Forgot your password?
typodupeerror
Hardware Hacking Media Television The Almighty Buck

Satellite TV Hacker Tells His Story 160

Posted by Soulskill
from the spike-sent dept.
Wired is running a story about Christopher Tarnovsky, the man who was accused of working for NDS, a company owned by Rupert Murdoch's News Corp., to sabotage a competitor's satellite TV system. Wired had a chance to speak with Tarnovsky and get his description of how the smart-card hacking war developed. Quoting: "Tarnovsky, who was known online as 'Big Gun,' says Ereiser offered him $20,000 to fix cards that were killed by ECMs, and he agreed. Each time NDS created a countermeasure, Tarnovsky would analyze the code and find a way to circumvent the countermeasure. He did it while working full-time as a software engineer for a semiconductor company in Massachusetts. 'I'd be at work and I'd check the IRC (channel) to see if they'd launched their Thursday countermeasure yet,' he says. 'It was like a chess game for me. I couldn't wait for them to do a countermeasure because I would counter it in minutes.' It wasn't long before NDS came courting. Tarnovsky had a contact at the company to whom he'd begun passing information about holes in its software, even supplying patches to fix them."
This discussion has been archived. No new comments can be posted.

Satellite TV Hacker Tells His Story

Comments Filter:
  • Motivation (Score:5, Insightful)

    by sqrt(2) (786011) on Friday May 30, 2008 @09:53PM (#23606737) Journal

    It was like a chess game for me. I couldn't wait for them to do a countermeasure...
    Anyone developing software designed to keep content locked down needs to realize that this is the kind of person they're up against. It's hard to beat that kind of motivation. Forcing an arms race is almost always going to be counter-productive to protecting your business, this company figured that out.
    • Re:Motivation (Score:4, Interesting)

      by Ethanol-fueled (1125189) * on Friday May 30, 2008 @10:23PM (#23606885) Homepage Journal
      This arms race deserves some indirect praise. It's like an creationist debating with an atheist on philosophical grounds, rather than the creationist just saying some crap like, "But the bible said X, therefore you are wrong and I am shutting you out." Everybody wins in a healthy pissing contest. It's a bad analogy, I took a cue from this [slashdot.org] guy.
      • Re:Motivation (Score:5, Insightful)

        by zappepcs (820751) on Friday May 30, 2008 @11:36PM (#23607201) Journal
        I think that you are right. One of the groups who benefits the most are the companies that want to apply DRM to their content. Some will learn up front how much the arms race will cost them. Others will learn what is probably the point at which they should stop trying, and yet other still will learn that it is a futile business tact, and that modifying their business plan is both cheaper and garners more and loyal customers.

        Additionally, with the arms race comes better code, not simply for the DRM, but for the operating systems and applications that work with the content. It is indeed evolution of both content, DRM, and code in general. The arms race in this case (not that of nuclear arms) is the catalyst of evolution, and betterment for all users in the long term. I would never call such hackers bad, simply the opposite side of the DRM coin that MUST exist, as without it, the other side cannot exist either.

        Try keeping all the coins in your pocket/drawer/whatever so that you only ever see the heads side sometime. It's far easier to just allow any side to show in it's turn. It kind of makes things like pockets, coin purses, piggy banks work well.
        • Not to mention that it's also much cheaper than sic'ing the lawyers on each other ;)
          • Not to mention that it's also much cheaper than sic'ing the lawyers other
            Not just cheaper, but geeks get hired instead of the lawyers. A win for all non-lawyers, geek or not.
        • by nametaken (610866)
          "and that modifying their business plan is both cheaper and garners more and loyal customers."

          When it comes to DRM on content and locking down devices, I don't think that's the case. I wish you were right, but... iTunes? Or DVD's, iPhones, etc?

          I dream of a world where people care about DRM, vendor lock-in, closed platforms, etc., but they just don't seem to.

