Ohms
07-01-2006, 07:41 AM
I am posting this in hopes it will both add to other peoples’ understanding of the attack on the card, and also spark some of the smart guys (not the smart asses) out there to comment and correct any misstatements contained herein.
It should be known by all that I am not a coder, and that the following is only speculation on my part. My description is based on applying my knowledge of IP attack techniques to smart card attacks. I know nearly nothing about assembly language programming. Knowing that Crazy is pretty good at this stuff, I wanted to get some validation of my concept of the glitching process so I asked him to correct me where I was wrong. I guess I got lucky at best as he thought I had things pretty well right.
-----------------------------------------------------------------------
PART 1
Wordreference dot com defines ‘glitch’ as “a fault or defect in a system or machine”.
Synonymous with imperfection, defect, fault, bug.
Glitching is (in our hobby) used as a term for trying to break into a CAM (Conditional Access Module, or in layman’s terms, an access card). It is done by applied voltage pulses, stepping through varying levels and durations and delays. These pulses are applied during normal code execution by the CAM. This normal code execution would be during a reset, or a CMD. The intention of this attack is to interrupt the normal execution of code with what we refer to as an ABEND or Abnormal End of operation. This is a condition where the running process hangs or crashes and processing stops mid-stream.
At this point in the glitching process, the kernel is exposed to foreign code injection by the attacker. If one can send a new instruction to the processor, it will obey and do as it is being asked. This is similar in concept to an IP based buffer overflow attack.
Successful execution of this attack technique will result in the attacker having taken control of the system and executing whatever code he can make it process. The CAM, or at least the part of the CAM that was compromised, is now “OWNED”.
----------------------------------------------------------------------
PART 2
How could good security practice make complete CAM compromise almost impossible?
Again, in the interest of full disclosure, I need to point out that the following is speculation based on security practices from a completely different industry. I welcome ANYONE that would like to add informed analysis or correction of my statements. I don’t claim to be the world’s renowned authority on this subject.
I do not know anything specific about how DTV has deployed security on the P4 cards. What I do know for a fact is that they have done a great job of securing these CAMS. This is evidenced by the inability of many of the smartest crackers in our hobby to penetrate the CAM’s defensive systems.
Security 101
The way to make the invasion stop dead in its tracks is to deploy layered security. Deploying a secure system also means separating processes and transactions into layers. By creating separation between the transactions, each transaction or group of transactions can be secured by a separate security sub-system. No single sub-system compromise can expose more to the attacker than the transactions contained within it. There needs to be a reasonable layer of security to each layer of the transaction process not only within the CAM, but for both CAM to IRD, and for IRD to CAM communication. Setting things up this way means that an attacker will need to research his way into the system every step of the way.
Each layer provides an additional degree of ambiguity. Attackers dealing with a high level of ambiguity will find their effectiveness declines rapidly and every small success takes much longer to achieve. Combine this sort of well documented security philosophy with a reasonably designed intrusion detection system and the chances that an attacker will go undetected become extremely miniscule. At this point, most will either stop their attempts or begin to make so little progress that efforts will be redirected to some other target where their work may bear some fruit.
Let me provide an example of the above concept using the internet.
Let’s say you hang an FTP server out there on your high speed cable modem, protected with nothing except a login name and password.
If I were trying to gain access to the….oh, I don’t know…..let’s say the video files that you had stored on this server, I could do it quite easily. The server would probably have many processes running, and each one would have password protection, right? FTP, Windows Networking, Telnet, Terminal Server, PC Anywhere (God forbid), etc, etc, etc. Now I could guess that probably one of these services would have a username of ‘Administrator’. Even if you used pretty strong passwords, I could write a very simple script that would try every possible combination of alpha numeric characters until eventually I WOULD find the correct one. This could take an extended period of time. But it would work and I would gain access. FREE TV FOR ME.
Now take that very same server and put it behind a firewall that filters all but FTP traffic. The result would be that all of those other services would be in effect turned off to me. Terminal Server, for example, where an attacker could reasonably guess that ‘Administrator’ would be a usable username, would no longer be an available target. So now the attacker doesn’t know what the username might be. They will have to guess that too. This compounds the resistance to attack exponentially. Add into that an intrusion detection system that only allows 3 wrong password attempts in 1 hour.
MUCH more secure, right? Yes that is true, however a skilled attacker still might find a way in. Let’s consider how.
If an attacker could now only make connections on TCP port 21 because the firewall denies all other connection attempts and intrusion detection eliminates the ability to guess passwords unchecked, another method must be used. There are other methods.
