4. Conclusions


Many hacks have been reported on existing broadcast systems. Some newer systems have not been hacked yet, but there are rumours that they are almost compromised, because the new systems are sometimes only an extension of previous ones. There are several similarities in how the systems are hacked. Hackers do not try to build a new descrambler from scratch; they use the real decoders. Sometimes they only try to add services to a card that has already been paid for. This can be done by tampering with the smart card or with the logic that interfaces with the smart card. This interface is the weakest link in the security of all scrambling systems.

A well-known hack that still works is the McCormac hack. The data stream of the valid smart card of a real subscriber is tapped and retransmitted. Other people receive this signal, feed it into the smart card interface of their own decoder, and can watch the same channels as the subscriber for free. In this case the decoders using the tapped control data are clones of the original decoder. Other variants of this hack are known. For example, one can record the scrambled video, download the control data of a valid smart card from a BBS, and watch the movies a few hours later.

The data flow between the smart card and the interface therefore has to be different for each descrambler system. This can be realized, for example, with ID numbers for each decoder and each smart card.
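Added example (not from the report) of the per-decoder binding suggested above: the control word leaving the card is masked with a key derived from the card ID and the decoder ID, so a tapped stream is useless to a decoder with another ID. All IDs, the master secret and the control word are constructed values, and the derivation scheme is this example's own, not that of any real system.

```python
import hmac
import hashlib

# Constructed values for this example only (no real issuer secrets or IDs).
MASTER_SECRET = b"issuer-master-secret-demo"
CONTROL_WORD = bytes.fromhex("0123456789abcdef")   # 64-bit control word, constructed


def pairing_key(card_id: str, decoder_id: str) -> bytes:
    """Key the issuer derives at personalisation time for one (card, decoder) pair.

    The same key is loaded into the card and into the decoder it is bound to;
    a different decoder ID yields a different key.
    """
    label = f"{card_id}|{decoder_id}".encode()
    return hmac.new(MASTER_SECRET, label, hashlib.sha256).digest()


def mask_cw(key: bytes, counter: int, cw: bytes) -> bytes:
    """Card side: XOR the control word with HMAC(key, counter).

    The plain control word never appears on the card/decoder interface, so a
    tap of that interface only yields masked bytes. XOR is symmetric, so the
    decoder calls this same function to unmask.
    """
    stream = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(cw, stream))


def replay_tapped_stream() -> tuple[bytes, bytes]:
    """Model the card-sharing scenario against a paired interface.

    Returns what the subscriber's own decoder recovers and what a cloned
    decoder (different ID, identical tapped bytes) recovers.
    """
    card_id, own_decoder, clone_decoder = "CARD-0001", "DEC-1234", "DEC-9999"
    counter = 7                                   # per-message counter, constructed
    on_the_wire = mask_cw(pairing_key(card_id, own_decoder), counter, CONTROL_WORD)
    genuine = mask_cw(pairing_key(card_id, own_decoder), counter, on_the_wire)
    cloned = mask_cw(pairing_key(card_id, clone_decoder), counter, on_the_wire)
    return genuine, cloned


if __name__ == "__main__":
    g, c = replay_tapped_stream()
    print("paired decoder recovers CW:", g == CONTROL_WORD)
    print("clone decoder recovers CW: ", c == CONTROL_WORD)
```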

Since hackers try to derive knowledge about the scrambling techniques, keys, etc. from the hardware, it is important to protect the hardware against such attacks. Even a simple IC identification number can tell a hacker a lot about the techniques applied. It is also important to protect the EPROMs and microcontrollers against attempts to read out their memories, which contain the encryption programs (or parts of them) and key tables. Some microcontrollers, like the PIC, can easily be hacked; the piracy cards that hackers build on this chip are themselves hacked by other hackers!

The smart cards also have to be replaced in a cycle of less than six months. If the service providers wait too long, breaking the system becomes attractive to commercial hackers, because they only get into trouble with their illegal subscribers when their piracy cards stop working too soon.

If the service provider sends control messages (EMMs) over the air together with the scrambled signal, hackers try to intercept these messages in order to break the checksum algorithm and create their own valid EMMs, for example to reactivate killed cards. This checksum should resist such attacks. For Videocrypt, only 10 plain messages with their checksums were required to break the code.
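Added example (not from the report) contrasting an unkeyed checksum with a keyed MAC as the tag on an EMM: the card rejects a rebuilt "activate" message only under the MAC, because the checksum can be recomputed by anyone who knows the algorithm. The EMM layout, the CRC-32 stand-in for the checksum and the issuer key are constructed for this example and are not Videocrypt's.

```python
import hmac
import hashlib
import zlib

# Constructed EMM layout for this example (not the real Videocrypt format):
# 4-byte card number | 1-byte command | 2-byte parameter
CMD_ACTIVATE, CMD_KILL = 0x01, 0x02
ISSUER_KEY = b"issuer-emm-key-demo"   # secret shared by head-end and cards, constructed


def build_emm(card_no: int, cmd: int, param: int) -> bytes:
    return card_no.to_bytes(4, "big") + bytes([cmd]) + param.to_bytes(2, "big")


def checksum_tag(emm: bytes) -> bytes:
    """Unkeyed checksum (CRC-32 here): recomputable by anyone who knows the algorithm."""
    return zlib.crc32(emm).to_bytes(4, "big")


def mac_tag(emm: bytes) -> bytes:
    """Keyed tag (HMAC-SHA256, truncated to 8 bytes): needs the issuer key to produce."""
    return hmac.new(ISSUER_KEY, emm, hashlib.sha256).digest()[:8]


def card_accepts(emm: bytes, tag: bytes, keyed: bool) -> bool:
    """Card-side check; constant-time compare so the card leaks nothing via timing."""
    expected = mac_tag(emm) if keyed else checksum_tag(emm)
    return hmac.compare_digest(expected, tag)


def resists_reconstruction(killed_card: int, keyed: bool) -> bool:
    """Does the scheme reject an EMM rebuilt without the issuer key?

    Models a party who knows the EMM format and the unkeyed checksum algorithm
    but holds no secret: the best tag they can attach to a self-made
    'activate' EMM is the checksum.
    """
    rebuilt = build_emm(killed_card, CMD_ACTIVATE, 0xFFFF)
    return not card_accepts(rebuilt, checksum_tag(rebuilt), keyed)


def tamper_detected(emm: bytes) -> bool:
    """A one-bit change to a genuinely tagged EMM must be rejected under the MAC."""
    tag = mac_tag(emm)
    altered = bytes([emm[0] ^ 0x01]) + emm[1:]
    return not card_accepts(altered, tag, keyed=True)
```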

A main problem for a working hack on the Nagra system would be the decoders. It would be easy to replicate the pirate card, but the decoders are not easy to obtain. Because access to the decoders is controlled, this is a very good demonstration of the philosophy of total access control.

Real-time decoding based on correlation techniques and a frame grabber is not really dangerous for digital recording, since algorithms like DES are used there, and not simple line shifting and rotation algorithms. Even for these simple algorithms it takes 2 or 3 minutes on a fast PC to decode one frame.

The existing copy protection systems can easily be hacked. The SCMS method currently used to protect digital audio material is weak, since the protection relies only on the presence of a copy-prohibit bit at a fixed position. New copy protection methods have to be developed. Watermarking is not yet applied for copyright protection purposes, so this subject has to be investigated further.
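Added example (not from the report) of the SCMS decision a recorder takes from the IEC 958 consumer channel status bits, showing that the whole policy hangs on the copyright bit at a fixed position plus the L bit, with no integrity protection of either. The sample blocks are constructed, and the L-bit convention used is an assumption stated in the code.

```python
from dataclasses import dataclass

# IEC 958 consumer-mode channel status, first two bytes, bit 0 = LSB of byte 0.
# Byte 0, bit 0: 0 = consumer format; bit 2: copyright (0 = asserted, 1 = none).
# Byte 1, bits 0-6: category code; bit 7: L (generation status) bit.


@dataclass
class ChannelStatus:
    no_copyright: bool
    category: int
    original: bool


def parse_channel_status(block: bytes) -> ChannelStatus:
    """Extract the fields SCMS depends on from a channel status block."""
    b0, b1 = block[0], block[1]
    if b0 & 0x01:
        raise ValueError("professional-format block: SCMS fields do not apply")
    # Assumption for this example: L=1 marks an original, L=0 a copy.
    # The real standard makes the meaning of L depend on the category code.
    return ChannelStatus(
        no_copyright=bool(b0 & 0x04),
        category=b1 & 0x7F,
        original=bool(b1 & 0x80),
    )


def recorder_decision(block: bytes) -> str:
    """SCMS recorder policy: 'copy', 'copy-and-mark' or 'prohibit'."""
    cs = parse_channel_status(block)
    if cs.no_copyright:
        return "copy"               # nothing to protect
    if cs.original:
        return "copy-and-mark"      # one generation allowed; output is marked as a copy
    return "prohibit"               # a copy of copyrighted material: no further copies


def mark_output(block: bytes) -> bytes:
    """Channel status the recorder emits for its copy: clear the 'original' L bit."""
    out = bytearray(block)
    out[1] &= 0x7F
    return bytes(out)


# Constructed sample blocks (2 bytes shown; a real block is 24 bytes).
ORIGINAL_PROTECTED = bytes([0x00, 0x80])   # consumer, copyright asserted, original
COPY_PROTECTED = bytes([0x00, 0x00])       # consumer, copyright asserted, a copy
UNPROTECTED = bytes([0x04, 0x80])          # copyright not asserted
```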

In some countries it is forbidden to use very strong cryptographic algorithms in consumer electronics. Law-enforcement agencies wish to have access to the communications of suspected criminals, and secure cryptography threatens that access. Industry and individual citizens, however, want to secure their private data. In the U.S. the Capstone project aims to develop a technology that attempts to balance these needs.

Watermarking techniques can be used for the copyright protection of multimedia data. Perhaps this technique can be extended into a copy protection system.


5. List of abbreviations

ACCOPI: Access Control and Copyright Protection for Images
ACU: Access Control Unit
ACTS: Advanced Communications Technologies and Services
AGC: Automatic Gain Control
ATM: Asynchronous Transfer Mode
CA: Control Access Module
CW: Control Word
DBS: Direct Broadcast Satellite
DES: Data Encryption Standard
DSS: Digital Satellite System
DVB: Digital Video Broadcasting
ECM: Entitlement Control Messages
ECM (hackers): Electronic Counter Measure
EMM: Entitlement Management Messages
GI: General Instrument
IRD: Integrated Receiver Decoder
OFDM: Orthogonal Frequency Division and Multiplexing
PRBS: Pseudo Random Sequence Generator
RF: Radio Frequency
SCMS: Serial Copy Management Systems
VC-I / VC-II: VideoCipher I / II

