1996-03-30 - Re: [NOISE] Cable-TV-Piracy-Punks

Header Data

From: kooltek@iol.ie (Hack Watch News)
To: cypherpunks@toad.com
Message Hash: b3b834e587d2c20c1f004323c4a591677c325e155705284fa821a816395166c3
Message ID: <199603292053.UAA18333@GPO.iol.ie>
Reply To: N/A
UTC Datetime: 1996-03-30 09:13:23 UTC
Raw Date: Sat, 30 Mar 1996 17:13:23 +0800

Raw message

From: kooltek@iol.ie (Hack Watch News)
Date: Sat, 30 Mar 1996 17:13:23 +0800
To: cypherpunks@toad.com
Subject: Re: [NOISE] Cable-TV-Piracy-Punks
Message-ID: <199603292053.UAA18333@GPO.iol.ie>
MIME-Version: 1.0
Content-Type: text/plain

>"David K. Merriman" <merriman@arn.net> writes:
> > At 01:34 AM 03/28/96 +0000, you wrote:
> >> I've been looking for a file on how to make PPV
> >> descramblers and haven't found any. Commercial descramblers
> >> cost around $200 base price. If anyone has a file on how to
> >> make them please e-mail me one.  Thanks.
> > This is cypherpunks. Not Cable-TV-Piracy-Punks.
>ObCrypto: Scrambling TV signals sometimes makes use of
>encryption, so perhaps a brief discussion of how this is done
>could be tolerated.
>If you are talking about recovering signals from completely
>encrypted digital MPEG-2 streams, such as those used by the DBS
>folks, you are probably out of luck.  The relevant processing in
>the decoder exists on a small card which has so far resisted
>attempts at reverse engineering.

The DSS smart card has been reverse-engineered for at least six months now
and pirate devices are in the market. The encryption used on those systems
is good but it does not stand up to a well-financed attack. In the European
version of the system, the encryption routines were using a hashing
function. The input packet also carried the authorisation data so it was
using this as an input packet. The DSS routine is probably based on a
similar hashing routine.

>There are a variety of techniques for scrambling audio.  The most
>expensive is to DES encrypt the sound and place it in the
>horizontal blanking interval.  The regular sound channel can then
>be used for advertising.  This requires a bit of processing at
>both ends, and is generally used for satellite to ground
>transmission of cable signals.  The other common method is to
>modulate the sound on a subcarrier, usually the one transmitted
>in phase with the missing sync.

Using DES to encrypt the audio on the fly is an old technique and was used
in the VideoCipher II system. Most of the more recent systems use a PRNBSG
EXORed with the digital audio data stream. 

>Of course, once television transmission goes completely digital,
>and strong encryption is used on both audio and video, the
>opportunity for such simple attacks will vanish.

The problem of piracy will still exist on digital systems. The DSS system is
a completely digital system and it too is hacked. Admittedly some of the
elements of security in the DSS are good, but most can be rendered void by
hackers. The problem for DSS is that the smart card they used is not secure
enough. It was a Motorola 6805 type. What appears to be the pattern with the
hacks on more recent smart card systems is an inversion of the original
pattern on the simple analogue systems. The original pattern was that some
hobbyists would figure out how to hack the system and then the hack would be
commercialised. With the smart card hacks, the pattern is inverted so that
it becomes a trickle down pattern. The professional hackers reverse and
emulate the smart card and then the code is sometimes hacked from the
emulator card and then distributed among hobbyists.

The most dangerous thing in all this is that the smart cards that have been
hacked in Pay TV systems throughout the world are also used in other
applications. The expertise and the knowledge of reversing smart cards is
now more common in the Pay TV piracy business. There is always the
possibility that these skills could be applied elsewhere.

John McCormac            * Hack Watch News
jmcc@hackwatch.com       * 22 Viewmount, 
Voice&Fax: +353-51-73640 * Waterford,
BBS: +353-51-50143       * Ireland
