munkey
I luuurve Bananas
- Joined
- Jan 1, 2000
- Messages
- 52
- Reaction score
- 0
- Points
- 0
- My Location
- Whipsnade
Benny got me thinking in his post 16-01-2003, but my reply got so big that I'm going to start a new thread. I was thinking about the feasibility of a lone hacker cracking Seca 2. Maybe it isn’t impossible?
I don't think cards for Seca 2 will have back doors which means a hobbyist can dump the ROM and then reverse engineer from there. Even if there are back doors, they will probably only become clear once the whole system is compromised. So we can probably forget that approach. Consequently, anyone sitting logging bytes streaming between card and cam will probably be sitting there until the day they die.
The problem space is far too big to brute force with current hardware, so we can forget that approach for a good few years.
Attacking the physical security of the card would probably cost a shed load of money, so our hobbyist can forget that (unless, of course, he’s loaded).
I think a possible attack would be to compromise the computers at Mediaguard, or socially engineer an employee there - maybe a lone hobbyist could do that? But I don’t think that the weakest link is Mediaguard’s internal network (after all, they are a security company, and probably aren't stupid enough to leave sensitive information on a network connected to the internet).
Maybe one way to hack Seca 2 is via a third party company. Maybe you could attack the company which manufactures the smartcards to Mediaguard's spec (a lone hacker could theoretically obtain a schematic from them). Maybe this would lead to compromise of the card? This attack is obviously flawed, because a schematic of the card would most likely take an age to analyse, and might not reveal anything anyway.
Someone somewhere must program the cards for providers before shipping them to the paying customers. Perhaps you could then obtain a binary dump of the software *before* it hits the card and is wrapped in all the card's security. A hacker could get a job in the factory that programs the cards. They could then stick an adapted Season logger in the big card programming machine before it is about to program the card, then - bingo - you've just swagged all the card's secrets (including the encryption algorithm) without spending 5 million quid analysing the card with an electron microscope. Once you've got the code in bytes, you would then need to work on decompiling it into the appropriate ASM. We already have the CAMs sussed inside out, so cracking Seca 2 is then a downhill struggle. If each provider is responsible for programming their own cards, then Seca 2 is actually wide open to attack this way.
It is conceivable that Mediaguard thought about this, and introduced a further encryption layer which scrambles data between the programming machine and card – but I doubt it.
Any thoughts? Do you think it could work?