Fishing for weakness in Seca 2

munkey

I luuurve Bananas
Joined
Jan 1, 2000
Messages
52
Reaction score
0
Points
0
My Location
Whipsnade
Benny got me thinking in his post 16-01-2003, but my reply got so big that I'm going to start a new thread. I was thinking about the feasibility of a lone hacker cracking Seca 2. Maybe it isn’t impossible?

I don't think cards for Seca 2 will have back doors which mean a hobbyist can dump the ROM then reverse engineer from there. Even if there are back doors, then they will probably only become clear once the whole system is compromised. So we can probably forget that approach. Consequently, anyone sitting logging bytes streaming between card and cam will probably be sitting there until the day they die.

The problem space is far too big to brute force with current hardware, so we can forget that approach for a good few years.

Attacking the physical security of the card would probably cost a shed load of money, so our hobbyist can forget that (unless, of course, he’s loaded).

I think a possible attack would be to compromise the computers at Mediaguard, or socially engineer an employee there - maybe a lone hobbyist could do that? But I don’t think that the weakest link is Mediagaurd’s internal network (after all, they are a security company, and probably aren't stupid enough to leave sensitive information on a network connected to the internet).

Maybe one way to hack Seca 2 is via a third party company. Maybe you could attack the company which manufacture the smartcards to mediagaurds spec (a lone hacker could theoretically obtain a schematic from them). Maybe this would lead to compromise of the card? This attack is obviously flawed, because a schemtic of the card would most likely take an age to anaylise, and might not reveal anything anyway.

Somone someware must program the cards for providers before shipping them to the paying customers. Perhaps you could then obtain a binary dump of the software *before* it hits the card and is wrapped in all the cards security. A hacker could get a job in the factory that programs the cards. They could then stick an adapted Season logger in the big card programming machine before it is about to program the card then - bingo - you just swagged all the cards secrets (including the encryption Algorithm) without spending 5 million quid anaylising the card with an electron microscope. Once you got the code in bytes, you wold then need to work on de-compiling into the appropriate ASM. We already have the the CAMS sussed inside out, so craking Seca 2 is then a down-hill struggle. If each provider is responsible for programming their own cards, then Seca 2 is actually wide open to attack this way.

It is concievable that Mediagaurd thought about this, and introduced further encrytion layer which scrambles data between the programming machine and card – but I doubt it.

Any thoughts? Do you think it could work?
 

tommyturnip

Member
Joined
Feb 11, 2003
Messages
19
Reaction score
0
Points
0
Website
Visit site
My Location
Swedeville
Tom Cruise is currently reading this script, there will also be lots of crawling through air conditioning ducts and flying helecopters through tunnels.

Coming to a cinema near you soon :D
 

munkey

I luuurve Bananas
Joined
Jan 1, 2000
Messages
52
Reaction score
0
Points
0
My Location
Whipsnade
Not that kind of attack. :)

But for the potential payoff a hacker could recieve, even Tom Cruise might get his chopper out.
 

Genie

Make a wish
Joined
Jan 1, 2000
Messages
81
Reaction score
0
Points
0
My Satellite Setup
DM800 with 320GB HDD running Nabilosat 0.12
1 metre motorised dish. Intel core i7 920 PC
My Location
London
Originally posted by tommyturnip
Tom Cruise is currently reading this script, there will also be lots of crawling through air conditioning ducts and flying helecopters through tunnels.

Coming to a cinema near you soon :D


:D :D :D :D :D :D
 

tommyturnip

Member
Joined
Feb 11, 2003
Messages
19
Reaction score
0
Points
0
Website
Visit site
My Location
Swedeville
I wish it was that easy (easy yeah) but I don't think that employees will give the company up. I guess that we should all carry on searchinh that keyspace.
 

munkey

I luuurve Bananas
Joined
Jan 1, 2000
Messages
52
Reaction score
0
Points
0
My Location
Whipsnade
That's the point dude. You can't search the problem space becuase its too big (2^128).
 