If an attacker could gain knowledge of what FTP server software was running on the server through enumeration, then he might uncover a known flaw. Most all software has flaws. Many of them are yet to be discovered, but many, many flaws are already known. Let’s say that I send a certain type of packet to the server and it is handled in a way that is unique to XYZ brand of FTP software. I see the unique response and I know instantly that the server is running XYZ FTP software. A simple Google search will reveal any number of vulnerabilities which could be exploited and it’s FREE TV FOR ME……Or is it?
Not so fast. Remember we added intrusion detection. Even the least expensive intrusion detection systems can catch most of the exploits that XYZ FTP software is vulnerable to. It could shun the attacker (think caller ID blocking) at the firewall and he would have to get a new IP address before he could even try again with a different exploit.
Lots more secure now, right? Yes it is considerably more secure than before. But is it secure? Could it still be compromised by a skilled attacker? Yes it could. A VERY skilled attacker could craft a new exploit that used TCP Port 21, and didn’t trigger any signatures on the IDS because this attack is a one off, and is previously unknown, AND, worked on XYZ FTP software. Excellent ownership for the skilled attacker indeed. He wins a hard fought battle. If this attacker were a freeware coder, it would be FREE TV FOR EVERYONE!!!!!
So what have we done so far? We have added only one security system and one extra layer to traverse. By doing this, we have prevented compromise by all but the most skilled attacker. Not many of them around and they would need to be motivated to put forth that much effort. Those must be some of those “PRON” videos we have been hearing about lately from all the free TVers…. LOL (Yes I know it’s porn not pron. This was a joke)
Now let’s add some layers to this analogy. After all, layers were what I said before were the key to a good security system. Could layers really make this even more secure? Oh yeah, baby! Much more secure.
Let’s say the highly desired adult training video files aren’t even on the FTP server. Let’s say there is another firewall and intrusion detection system between the video files and the FTP server. So we put a second network card into the FTP server, and connect it to the second firewall/IDS. The firewall IDS will not accept ANY data unless it is sourced from the FTP server. This gets the request for the video files into the firewall, but not to the video files server.
Let’s further say that the server with the video files only communicates using a secret homemade protocol that is not known by anyone except you. There is NO record of this secret protocol anywhere on the FTP server. The FTP server requests the files sending a normal FTP GET request to yet another server on the other side of another firewall. This server is running a custom operating system with no known vulnerabilities. The firewall filters requests to this second server and there is another intrusion detection system at this layer.
This second server translates the FTP GET request to the secret communications protocol and sends the request along through yet another firewall and intrusion detection system to the server where the video files are actually stored. By the way, all of this secondary firewall to server to firewall communication is encrypted with 256 bit AES encryption or 3DES IP SEC or something really, really hard to crack. Consider that the encrypted tunnel termination endpoints are the firewalls not the servers. This forces the attacker to not only compromise the servers, but the firewalls as well. That ought to do it. This should effectively obfuscate the secret communications protocol so no one can get a look at it. Hell, we don’t even know what language the damn thing is speaking so how are we going to attack it? This is getting much harder.
The firewall encrypts the request and sends to the next server. Each firewall along the way will inspect the request from the previous sub-system, and make sure it contains the correct credentials for the next server at the next layer. The server at the last layer also requires the correct credentials to access the files which are encrypted on the hard drive. No where else in this entire system are the keys to the encrypted files found. That means even this server must be compromised before the files can be stolen. And so on and so on. Layers make a big difference.
Good luck getting those prized adult training video files now. Sorry, but there will be NO FREE TV from the cache of adult training video files you have available on your cable modem any longer unless someone leaks out all the secret handshakes and passwords.
Or…..perhaps…… is there another way that is not obvious here……. I think there might be another way……
But like I said, I am no coder so from this point forward, you’re on your own…..
-----------------------------------------------------------------------
This above scenario is 100%real. It’s a cat and mouse game played every day by security professionals and those who would steal credit card info or other personal information from internet based servers. I realize that this is not the same as CAM security. There are many similarities though and you can look at one and see things familiar in the other.
My friend Seaboard said this when he read the above post text.
“The example would need to be more focused in respect to the CAM and the IRD and tied into the provider’s encryption server. In the case of testing cams and IRD's, the stream is a one way street, interaction does take place but one way, not two way.. The IRd can't send commands back to the provider.
Commands are tested and known to work before they are sent into the stream.
If the provider actually screws up a card, his technical support line lets him know what he has to do to fix the problem. He has choices... the cams have the ability to run unencrypted or in this case N1 encryption if his new code fails him, such as the cmd 07 may have done. It’s really hard to tie in an ftp server for an example.”
Seaboard is absolutely correct that it is really hard to correlate between the two different types of systems. I use FTP and IP because that is what I know. Security is security and I believe there is something to be applied in the FTP example.