          It seems like DRM, in most co's eyes, is good enough if it stops a reasonable percentage of their consumers. Same with platform locks. A few will alw
    • by puck01 (207782)
      Content protection sucks for us consumers and I agree that its an uphill battle for companies to do this. However, I'm not sure all is lost for the content protectors out there. Last time I check the P4 and greater smart cards used by directv have not been cracked despite a huge demand for it. If I'm wrong please correct me.

      • by evilviper (135110)

        However, I'm not sure all is lost for the content protectors out there.

        It certainly is... DRM is an inherently untenable system.

        Last time I check the P4 and greater smart cards used by directv have not been cracked despite a huge demand for it. If I'm wrong please correct me.

        You're wrong about the "huge demand". Since DishNet is wide open (and they were even nice enough to use standard DVB-S protocol which any $50 tuner can receive) there isn't much reason for anyone to bother with DirecTV.

        • Re: (Score:3, Insightful)

          by dgatwood (11270)

          Well, DRM on ephemeral data isn't untenable. You don't really have to make it unbreakable. You just have to make it take long enough that you can't break it on the fly. Most people aren't willing to watch TV on a five minute delay while their computer queues up the encrypted data and attempts to determine the keys....

          Unless, of course, your goal for DRM on the ephemeral data is preventing people from recording it... in which case, yeah, it is just as untenable for ephemeral content as it is for any oth

          • by Dogtanian (588974)

            Most people aren't willing to watch TV on a five minute delay while their computer queues up the encrypted data and attempts to determine the keys....

            Depends what you're after; it might be annoying if you're channel-hopping or watching a live sports event. However, if you're just wanting to get vast amounts of entertainment which is already pre-recorded (and possibly years old) anyway, it might not be that big a deal- just leave it running in the background. That's not necessarily any worse than having to download it, which many people do quite happily.

        • Re: (Score:3, Interesting)

          by Tacvek (948259)

          However, I'm not sure all is lost for the content protectors out there.

          It certainly is... DRM is an inherently untenable system.

          Last time I check the P4 and greater smart cards used by directv have not been cracked despite a huge demand for it. If I'm wrong please correct me.

          You're wrong about the "huge demand". Since DishNet is wide open (and they were even nice enough to use standard DVB-S protocol which any $50 tuner can receive) there isn't much reason for anyone to bother with DirecTV.

          Citation Please. I am a legit E* subscriber, and to the best of my knowledge, only the anti-pirate channels and the FCC-mandated channels (like the NASA channel) are broadcast clear. Well actually, I believe the information channels are also broadcast in the clear. This is so that those information channels can be seen by unactivated E* receivers. My understanding is though that the remaining channels are indeed encrypted.

          • by evilviper (135110)

            to the best of my knowledge, only the anti-pirate channels and the FCC-mandated channels (like the NASA channel) are broadcast clear.

            "Wide open" doesn't mean broadcast unencrypted. "Wide open" means the NagravisionII cipher used by DishNet (and some others) has long been completely cracked, and can be trivially decoded.

    • Re:Motivation (Score:5, Insightful)

      by donweel (304991) on Saturday May 31, 2008 @12:24AM (#23607405)
      Using a hacker of this caliber is a double edged sword. If you don't keep him busy and entertained he's going to start looking for something else to do.
    • Re:Motivation (Score:5, Insightful)

      by Stellian (673475) on Saturday May 31, 2008 @03:18AM (#23607971)

      Anyone developing software designed to keep content locked down needs to realize that this is the kind of person they're up against.
      I don't understand why people insist DRM is an unattainable notion. It must be all those faulty software DRM schemes that were all eventually broken. Well guess what, hardware DRM is alive and kicking - and working, when implemented correctly. Hardware hacks are orders of magnitude harder to perform than software ones.

      Economically, there are two trade-offs in DRM:
      1. the cost of the hardware manufacturer to implement the DRM scheme, compared to the cost of the content he's trying to distribute
      2. the cost for the DRM wannabe hacker (cracks, mod chips etc.), compared to just buying a legit copy.