Channel Hopper

Suffering fools, so you don't have to.
Staff member
Joined
Jan 1, 2000
Messages
35,533
Reaction score
8,554
Points
113
Age
59
Website
www.sat-elite.uk
My Satellite Setup
A little less analogue, and a lot more crap.
My Location
UK
I could dust off the old time machine, travel a few months into 2004, grab one of the newly released Funcard 27s with the up to date auto update firmware, grab a few DVDs of Tom Cruises latest MI3 film where he plays a bloke travelling into the future to save the world from paying silly subscription rates for last years films (simply to pay the electricity bill for the jump you understand), and hop back to the present to divulge all the info in the next thread.

Saves hacking it entirely, and I dont think theres a law against it
 

jimbo

Retired Mod
Joined
Jan 1, 2000
Messages
3,482
Reaction score
1
Points
0
Age
74
My Satellite Setup
Sky HD, TM6800HD, Manhattan Plaza ST550 and TM1500 CI+. 1.0m dish and 36v motor, Panasonic DVD HDD recorder and Panasonic video/DVD recorder. Sony G800 HD TV stand/surround system + Sony KDL40W2000. Infinity USB, Elvis, CAS1, CAS2.
My Location
Greater London
Or you could watch teletext which is eminently more interesting than a Tom Cruise film :D
 

Genie

Make a wish
Joined
Jan 1, 2000
Messages
81
Reaction score
0
Points
0
My Satellite Setup
DM800 with 320GB HDD running Nabilosat 0.12
1 metre motorised dish. Intel core i7 920 PC
My Location
London
come on lads now your're being silly.

What we really need to do is send in a remote controlled beatle with a microscopic camera attached to its head and record their every move.

When they're on lunch we can get up close and get the beatle to look at their logged on terminal and download all the keys and algo into our flash memory.:D
 

Channel Hopper

Suffering fools, so you don't have to.
Staff member
Joined
Jan 1, 2000
Messages
35,533
Reaction score
8,554
Points
113
Age
59
Website
www.sat-elite.uk
My Satellite Setup
A little less analogue, and a lot more crap.
My Location
UK
Must admit I did like A Few Good Men, very good script and well worth sitting in for.

Tom and his Chopper are usually not reasons to go see a film, but if he pays me royalties for the script, leisure time, manicurist, and any discarded waif, Im not likely to argue

Anyway Im bigger than him.
 

munkey

I luuurve Bananas
Joined
Jan 1, 2000
Messages
52
Reaction score
0
Points
0
My Location
Whipsnade
OK Genie, you're saying it's a bit far fetched - but will you aprecciate that if Seca 2 is cracked it will most likely be due to some internal breach.
 

Genie

Make a wish
Joined
Jan 1, 2000
Messages
81
Reaction score
0
Points
0
My Satellite Setup
DM800 with 320GB HDD running Nabilosat 0.12
1 metre motorised dish. Intel core i7 920 PC
My Location
London
Usually these things are from internal breaches munkey. So yes you're right thats the first place to start.

seriously though, if a bunch of clever people wanted to break into s*ca 2, it would not take long. But really clever people make money out of their bright brains legitimatly through working to MAKE these encryptions, not break them. But I suppose offering lots of money to one will tempt them.

Imagine a transmission is encrypted in a format unknown and is being used by another country in a war situation. You would imaging the british government to be able to crack it, i.e. enigma.
A team of bright people would be working on it.

Now, we also have very clever people doing open source stuff for linux etc, and a lot of these ar very knowledgeable too, so if the interest is there it could be done.
 

benny

Regular Member
Joined
Jan 1, 2000
Messages
63
Reaction score
0
Points
0
If you remember the videocrypt cards that flooded the market in the early 90's,these were a deliberate ploy by the provider.(alegedly) I believe that it did work,£60-£100 is a lot to lose for 2 weeks viewing.It also gave people a taste of the films,football,boxing etc. Sometimes if a crack is released we may not know where it came from.And dont forget pete townsend.....its possible to track people down.....and round us all up.
 

Old Satellite

Retired Mod
Joined
Jan 1, 2000
Messages
458
Reaction score
0
Points
0
Dont believe that Tom or any of his friends are required- may be we could write a script and sell it just the same.- But then who would show the film!

Personally I believe we just require some very clever individuals in Europe's closest quarters.

Its strange that recently just as several areas of the Mediagaurd 2 system, were being puplished on a known site outside of Europe that the site disappears completely - at least for the moment anyways.

Just maybe its closer than most would have believed

regards

Old Satellite
 
Top