Syndicated Hack Watch - 09:1994
******************************************************************
*---------------- Syndicated Hack Watch - 09:1994 ---------------*
******************************************************************
*-------------- Special Projects BBS +353-51-50143 --------------*
*--------------------- SysOp: John McCormac ---------------------*
******************************************************************
*------------- (c) 1994 MC2 (Publications Division) -------------*
*--------------- 22 Viewmount, Waterford Ireland ----------------*
******************************************************************
******************************************************************
Syndicated Hack Watch is copyrighted material. All unauthorised
reproduction whether in whole or in part, in any language will be
suitably dealt with.
******************************************************************
Contact Numbers:
Voice: +353-51-73640
Fax: +353-51-73640
BBS: +353-51-50143 V32bis & V.Fast Special Projects BBS
E-mail: mc2@cix.compulink.com.uk
FidoNet: 2:263/402 HackWatch
******************************************************************
Phoenix Program Kills Sky's Access Control
It looks like the VideoCrypt system has suffered yet another hack.
This one is far more dangerous than previous hacks because it can
attack the access control system in a manner that is virtually
invisible and perhaps undetectable by Sky.
Unlike the American Viet-Nam war project of the same name, Phoenix
is concerned with the giving of life rather than taking it. To be
more precise it is concerned with the resurrection of dead Sky 09
smart cards. The cards so resurrected are known as Lazarus cards.
The reactivation of Quickstart and dead Sky cards has long been
the subject of experimentation. It was not as relevant during the
lifetime of the 07 Ho Lee Fook hack. Then it was possible to
obtain a very cheap pirate card anywhere in Europe. With the 09,
things are different.
With the killing of the released 09 code on 28/06/94, Sky and News
Datacom may well have thought that the hackers had been defeated
for good. Of course this was a view that only had currency among
those who watched Sky One for a bit too long.
The 09 code release gave away too much information. In fact it
produced enough information to completely cripple the 09 Sky card
issue. If this indeed was a plausible deniability operation by Sky
and News Datacom then it is more than certain that News Datacom
Research in Israel were not consulted on the code release. Indeed
a release of this much code was fatally stupid.
The VideoCrypt system was never designed to handle a code release
of this magnitude. In fact I do not think that it was ever
designed to handle a code release. The one thing that was always
made clear in the VideoCrypt brochures was that the cards would be
replaced in the event of a hack.
The release of a replacement for the 09 has not happened yet.
There are no visible indications that there will be an 0A issue
this year. Unless Sky and News Datacom can switch in some
alternate and more secure card addressing encryption the 09 card
issue is effectively dead. At best it would now appear that Sky
and News Datacom are back in the old ECM - ECCM cycle.
The workhorse of the VideoCrypt access control system is the 32
byte packet. This packet carries all of the card addressing
information in addition to being the seed data for the decryption
key generation hash function.
The last five bytes of this packet are the checksums. The last
byte ensures that the sum of all the bytes is an even multiple of
256. The other four bytes are the packet checksum. If these bytes
are incorrect then the card will reject the packet as being
tampered with and it will not act upon the instructions carried in
the packet. This ensures that thirty one of the bytes in the
packet cannot be altered. The card would test to see if the last
byte brings the sum to a multiple of 256 by adding the bytes and
checking the end result. In a byte wide register the correct
result would be zero.
Without a valid keytable and algorithm it is not possible to
generate a correctly checksummed 32 byte packet.
Regardless of whether the algorithm and keytable produce the
correct decryption key, one valid keytable (not necessarily the
one in use) and the algorithm are all that is needed.
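As an added illustration (not code from the newsletter, and not the real card algorithm), here is a model of the trailing sum byte test described above. The 27/4/1 field layout and the sample bytes are assumptions, and the four keyed checksum bytes are treated as opaque input because their keytable algorithm is not modelled.

```python
# Added example: the byte-wide sum check on a 32 byte VideoCrypt-style
# packet, as the text describes it.  Field layout is an assumption:
# 27 bytes of addressing/seed data, 4 keyed checksum bytes, 1 sum byte.
PACKET_LEN = 32
DATA_LEN = 27          # bytes 0..26: card addressing + hash seed data
KEYED_CHECK_LEN = 4    # bytes 27..30: keytable-dependent checksum (opaque here)


def sum_byte(first_31: bytes) -> int:
    """Return the byte that makes the sum of all 32 bytes a multiple of 256."""
    if len(first_31) != PACKET_LEN - 1:
        raise ValueError("expected 31 bytes")
    return (-sum(first_31)) & 0xFF


def build_packet(data: bytes, keyed_check: bytes) -> bytes:
    """Assemble data + keyed check + sum byte.  The keyed bytes are supplied
    by the caller; the text says they need the algorithm and a valid
    keytable, which this example does not model."""
    if len(data) != DATA_LEN or len(keyed_check) != KEYED_CHECK_LEN:
        raise ValueError("bad field length")
    body = data + keyed_check
    return body + bytes([sum_byte(body)])


def sum_check_ok(packet: bytes) -> bool:
    """The card's test: add every byte in an 8 bit register, expect zero."""
    if len(packet) != PACKET_LEN:
        return False
    acc = 0
    for b in packet:
        acc = (acc + b) & 0xFF   # byte-wide register, carries discarded
    return acc == 0


def corrupt_byte(packet: bytes, index: int) -> bytes:
    """Flip one bit of one byte, simulating a transmission error."""
    out = bytearray(packet)
    out[index] ^= 0x01
    return bytes(out)


# Constructed sample values, not real over-the-air data.
SAMPLE_DATA = bytes(range(0x10, 0x10 + DATA_LEN))
SAMPLE_KEYED = bytes([0xDE, 0xAD, 0xBE, 0xEF])
SAMPLE_PACKET = build_packet(SAMPLE_DATA, SAMPLE_KEYED)

if __name__ == "__main__":
    print(SAMPLE_PACKET.hex())
    print("sum check:", sum_check_ok(SAMPLE_PACKET))
    print("after a bit flip:", sum_check_ok(corrupt_byte(SAMPLE_PACKET, 5)))
```

The sum byte only catches corruption; as the text notes, it is the four keyed bytes that stop a packet being forged without the algorithm and a valid keytable.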
VideoCrypt Access Control
The VideoCrypt system is based on the 32 byte 74h packet. This
packet is used to carry the addressing information for the smart
cards. It is also used by the hash function to generate the 8 byte
decryption key for the decoder. This key is returned in the 78h
packet.
The system is based on the Exclusion Principle. Each card stays
working until it gets a kill signal. The cards sent to authorised
subscribers are pre-authorised and will work immediately. Any
additional channels that the customer wants can be activated on
the card by Sky in the same manner. The Quickstart cards have to
be activated over the air by Sky.
The problem with the VideoCrypt system is that the cards already
have the code tables for each channel. It is just the tiering
mechanism that stops the subscriber from getting the channels that
he is not entitled to.
Phoenix takes advantage of this and one other important factor.
The release of the 09 codes in June is perhaps the one aspect that
allowed Phoenix to occur. Without those codes, it is probable that
the best attack would have been a modified form of the KENtucky
Fried Chip. This would of course rely on the prospective user
getting a fully validated and active Quickstart card.
The main difference here is that the Phoenix does not require the
Quickstart to be active or validated. It just requires any 09
issue smart card.
Ramifications
The most obvious ramification of the Phoenix hack is that Sky has
once more lost control over its access control system. They cannot
ensure that the average multichannel (minimum tier) subscriber is
not also watching the premium channels free of charge.
In financial terms, the person using a Phoenix activated card and
a blocker only has to pay for the minimum tier - roughly seven
pounds per month as opposed to the twenty pounds for the full
subscription.
Of course the person could also be using a 09 Quickstart and
therefore would not have to pay anything to Sky.
Whereas Sky's problems with the 07 Ho Lee Fook hack were highly
visible, this new hack is far more dangerous. It is not strictly
quantifiable. This should give the statisticians a few headaches.
Of course on the other hand it will allow the hack to be played
down in the mainstream satellite press.
Many of the figures spouted in the satellite press over the last
few months may well be totally inaccurate. According to one report
in the Observer, a UK Sunday newspaper, Sky were multiplying the
dish sales figures by three based on the average family in the UK
having three members. It is impossible that all of the systems
sold were new Sky subscribers. Perhaps the purchasers of many of
these systems were merely upgrading to new systems and as such
were not first time buyers.
The only measure of the hack is the number of missing Quickstart
and Official 09 Sky cards. The main sources of information on
these numbers would be Sky and News Datacom.
Of course they are not likely to divulge such information, even if
they knew. Indeed some of the statistics on dish sales being
produced by Sky have been questioned in UK national newspapers.
The legal aspect is also murkier than before. Whereas the 07 Ho
Lee Fook cards were definitely illegal to manufacture in the UK,
the legality of the Phoenix is more questionable.
The Phoenix is a program that can be used for theft of copyright.
The origin of the information that allows it to activate cards is
suspect. If the 09 codes were indeed sold by Sky and News Datacom
in an attempt to sting the pirates, then it could be argued that
the Phoenix was a development of the codes that were purchased by
the pirates and therefore the program is not Sky's property. It
was not developed by Sky.
Undoubtedly the Phoenix could not work without the 09 algorithm.
The keytable used is the one that was operational up to June 28th.
The backdoor in the 09 VideoCrypt card is that it recognises any
packet generated with a valid 09 keytable. It is not necessary
that the keytable used is the one in use at the present time.
The problem now is that the Phoenix program is spreading like
wildfire. Indeed there are already reports that the hack has been
stolen by more than one pirate company. Naturally retribution will
follow in true hacker fashion.
The hack will probably circulate for a few thousand pounds
initially but the key section is the blocker. Without the blocker,
the Lazarus cards will be killed in a few hours. There are a few
possibilities for blockers though many initial attempts will draw
heavily on the KENtucky Fried Chip design of 1992. The more
elegant devices will use PIC16C84s though in their case, the
device will be an external solution rather than the internal 8752
KFC solution.
Black Book 4 Now Available
The Black Book is now back from the printers and orders are being
shipped. The Black Book is also known as European Scrambling
Systems. It is the bible of the Blackbox Industry.
The new version concentrates on the smart card hacks and how they
operate. Details of smart cards and computer monitoring circuitry
are provided. The majority of the systems in Europe are now
hacked. Perhaps more importantly it shows how the present hacks
will develop in the near future.
The chapter on cryptology has been expanded to cover message
digests, hash functions and one way functions. The Fiat Shamir
Zero Knowledge Test, allegedly used in VideoCrypt is fully
explained. A datasnatch of the Fiat Shamir Test in VideoCrypt
being spoofed is also included - the decoder did not lock out the
'card' with the implication being that the Fiat Shamir Test in
VideoCrypt does not work properly. It also shows how the Ho Lee
Fook hack on the VideoCrypt crypto system operates, complete with
worked examples in pseudo code and C. A description of the 09 Sky
code is given complete with structure.
The official price of the book is 32.00 plus postage but to those
electronically aware people reading this via a BBS, FidoNet or
Usenet, I have decided that the price of the book will be 25.00
pounds including postage.
This special offer price includes postage in the EC. Payment can
be made by UK or Irish cheque or draft. Alternatively payment by
credit card is possible. Visa and Mastercard / Access acceptable.
Either fax the order to the phone number below or use the
mc2@cix.compulink.co.uk e-mail address. Alternatively telephone
(voice) after 1400 Hrs to order.
-------------------------------------------------------------------------
| John McCormac                          | Hack Watch News              |
| Editor - Hack Watch News               | MC2 (Publications Division)  |
| Voice & Fax: +353-51-73640             | 22 Viewmount, Waterford      |
| BBS: +353-51-50143                     | Ireland                      |
| e-mail: mc2@cix.compulink.co.uk        |-------------------------------
| john.mccormac@f402.n263.z2.fidonet.org | Black Book 4 Available Now   |
-------------------------------------------------------------------------