      There's no logic fault in saying that, for a certain type of content, with a certain cost, these two tradeoffs allow a DRM system to survive. That is, to cost small enough to implement as to not increase the cost of the content significantly, and high enough to circumvent, that the users rather pay than circumvent. This is not the same as "unbreakable", especially for the types of passionate hackers like Mr. Tarnovsky, but that's irrelevant.

      Note that the 2. cost can benefit tremendously from an economy of scale, if it's enough for a single user to circumvent and distribute to all others. For example when the content is in a platform independent format (distribute decrypted music), or when the DRM system is implemented in software (distribute software crack).

      This is not the case with, say, live High definition TV. Maybe someone can hack his topbox and have unlimited access to live Sports coverage, but he can't feed that content to me fast enough to be useful. So I need to hack my own topbox, and that could cost much more than the subscription to the sports channel.

      Also, this is not the case with a console game, where I need, again, to perform my own hardware hacks. A mod chip costs significantly today, and when the GPU, CPU, RAM and DRM chip will be integrated on a single dye, a mod chip will be impossible, and one would need to hack his own silicon.
      • Re: (Score:3, Insightful)

        by jamesh (87723)

        Also, this is not the case with a console game, where I need, again, to perform my own hardware hacks. A mod chip costs significantly today, and when the GPU, CPU, RAM and DRM chip will be integrated on a single dye, a mod chip will be impossible, and one would need to hack his own silicon.

        I sometimes wonder if turning a bit of a blind eye to the console mod chip market is in the interests of the console makers. If they are selling their consoles at an outright loss (which they allegedly do initially) then

      • by Dare nMc (468959)

        why people insist DRM is an unattainable notion. It must be all those faulty software DRM schemes

        exactly, because every DRM out their has either been broken, or is not in mass use anymore.
        hardware DRM works, if 1)your distributing hardware (Not a software CD), or 2) using it for hosting software DRM with real-time updates (IE for games played online at servers you control.)

        most popular HD PPV are re-broadcast over internet feeds in near real time, sounds like your not using the the right ap

        • by Stellian (673475)

          most popular HD PPV are re-broadcast over internet feeds in near real time, sounds like your not using the the right application.

          By all means, what application are they using ?
          Just so we are on the same page [wikipedia.org], HDTV bitrates come at 20MBps upwards. This means for a smooth, uninterrupted play you need at least a 25 to 30 Mbps pipe, when you take overheads and buffers into account.
          Assuming I could get that type of connection (I can't), wouldn't be still cheaper to pay for the content ? If I were to watch pirated HDTV 10 hours a day, wouldn't my ISP take offense at my 3TB monthly transfer ? BTW, who is paying for the server bandwidth to

  • Impressive (Score:2, Informative)

    by phasm42 (588479)
    That video was pretty damn cool. I didn't know chips could be disassembled that way.
  • by Doppler00 (534739) on Friday May 30, 2008 @10:17PM (#23606837) Homepage Journal
    Wow, can we get this guy to decode some of the Bluray keys used? Break HDCP? His method is pretty straight forward, easy to follow, and looks fool proof. Expose layers in the chip and read the data directly. I don't see how manufactures can stop this. As long as the key is physically somewhere in the hardware, it should be possible to access it. I guess the reason this isn't done more often is because of the expense of the high powered microscope, toxic chemicals, and fume hood.
    • How about cracking CableCARD? I don't really need free digital cable - I can afford to just pay for it - but I wouldn't mind being able to record digital cable on my MythTV box without needing a set-top box and an IR link.
    • I don't believe there is anything left in HDCP to be broken. As far as I know you can buy boxes that'll remove it (or rather, the speak the necessary HDCP exchange out of one end but don't require it on the other). As for Blu-Ray, not sure it is worth it. It sounds like AnyDVD does a fine job getting by the protections. I don't know how it works, but if you can get what you need in software, why bother with hardware? As a practical matter, if you were to do this the idea would be to wait until there have be
      • by Rich0 (548339)
        I think I've heard that after a certain number of keys are cracked there is an opening for an attack on the master key. However, as you indicate if you pick some very popular players (preferably one without good support for firmware updates) you're going to make the studios look very bad if they revoke them.
    • Re: (Score:3, Interesting)

      by ChrisMaple (607946)
      Examining the chip with a microscope is close to becoming impossible. Today's finest geometry cannot be resolved with an optical microscope. Using EPROM or similar programmable techniques, the function of the chip is determined by stored charges. Whether a transistor is N-type or P-type is determined by doping concentrations, which is also more difficult to determine as the device becomes smaller.

