Set Top Box

Security
Budapest, September 19, 2010
Zoltn Hornk
Tams Js
Kristf Kernyi
Outline
SEARCH-LAB Security Evaluation Analysis and
Research Laboratory
Embedded systems
Introduction
Security
Set-Top Boxes
Security solutions
PCB security
Interfaces
Chipset security features
Smart card security
Demonstration
2
SEARCH-LAB
introduction
SEARCH-LAB introduction
Introduction of SEARCH-LAB
SEARCH Laboratory established at the
Budapest University of Technology in 1999
with the financial help of Nokia Hungary
SEARCH-LAB Ltd established in 2002 as a
spin-off company to provide professional services
4
Professional activities
SAFECode: Software Assurance
Forum for Excellence in Code
Aims:
dedicated to increasing trust
in information and communications
technology products
advancement of proven software
assurance methods

SHIELDS: Detecting known security vulnerabilities
from within design and development tools
http://www.shields-project.eu
5
Embedded
Systems
Embedded systems
What is an embedded system
Computer systems designed for a specific purpose
As opposed to general purpose systems like PCs
Used where specific computing capability is needed
Limited resources
Input (designated knobs, dials)
Output (directly driving something)
Power (battery? cooling?)
Cheap components (mass production)
Not designed to be upgraded for new service areas
Used literally everywhere on the Globe
Ranging from very simple to quite complex systems
Most people have got at least one in their pockets
7
Security challenges of embedded systems
Freedom to tinker?
is your freedom to understand, discuss, repair, and
modify the technological devices you own
The embedded system is sometimes not even the
holders property
Works in a hostile environment
Incentive to abuse the device to get more (unpaid)
services
Attackers have unlimited time to reverse engineer the
hardware and the software of these devices
Cracking an embedded system usually results in loss
of profit for the owner (through the services)
8
Security advantages
Developers have full control of designing the
hardware architecture
Developers can use custom designed
processors/chipsets with enhanced security features
The software can be protected by some kind of
trusted computing solutions
End-to-end security is harder to crack than security
of open systems
9
Example: Set-Top Boxes
Digital television receiver
Terrestrial, cable, satellite or IPTV
Tuner, demodulator, demultiplexer
Conditional Access (Pay-TV)
Common Interface
Built-in card-reader
Additional features
Hard disk (DVR, PVR)
USB
Network (VOD, Web access)
Parental control
10
General model for STB
11
General STB architecture
System-on-Chip (SOC)
Processor core
Some RAM
Some Flash
Embedded controllers for network, USB, etc
Various engines for video decoding, decryption,
descrambling, etc
Main SDRAM
Flash memory for firmware
HDD interface
Other interfaces
12
Attack paths
Attackers prime goal: viewing unsubscribed content
Attack paths
Extract Control Words out of the STB (to distribute)
Inject downloaded CWs directly into own STB
Extract recorded programmes from PVR disk
Dump VoD programmes from disk or multicast
To reach this
External or internal interfaces could be eavesdropped
Hacked software could be loaded on the STB
13
Security
solutions
Security solutions
Security solutions
Interfaces
JTAG, RS-232, Smart Card, Infrared, I
2
C, USB, Ethernet,
HDMI, VGA,
Probing resistance
TSOP chips, BGA
Secure signal routing
Gluing
Chipset security features
System-on-Chip security
Firmware integrity protection
Smart Card Security
Shared secret between the Smart Card and SoC




15
Interfaces
JTAG
Generic test access point for electronic components
Standardized signals, but often custom protocol
Used during
Development
Finalization on the production line
Maintenance at service points
This interface has full control over the component
SoC, other chips
Many gaming consoles have been hacked with the use
of this interface
Possibility to lock it (password protect or disable)
17
Serial interfaces
RS-232
Common serial interface
Could be external or internal
Could be used to
Obtain debug information
Initiate firmware upgrade
Read out data for finalization on the production line
Smart card
Smart card reader chip usually connected to UART
Infrared
No protection
Full features only known to the programmer who
implements it
I
2
C
18
External connections
USB
Widespread interface
Could unlock or bypass security features when correct
token inserted
Hard to find out which profiles are implemented
Ethernet
Ethernet interface with TCP/IP stack implies the same
well-known weaknesses as it does on PCs
Is the stack well implemented?
Are the servers well implemented?
Is there a firewall?
19
HDD, Display
External or internal file systems
IDE or SATA HDD, USB PVR
File system
File/content encryption
Display interfaces
HDMI
HDMI has a two-way serial interface, like most
display adapter interfaces
HDCP key exchange (master key just cracked)
Device control (e.g. CEC)
Could be used for even more purposes
DVI
VGA
20
Probing resistance
Secure component selection
TSOP chips
Easily probed logic analyzer
Easily replaced break-out boards


