FlyingAvatar 5 years ago

Back in 2005 or 2006, I had purchased a cable-ready QAM PCI Tuner card. When I scanned channels, I saw a number of very high numbered channels that all appeared empty of content.

One day, while I was flipping through the channels, I hit one of the high-numbered channels and a relatively newly released movie was playing on it. I started watching it for a bit, then the video paused for a second and started rewinding.

It took me a few seconds to realize that the Video on Demand service was being transmitted in the clear on these high-numbered channels and people's STBs were programmed not to see them. With the PCI card, though, I could see any VoD being played on my local "circuit".

  • ZebZ 5 years ago

    Having a QAM card and living in an apartment complex, there were a couple of years where I never had to pay for big PPV sporting/wrestling events. And also, _other_ programming types late at night, which was a bit creepy and left me wondering which neighbors had which proclivities.

    I also found that NBA League Pass and NHL Center Ice weren't encrypted either.

mpalfrey 5 years ago

I'm _very_ surprised this worked at all. I'd have thought HBO et al. would have wanted a good CAS layer (Cisco NDS, Nagra, Conax, etc.) to prevent this kind of stuff happening, as part of any agreements to be carried on the network.

In the past I've worked on a few IPTV projects. Users would only see channels they were entitled to (unlike Sat / Cable projects), and there was a heavy CAS layer.

Interesting though. A lot of boxes are essentially just running an embedded browser so there's scope for some poking around.

  • jandrese 5 years ago

    I wouldn't be surprised if the guy opened his bill next month to discover that he's suddenly subscribed to HBO. It's trivial for the cable company to log those requests and they know who owns which box. An audit would discover his shenanigans immediately.

pvachon 5 years ago

To be fair, while the channel rights enforcement is done "client side," the real work is likely done by an M-Card in your set-top box. This is a secure environment that contains hardware to support decrypting MPEG streams on the fly. The M-Card is able to decrypt key bundles that are sent out-of-band and in-band in the video streams.

The bar to get channels you're not subscribed to is quite a bit higher because of this mechanism, alas.

  • Fnoord 5 years ago

    (Post is from 2016 which the title on HN doesn't mention!)

    It's a MITM. Packets are being changed on the fly. It being a MITM doesn't mean it works, nor that it works world-wide in 2019. The term MITM isn't descriptive enough by itself.

    Perhaps this worked in Bulgaria in 2016? I'd like to see some proof that he got HBO to work though. I didn't see that clearly specified.

    I mean, for public transport they were still using (the insecure) Mifare Classic in 2016 in Bulgaria. See this post from the same blog [1].

    [1] https://xakcop.com/post/cloning-rfid/

    • milankragujevic 5 years ago

      I'd bet $10 that it still works, given that it works in Serbia on Orion :)

sofaofthedamned 5 years ago

This is a bit content light, and there's no MITM of any content. Anything valuable will be secured with a secret client key. All this will do is show encrypted data flowing as well as some signalling in the clear.

  • Tepix 5 years ago

    He's MITM'ing the signalling. Guess it worked?

  • Scoundreller 5 years ago

    It seems like this system doesn’t/didn’t encrypt 1 channel differently from any other.

  • jandrese 5 years ago

    It looks like he's tweaking it so when he switches to QVC or something it rewrites the channel ID to HBO and the server hands the content out without any further checks.

    This guy is totally busted if his cable company ever runs an audit of their logs.