
MitM'ing my STB (2016) - punnerud
https://xakcop.com/post/mitm-stb/
======
FlyingAvatar
Back in 2005 or 2006, I had purchased a cable-ready QAM PCI Tuner card. When I
scanned channels, I saw a number of very high numbered channels that all
appeared empty of content.

One day, I was flipping through the channels, I hit one of the high number
channels, a relatively newly released movie was playing on it. I started
watching it for a bit and the video paused for a second and then it started
rewinding.

It took me a few seconds to realize that the Video on Demand service was being
transmitted in the clear on these high number channels and the people's STBs
were programmed not to see them. With the PCI card though, I could see any VoD
being played on my local "circuit".

~~~
ZebZ
Having a QAM card and living in an apartment complex, there were a couple of
years where I never had to pay for big PPV sporting/wrestling events. And also,
_other_ programming types late at night, which was a bit creepy and left me
wondering which neighbors had which proclivities.

I also found that NBA League Pass and NHL Center Ice weren't encrypted that
way too.

------
mpalfrey
I'm _very_ surprised this worked at all. I'd have thought HBO et al would have
wanted a good (Cisco NDS, Nagra, Conax etc) CAS layer to prevent this kind of
stuff happening as part of any agreements to be carried on the network.

In the past I've worked on a few IPTV projects. Users would only see channels
they were entitled to (unlike Sat / Cable projects), and there was a heavy CAS
layer.

Interesting though. A lot of boxes are essentially just running an embedded
browser so there's scope for some poking around.

~~~
jandrese
I wouldn't be surprised if the guy opened his bill next month to discover that
he's suddenly subscribed to HBO. It's trivial for the cable company to log
those requests and they know who owns which box. An audit would discover his
shenanigans immediately.
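
The audit described in the comment above, as an added example that is not part of the thread and not any operator's real tooling: it parses constructed head-end log lines of tune requests (the log format, box IDs, channel numbers and subscription table are all invented here), joins them against the billing records that say which box owns which package, and reports every successful tune to a channel the account is not entitled to. A box that is not in the billing table at all is also flagged.

```python
"""Audit set-top-box entitlement requests against billing records.

Constructed example: the box IDs, channel numbers, log format and
subscription table below are invented for illustration.
"""
from collections import defaultdict

# Constructed billing records: box_id -> packages the account pays for.
SUBSCRIPTIONS = {
    "STB-0001": {"basic"},
    "STB-0002": {"basic", "premium"},
}

# Constructed channel map: channel -> package that entitles it.
CHANNEL_PACKAGE = {
    "101": "basic",
    "102": "basic",
    "501": "premium",  # hypothetical premium movie channel
}

# Constructed head-end log: timestamp, box id, request type, channel, result.
SAMPLE_LOG = """\
2016-03-01T20:00:01Z box=STB-0001 req=tune ch=101 result=ok
2016-03-01T20:05:12Z box=STB-0001 req=tune ch=501 result=ok
2016-03-01T20:06:00Z box=STB-0002 req=tune ch=501 result=ok
2016-03-01T20:07:44Z box=STB-0001 req=tune ch=501 result=ok
2016-03-01T20:09:10Z box=STB-0003 req=tune ch=102 result=ok
"""


def parse_line(line):
    """Split one 'ts key=value key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def audit(log_text, subscriptions, channel_package):
    """Return {box_id: [channels]} for successful tunes the account does not pay for.

    A box absent from the billing table owns no packages, so every tune it
    makes is reported; a channel absent from the channel map is reported too,
    since its entitlement cannot be verified.
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("req") != "tune" or rec.get("result") != "ok":
            continue
        box, ch = rec["box"], rec["ch"]
        needed = channel_package.get(ch)
        owned = subscriptions.get(box, set())
        if needed is None or needed not in owned:
            findings[box].append(ch)
    return dict(findings)


if __name__ == "__main__":
    for box, channels in audit(SAMPLE_LOG, SUBSCRIPTIONS, CHANNEL_PACKAGE).items():
        print(f"{box}: {len(channels)} unentitled tune(s) to {sorted(set(channels))}")
```

Run as a script it lists STB-0001 (tuned twice to the premium channel on a basic package) and STB-0003 (a box with no billing record at all); STB-0002, which pays for the premium package, produces no finding.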

------
pvachon
To be fair, while the channel rights enforcement is done "client side," the
real work is likely done by an M-Card in your set-top box. This is a secure
environment that contains hardware to support decrypting MPEG streams on the
fly. The M-Card is able to decrypt key bundles that are sent out-of-band and
in-band in the video streams.

The bar to get channels you're not subscribed to is quite a bit higher because
of this mechanism, alas.

~~~
Fnoord
(Post is from 2016 which the title on HN doesn't mention!)

It's a MITM. Packets are being changed on the fly. It being a MITM doesn't mean
it works. Nor that it works world-wide in 2019. The term MITM isn't
descriptive enough by itself.

Perhaps this worked in Bulgaria in 2016? I'd like to see some proof that he
got HBO to work though. I didn't see that clearly specified.

I mean, for public transport they were still using (the insecure) Mifare
Classic in 2016 in Bulgaria. See this post from the same blog [1]

[1] [https://xakcop.com/post/cloning-rfid/](https://xakcop.com/post/cloning-rfid/)

~~~
milankragujevic
I'd bet $10 that it still works, given that it works in Serbia on Orion :)

------
sofaofthedamned
This is a bit content light, and there's no MITM of any content. Anything
valuable will be secured with a secret client key. All this will do is show
encrypted data flowing as well as some signalling in the clear.

~~~
Tepix
He's MITM'ing the signalling. Guess it worked?