BGA means a level of physical protection
against tapping and probing attacks
In many cases chip identity concealed
(grinding)
In some cases special chips used
(mixing pins)
22
Secure signal routing
Exposing signal lines is dangerous for
Key components (Flash, RAM)
Any confidential data transmitted
in plaintext
An attacker could sniff the data
being sent and received
And could do much more
23
Gluing
Could hide chip
identification string
Hides sensitive signal lines
and exposed pins
Makes the removing
process really hard
Removes also top layer of
PCB signal lines
Heat-resistant glue types
Not often used because of
the high cost
24
Chipset security features
System-on-Chip central units
Provides the majority of the core functions for the
embedded device integrated into one chip
Main SoC blocks are
CPU
Memory controllers RAM, Flash
External interface controllers RS-232, Ethernet, USB, IR
Internal interface controllers SATA, Smart card, I
2
C, SPI
Complete MPEG stream processor
Demultiplexing
Descrambling
Decoding
A lot of general purpose pins
26
SoC security
Secure unique identity
Unique serial number stored inside the chip during
manufacturing
Cannot be changed
Secure key storage
Small amount of ROM, RAM
Holds the keys for cryptographic operations
Some unique
Others shared
Secure on-chip cryptographic engines
The core CPU is slow, needs hardware acceleration for
crypto functions
Secure DMA using key in SoC-internal RAM/ROM
27
SoC security II
Antifuses
OTP One Time Programmable memory cells
Can set certain behavior of the chip like forcing flash
authentication
Usually set as the final step of manufacturing
Secure bootloader
Before booting the firmware
SoC-internal boot code runs, which authenticates the
firmware before running it or loading it to the RAM
Integrity
Authenticity
Only signed code will start
28
Firmware security
Mandatory AES-256 encryption for the system
software on new STBs
RSA-1024/2048 digital signature
Runtime integrity checking
The SoC checks the integrity of the firmware not just at
boot time but later, in random or pre-set time intervals
Authenticated flash memory update
Firmware upgrade only from authenticated source
Potentially insecure channel
Therefore signed
Downgrade protection (version number is signed along
with the firmware, lower version will not install)
29
Memory security
Flash security
Authenticated flash image
Write protection
Write Enable pin
Hardware logic in the flash chip (passwords)
Write-protecting certain (boot) sectors of the flash
RAM security
Performed by SoC (designated module)
RAM encryption
Transparent for the CPU and authenticated developers
Prevents disassembling the RAM contents after dumping
Source ID monitoring
Acts like a firewall between RAM and SoC cores, only
granting access to certain areas for certain cores
30
Smart card security
Chipset pairing and protection of link to smart card
ECM is decrypted by the smart card to yield CW
Must be transmitted to SoC for descrambling
Simple serial interface (UART)
Could be sniffed
Encrypted channel between SoC and smart card
SoC and smart card share a symmetric encryption key,
which is unique
Pairing between smart card and chipset (STB, CAM)
Pairing also prevents to use a STB at another content
provider (protects provider investment)
Similar type of link protection can be used to encrypt
all communication between smart card and SoC,
not just CWs
32

Embedded Systems
Security Services
34
SEARCH-LABs Testing Tools
Embedded systems debugging tools
Generic JTAG and manufacturer-specific evaluation tools
Boundary and parallel scanning
Content analysis of memory chips
Man-in-the-Middle (MiM) analysis and manipulation tools
Flash MiM
Smart card MiM
USB MiM
UART/serial MiM
Flash memory manipulator tool
VHDL programmable run-time XILINX logic
Post-processing on a PC
Various reverse engineering tools
Soldering and rework equipment,
X-ray microscopy
35
JTAG pin reconstruction based on X-ray images
6
GenIO27 VSS JTClk EMU1
5
GenTest0 JTRst VDDLMM
4
JTDI JTDO EMU0
3
JTMS EMU0 GenIO30 MBusRx FBusRx
2
GenIO26 VSS EarData
1
A B C D E F

36
JTAG test device and its connection
37
Logging board
38
Patch board
39
Phone boots up with patch board
40
Logic analysis environment
41
MiM Flash Manipulator
Flash Manipulator board that is able to switch between
an original Flash and another one with manipulated content
42
MiM Flash Manipulator
XILINX
RAM
USB Port
P
O
R
T

3
P
O
R
T

2
PORT 1
Original
Flash
M
o
d
i
f
i
e
d

F
l
a
s
h
Place of the
Flash Memory Chip
on the PCB
43
Man in the middle connection
between Flash memory and CPU
44
Capabilities of our MiM Flash Manipulator
VHDL programmable XILINX logic
Fast enough for run-time operation
Logic analyzer capabilities
Programmable triggers
Records up to 2MB of internal bus traffic
Post processing on PC (connected via USB)
Flash memory manipulation
Shows original content during boot loader
to bypass integrity checking
Switches to the manipulated flash chip during operation
Arbitrary code can be executed this way
Possibility to run internal testing algorithms
Similar solutions for Smart cards, USB, UART/serial
connections
45
Summary
Attack potential is there
SIM unlocking, IMEI number forgery
Cracked video set-top-boxes (with upgrade guarantee)
Security evaluation of embedded systems require
Laboratory infrastructure
Prepared hardware and security professionals
Adequate tools and methods
Research background
Continuous attack technology watch
Demonstration
Target
Generic Set-Top Box off the shelf
Probing security very low
TSOP chips for SoC, RAM, Flash
External signal routing
Chipset security medium
Secure boot
Flash authentication
No flash encryption
No RAM encryption
No run-time integrity checking
Content security low
No smart card pairing
47
Conclusion
Set-Top Box security
If all the security solutions are applied
Secure component selection and signal routing
Secure chipset with
Boot authentication
Flash encryption
RAM encryption
Runtime integrity protection/source monitoring
Authenticated updates
Secure channel (Smart Card pairing with SoC)
Only encrypted Control Words transferred
Display of Smart Card number on screen
then hacking a solution is not cost-efficient
Provides a high level of security
49
50




Zoltn Hornk
managing director
zoltan.hornak@search-lab.hu
Interested for
more?
jobs@search-lab.hu