Thanks for taking the time to read all of this. I hope it sparks some discussion here, or on another site somewhere.
It should be known by all that I am not a coder, and that the following is only speculation on my part. My description is based on applying my knowledge of IP attack techniques to smart card attacks. I know nearly nothing about assembly language programming. Knowing that Crazy is pretty good at this stuff, I wanted to get some validation of my concept of the glitching process so I asked him to correct me where I was wrong. I guess I got lucky at best as he thought I had things pretty well right.
-----------------------------------------------------------------------
PART 1
Wordreference dot com defines ‘glitch’ as “a fault or defect in a system or machine”.
Synonymous with imperfection, defect, fault, bug.
Glitching is (in our hobby) used as a term for trying to break into a CAM (Conditional Access Module, or in layman’s terms, an access card). It is done by applied voltage pulses, stepping through varying levels and durations and delays. These pulses are applied during normal code execution by the CAM. This normal code execution would be during a reset, or a CMD. The intention of this attack is to interrupt the normal execution of code with what we refer to as an ABEND or Abnormal End of operation. This is a condition where the running process hangs or crashes and processing stops mid-stream.
At this point in the glitching process, the kernel is exposed to foreign code injection by the attacker. If one can send a new instruction to the processor, it will obey and do as it is being asked. This is similar in concept to an IP based buffer overflow attack.
Successful execution of this attack technique will result in the attacker having taken control of the system and executing whatever code he can make it process. The CAM, or at least the part of the CAM that was compromised, is now “OWNED”.
----------------------------------------------------------------------
PART 2
How could good security practice make complete CAM compromise almost impossible?
Again, in the interest of full disclosure, I need to point out that the following is speculation based on security practices from a completely different industry. I welcome ANYONE that would like to add informed analysis or correction of my statements. I don’t claim to be the world’s renowned authority on this subject.
I do not know anything specific about how DTV has deployed security on the P4 cards. What I do know for a fact is that they have done a great job of securing these CAMS. This is evidenced by the inability of many of the smartest crackers in our hobby to penetrate the CAM’s defensive systems.
Security 101
The way to make the invasion stop dead in its tracks is to deploy layered security. Deploying a secure system also means separating processes and transactions into layers. By creating separation between the transactions, each transaction or group of transactions can be secured by a separate security sub-system. No single sub-system compromise can expose more to the attacker than the transactions contained within it. There needs to be a reasonable layer of security to each layer of the transaction process not only within the CAM, but for both CAM to IRD, and for IRD to CAM communication. Setting things up this way means that an attacker will need to research his way into the system every step of the way.
Each layer provides an additional degree of ambiguity. Attackers dealing with a high level of ambiguity will find their effectiveness declines rapidly and every small success takes much longer to achieve. Combine this sort of well documented security philosophy with a reasonably designed intrusion detection system and the chances that an attacker will go undetected become extremely miniscule. At this point, most will either stop their attempts or begin to make so little progress that efforts will be redirected to some other target where their work may bear some fruit.
Let me provide an example of the above concept using the internet.
Let’s say you hang an FTP server out there on your high speed cable modem, protected with nothing except a login name and password.
If I were trying to gain access to the….oh, I don’t know…..let’s say the video files that you had stored on this server, I could do it quite easily. The server would probably have many processes running, and each one would have password protection, right? FTP, Windows Networking, Telnet, Terminal Server, PC Anywhere (God forbid), etc, etc, etc. Now I could guess that probably one of these services would have a username of ‘Administrator’. Even if you used pretty strong passwords, I could write a very simple script that would try every possible combination of alpha numeric characters until eventually I WOULD find the correct one. This could take an extended period of time. But it would work and I would gain access. FREE TV FOR ME.
Now take that very same server and put it behind a firewall that filters all but FTP traffic. The result would be that all of those other services would be in effect turned off to me. Terminal Server, for example, where an attacker could reasonably guess that ‘Administrator’ would be a usable username, would no longer be an available target. So now the attacker doesn’t know what the username might be. They will have to guess that too. This compounds the resistance to attack exponentially. Add into that an intrusion detection system that only allows 3 wrong password attempts in 1 hour.
MUCH more secure, right? Yes that is true, however a skilled attacker still might find a way in. Let’s consider how.
If an attacker could now only make connections on TCP port 21 because the firewall denies all other connection attempts and intrusion detection eliminates the ability to guess passwords unchecked, another method must be used. There are other methods.