      A chip designed with the intent to make it difficult to reverse-engineer can be made economically infeasible to

      • by NateTech (50881)
        And pass the costs of DRM in such a "super-chip" along to the consumer! Yay!

        (Because we're all excited to pay to protect our provider's content!)

        A "DRM/encryption/reverse-engineering cold-war" amongst the DTV businesses only hurts the people paying for the product in the long-term. Great.
  • by Joe The Dragon (967727) on Friday May 30, 2008 @10:26PM (#23606905)
    Now we need the max headroom video Pirate to tell his story.
  • Shocking! (Score:4, Funny)

    by neokushan (932374) on Friday May 30, 2008 @11:33PM (#23607183)
    I was shocked when I read TFA and found that it didn't easily summarise as "I spent ages hacking the system, then got bored because there was nothing worth watching".
    • Re: (Score:2, Interesting)

      by thalassinos (1006625)
      You probably meant it as a joke, but the most important thing that motivates a true geek itâ(TM)s the challenge (and the bragging rights). /n Most of us do not do it for the money, we do it because (a) we have an innate curiosity, (b) we want to be in control of our machines and (c) because itâ(TM)s there. For example, more than a decade ago I was obsessed with cracking a local broadcasterâ(TM)s encrypted TV signal. They used a (now seriously obsolete) analog irdeto scheme. It took me
  • by Anonymous Coward on Friday May 30, 2008 @11:54PM (#23607265)
    I spent years hacking satellite television, from the early days, the glory days of the H and HU cards and then left the scene when DTV killed with the P4 card and lawsuits. I've written my own 3Ms and emulators. What Chris has done in this video really is the ultimate holy grail of smart card hacking. The security layer he is referring to, at least on NDS cards, is sort of a sticky layer that when you attempt to pull off the coating to access the bus, it simply rips up many of the thin wires on the chip and you're SOL. This is enough to discourage casual hackers and those without good resources. It also, as he mentions late in the video, eliminates the need for using "glitching", which was accomplished using a specially programmed Atmel chip and some software, to attempt to oscillate the voltage in such a manner that allows you to read/write to the card without having a properly signed packet. Dumping ROMs is exceptionally difficult to do, even with the thoroughly hacked HU cards, and he can just casually do it with his setup. Makes me think he could also dump the ASIC, something even in the heyday of DTV hacking, was never accomplished. This would eliminate the need for an access card at all- once you've dumped the ROMs, got a valid EEPROM, all you need to do is emulate the ASIC and opcodes for the processor (which on the HU card was a Texas Instruments TMS370 chip with a modified instruction set).
    • Re: (Score:2, Funny)

      by liquidf (1146307)
      don't forget about the flux capacitor, you insensitive clod!
    • by Dun Malg (230075) on Saturday May 31, 2008 @12:24AM (#23607401) Homepage

      Makes me think he could also dump the ASIC, something even in the heyday of DTV hacking, was never accomplished.
      You can't dump an ASIC--- that's the very reason they exist in this application. It's not code, it's an Application Specific Integrated Circuit. It's essentially an unknown array of logic gates. The best you can do it try to reverse engineer it, and short of an electron microscope, you probably couldn't.
      • by TubeSteak (669689) on Saturday May 31, 2008 @01:15AM (#23607581) Journal

        The best you can do it try to reverse engineer it, and short of an electron microscope, you probably couldn't.
        This guy is hacking smart cards with a hood, some off the shelf chemicals, a very precise scratching tool and a pile of computer & electronics gear.

