This year, Softpedia had the privilege to pick the brains of many security experts at Hack in the Box 2012 Amsterdam. Among them is Adam Gowdiak, CEO and founder of Security Explorations, a company whose researchers are not afraid of taking a crack at unexplored areas.
Their latest achievement is the discovery of major security holes in digital satellite equipment, including set-top boxes and DVB chipsets, which is the main topic of the following interview. Adam was also kind enough to answer a question from our readers.
So, without further ado, here's the interview.
Softpedia: First, please introduce yourself and your company.
Adam Gowdiak: My name is Adam Gowdiak, I am CEO and founder of Security Explorations, a security and vulnerability research start-up company from Poland. We conduct commercial and pro bono security research and from time to time we also run security research projects which are perceived as a little bit controversial.
Softpedia: It's great that you try to approach the controversial stuff.
Adam Gowdiak: Well, recently we became interested in the areas which are also important, but are not so well explored. Some of these areas are treated as risky and might be perceived as somewhat sensitive research topics by some security researchers.
But in our opinion such unexplored or sensitive areas are also important and the security of set-top boxes is a good example of that. For set-top boxes, it's not just about the security of content because these devices become network connected and vendors start to embed some complex and rich functionality in them, such as YouTube or web browsing.
And we all know from the PC world that any Internet access or the use of web browsers could bring certain security risks to users and this is why we got interested in digital satellite TV set-top boxes.
Softpedia: So you are trying to show users that vulnerabilities don't exist only in operating systems and programs we use every day, they exist everywhere.
Adam Gowdiak: That’s true. We start to become surrounded by all sorts of technologies. We are actually witnessing an explosion in a variety of digital and smart, network connected devices. Just to mention wireless smart meters or the recent trend in a smart-TV ecosystem.
All the major TV vendors are putting novel and very interesting technologies into television sets these days to enhance the experience of the users. And that of course leads to the question of how secure these devices are once connected to a global network.
Softpedia: Besides allowing an attacker to install malware and steal digital signal, are there any other threats? For instance, can attackers cause physical damage to the devices?
Adam Gowdiak: Besides demonstrating a malware threat and satellite TV signal theft, we also proved that some sensitive information could be obtained from set-top box devices such as user’s credentials for access to customer service, VOD rental or web auction portals. We were also able to obtain billing / invoicing data for all subscribers in a given subscription period.
Finally, we demonstrated a successful capture of arbitrary HD programming into an MPEG file that could be later played on a user's PC or shared over the Internet.
As for the physical damage to the device, upon full access to set-top boxes (root and kernel in the OS) one can imagine bricking the device by overwriting its flash memory with garbage data. For obvious reasons, we haven't tested that.
The more serious damage could be however done to DVB chipsets. We found out that it was possible to permanently change their configuration by means of setting the fuses of the chip.
One can imagine an attack scenario where the fuses are programmable in such a way so that the chip becomes useless / bricked and the whole set-top box device needs to be replaced by a digital satellite TV operator.
Softpedia: After finding the vulnerabilities in the satellite platform you have notified a number of affected companies. How did they receive the news? Have they done anything in the meantime to address the issues?
Adam Gowdiak: Some companies didn’t react in a way vendors usually react in response to receiving a security vulnerability report (we have almost 15 years of experience in that area). We lost contact with several companies in January.
Advanced Digital Broadcast (set-top boxes vendor) and ITI Neovision (digital satellite TV provider) companies haven't been answering our emails since then.
Softpedia: So they only responded in the initial phases.
Adam Gowdiak: All companies confirmed reception of our vulnerability reports. After some time, as part of our vulnerability reporting process, we inquired with them about the status of the reported issues.
That’s when the two aforementioned companies stopped responding to our e-mail messages. Some companies such as STMicroelectronics did respond, however refused to disclose information regarding the impact of reported issues.
From our point of view, no information from the vendors to our impact inquiry questions just confirms publicly announced results of our research and a widespread impact of the issues found, which could be hundreds of millions of DVB chipsets according to some public data.
Softpedia: Did you maybe notice that they were secretly trying to fix the vulnerabilities?
Adam Gowdiak: We have some indications that a set-top box vendor did address some of the issues but without having official information on what they actually did it’s difficult for us to say anything about it.
Softpedia: If presented with your findings about the security holes in DVB chipsets and digital satellite set-top boxes regular users will probably think “That can never happen to me.” Because it’s clear that such risks are not taken as seriously as they should be. When do you think this will change? Or, will it ever change?
Adam Gowdiak: A couple of years ago, nobody expected that a cell phone could be hacked and that one could run a shell or some other commands in the OS of the cell phone. These days we have smart TVs and set-top boxes which are being connected to the Internet.
Usually, the users’ perception is that “these are just dumb devices, I can use them, but no actual harm can happen by having these devices deployed in my home network.”
But this is not always true. And as a result of our research, we proved that these devices could pose a security risk to users, their privacy and security of their home networks.
Softpedia: This is a question that our readers wanted us to ask you. How did you work on the famous MS03-026 in Windows Server 2003?
Adam Gowdiak: The MS03-026 bug was found during experiments aimed at launching the Internet Explorer web browser on a remote Windows machine by means of Microsoft’s RPC DCOM interface. The goal was to use the bug in a remotely spawned web browser to attack a target machine.
What was found instead was that the overlong path provided to the MSRPC DCOM Remote Activation interface could overflow some local stack buffer.
And this was the actual trigger for a deeper dive into MS RPC services area for the whole team as well as for the investigation of exploitation techniques required for a successful and reliable remote code execution on a Windows Server 2003 system.
Softpedia: What was Microsoft’s reaction at the time?
Adam Gowdiak: Microsoft received the vulnerability report and it was professionally handled by the company. I don’t recall any issues regarding this, I just remember that the issues were fixed pretty fast.
Adam Gowdiak's presentations from HITB 2012 Amsterdam are available here and here.