If an attacker could gain knowledge of what FTP server software was running on the server through enumeration, then he might uncover a known flaw. Most all software has flaws. Many of them are yet to be discovered, but many, many flaws are already known. Let’s say that I send a certain type of packet to the server and it is handled in a way that is unique to XYZ brand of FTP software. I see the unique response and I know instantly that the server is running XYZ FTP software. A simple Google search will reveal any number of vulnerabilities which could be exploited and it’s FREE TV FOR ME……Or is it?
Not so fast. Remember we added intrusion detection. Even the least expensive intrusion detection systems can catch most of the exploits that XYZ FTP software is vulnerable to. It could shun the attacker (think caller ID blocking) at the firewall and he would have to get a new IP address before he could even try again with a different exploit.
Lots more secure now, right? Yes it is considerably more secure than before. But is it secure? Could it still be compromised by a skilled attacker? Yes it could. A VERY skilled attacker could craft a new exploit that used TCP Port 21, and didn’t trigger any signatures on the IDS because this attack is a one off, and is previously unknown, AND, worked on XYZ FTP software. Excellent ownership for the skilled attacker indeed. He wins a hard fought battle. If this attacker were a freeware coder, it would be FREE TV FOR EVERYONE!!!!!
So what have we done so far? We have added only one security system and one extra layer to traverse. By doing this, we have prevented compromise by all but the most skilled attacker. Not many of them around and they would need to be motivated to put forth that much effort. Those must be some of those “PRON” videos we have been hearing about lately from all the free TVers…. LOL (Yes I know it’s porn not pron. This was a joke)
Now let’s add some layers to this analogy. After all, layers were what I said before were the key to a good security system. Could layers really make this even more secure? Oh yeah, baby! Much more secure.
Let’s say the highly desired adult training video files aren’t even on the FTP server. Let’s say there is another firewall and intrusion detection system between the video files and the FTP server. So we put a second network card into the FTP server, and connect it to the second firewall/IDS. The firewall IDS will not accept ANY data unless it is sourced from the FTP server. This gets the request for the video files into the firewall, but not to the video files server.
Let’s further say that the server with the video files only communicates using a secret homemade protocol that is not known by anyone except you. There is NO record of this secret protocol anywhere on the FTP server. The FTP server requests the files sending a normal FTP GET request to yet another server on the other side of another firewall. This server is running a custom operating system with no known vulnerabilities. The firewall filters requests to this second server and there is another intrusion detection system at this layer.
This second server translates the FTP GET request to the secret communications protocol and sends the request along through yet another firewall and intrusion detection system to the server where the video files are actually stored. By the way, all of this secondary firewall to server to firewall communication is encrypted with 256 bit AES encryption or 3DES IP SEC or something really, really hard to crack. Consider that the encrypted tunnel termination endpoints are the firewalls not the servers. This forces the attacker to not only compromise the servers, but the firewalls as well. That ought to do it. This should effectively obfuscate the secret communications protocol so no one can get a look at it. Hell, we don’t even know what language the damn thing is speaking so how are we going to attack it? This is getting much harder.
The firewall encrypts the request and sends to the next server. Each firewall along the way will inspect the request from the previous sub-system, and make sure it contains the correct credentials for the next server at the next layer. The server at the last layer also requires the correct credentials to access the files which are encrypted on the hard drive. No where else in this entire system are the keys to the encrypted files found. That means even this server must be compromised before the files can be stolen. And so on and so on. Layers make a big difference.
Good luck getting those prized adult training video files now. Sorry, but there will be NO FREE TV from the cache of adult training video files you have available on your cable modem any longer unless someone leaks out all the secret handshakes and passwords.
Or…..perhaps…… is there another way that is not obvious here……. I think there might be another way……
But like I said, I am no coder so from this point forward, you’re on your own…..
-----------------------------------------------------------------------
This above scenario is 100%real. It’s a cat and mouse game played every day by security professionals and those who would steal credit card info or other personal information from internet based servers. I realize that this is not the same as CAM security. There are many similarities though and you can look at one and see things familiar in the other.
My friend Seaboard said this when he read the above post text.
“The example would need to be more focused in respect to the CAM and the IRD and tied into the provider’s encryption server. In the case of testing cams and IRD's, the stream is a one way street, interaction does take place but one way, not two way.. The IRd can't send commands back to the provider.
Commands are tested and known to work before they are sent into the stream.
If the provider actually screws up a card, his technical support line lets him know what he has to do to fix the problem. He has choices... the cams have the ability to run unencrypted or in this case N1 encryption if his new code fails him, such as the cmd 07 may have done. It’s really hard to tie in an ftp server for an example.”
Seaboard is absolutely correct that it is really hard to correlate between the two different types of systems. I use FTP and IP because that is what I know. Security is security and I believe there is something to be applied in the FTP example.
Thanks for taking the time to read all of this. I hope it sparks some discussion here, or on another site somewhere.