        Now realize that one of these days, resources like electron microscopes will be within the grasp of entities that are not a Government, University, or Corporation. It only takes one rich misanthrope...
        • Re: (Score:3, Informative)

          by Forbman (794277)
          I forget the company, but at the OMSI (Oregon Museum of Science & Industry), they had a table top electron microscope there 3 or 4 months ago. It's a Netherlands company that makes it. I wish I remembered more about it, but the pricing on it was probably in the $10-50K region for the one they had there.

          Kind of "google earth" in reverse was its software interface for looking at stuff. Slicker than snot.
        • One of these days' has been here for a while. Buy one 2nd hand, 6 grand: http://www.labx.com/v2/adsearch/detail3.cfm?adnumb=356848 [labx.com] That one's possibly broken but you can get a fully functional one for ~20 grand, second hand, these days.
  • by Serapth (643581) on Saturday May 31, 2008 @12:20AM (#23607379)
    I mean...

    Since NDS fired him he's been consulting for two semiconductor companies and a manufacturer of dongle tokens, but he misses his life in electronic warfare. If NDS doesn't want him, he says he'd be happy to work for Nagrastar -- jumping sides once again. "I could design a whole entire chip for them like I did for NDS," he says. "NDS thinks today that their technology is superior to everybody else's and it probably is, because they're 17 years ahead of Nagra technologically. But Nagra could catch up overnight if they used my services. "I'm a very valuable asset as far as smart-card technology goes," he adds. "I know everything about (NDS) as far as their intellectual property models go."

    Then again, its Wired magazine. They exist purely to create arrogant douchebags, dont they?
    • Re: (Score:2, Insightful)

      by jeiler (1106393)
      Is it actually arrogance if he's that good?
      • by sporkme (983186) *
        It is actually arrogance, and he is that good, and he wants a new benefactor. He does not intend for the benefactor to be either of these companies. Again... he is arrogant, but to me it looks like he has earned it.
    • by sporkme (983186) *
      He's already cleared a major legal inquisition, and he considers himself untouchable in the short term, and he is. This is not an application to Nagra, who hould never hire him. This is an application to everyone else. If I had interest in his special skills, I would contract him as a "consultant."

      I would also contract an expert in the field of security threat mitigation, and have Bruce Willis detained. /US Govt
  • Wait a minute here. Wasn't DirecTV trying to get people to settle for upwards of $3K for stealing signals, and suing them for absurd amounts over 6 figures.

    Is the end result of all that litigation a $1500 fine? Or is this somehow different?
  • by ciscoguy01 (635963) on Saturday May 31, 2008 @02:55AM (#23607909)
    The techniques Tarnovski used to burn the top off with acid is failure analysis stuff.
    I knew a guy who worked at a chip manufacturer and that's what he did. Failure analysis.
    Burn the top of the chip off with what he called "formic acid" (I think, this was over 20 years ago) which "didn't hurt the chip".
    They would then look at it under a microscope and try to determine what had failed.
    The second microscope Tarnovsky was using looked to be a wire bonder.
    It welds wires on by hand, with a pantograph type positioner.
    So you can connect the chip to the leads, for example in the package, common for eproms. You can see the little leads in the window of older eproms.
    But hackers can also use those to reconnect the last link of a programmable chip like a PAL that has had the security fuses blown after programming. Then you can just read the program out of the chip. OOPS, there goes that programmable security.
    I had a chance to get one of those once, but it was a big one. Too big for me.
    The little tabletop one in the video would be neat. I would grab one of those if it ever presented itself.
    Tarnovski used that wire bonder to grab the signals off the chip internally, where they are actually running.
    Those smartcards are likely a serial device, but if you can get back to where the data bus is parallel maybe that is before the inherent security.
    The guy is obviously good. Wonder if he has a college degree?

Machines that have broken down will work perfectly when the repairman arrives.

Working...