely posted across the Internet, replacing every smartcard in every subscriber's receiver with one of different, uncompromised design will effectively put an end to a piracy problem. Providers tend to be slow to go this route due to cost (as many have millions of legitimate subscribers, each of which must be sent a new card) and due to concern that someone may eventually crack the code used in whatever new replacement card is used, causing the process to begin anew.

Premiere in Germany has replaced all of its smartcards with the Nagravision Aladin card; the US DirecTV system has replaced its three compromised card types ("F" had no encryption chip, "H" was vulnerable to being reprogrammed by pirates and "HU" were vulnerable to a "glitch" which could be used to make them skip an instruction). Both providers have been able to eliminate their problems with signal piracy by replacing the compromised smartcards after all other approaches had proved to provide at best limited results.

Many other providers, including the Bell ExpressVu (http://www.bellexpress.vu) system, are now also in the process of a smartcard swap to replace cards which were based on what is now a compromised encryption system.

External links
*http://news.bbc.co.uk/1/hi/business/1868140.stm
*http://www.silicon.com/management/government/0,39024677,11031985,00.htm
*http://www.atnewyork.com/news/article.php/1473021
*http://www.hut.fi/u/silja/netsec/broadcast.pdf

Tag: Consumer electronics
Tag: Digital television
Tag: Copyright law