******************************************************************
*---------------- Syndicated Hack Watch - 09:1994 ---------------*
******************************************************************
*-------------- Special Projects BBS +353-51-50143 --------------*
*-------------- SysOp: John McCormac --------------*
******************************************************************
*------------- (c) 1994 MC2 (Publications Division) -------------*
*--------------- 22 Viewmount, Waterford Ireland ----------------*
******************************************************************
******************************************************************
Syndicated Hack Watch is copyrighted material. All unauthorised
reproduction whether in whole or in part, in any language will be
suitably dealt with.
******************************************************************
Contact Numbers:
Voice: +353-51-73640
Fax: +353-51-73640
BBS: +353-51-50143 V32bis & V.Fast Special Projects BBS
E-mail: [email protected]
FidoNet: 2:263/402 HackWatch
******************************************************************
Phoenix Program Kills Sky's Access Control
It looks like the VideoCrypt system has suffered yet another hack.
This one is far more dangerous than previous hacks because it can
attack the access control system in a manner that is virtually
invisible and perhaps undetectable by Sky.
Unlike the American Viet-Nam war project of the same name, Phoenix
is concerned with the giving of life rather than taking it. To be
more precise it is concerned with the resurrection of dead Sky 09
smart cards. The cards so resurrected are known as Lazarus cards.
The reactivation of Quickstart and dead Sky cards has long been
the subject of experimentation. It was not as relevant during the
lifetime of the 07 Ho Lee Fook hack. Then it was possible to
obtain a very cheap pirate card anywhere in Europe. With the 09,
things are different.
With the killing of the released 09 code on 28/06/94, Sky and News
Datacom may well have thought that the hackers had been defeated
for good. Of course this was a view that only had currency among
those who watched Sky One for a bit too long.
The 09 code release gave away too much information. In fact it
produced enough information to completely cripple the 09 Sky card
issue. If this indeed was a plausible deniability operation by Sky
and News Datacom then it is more than certain that News Datacom
Research in Israel were not consulted on the code release. Indeed
a release of this much code was fatally stupid.
The VideoCrypt system was never designed to handle a code release
of this magnitude. In fact I do not think that it was ever
designed to handle a code release. The one thing that was always
made clear in the VideoCrypt brochures was that the cards would be
replaced in the event of a hack.
The release of a replacement for the 09 has not happened yet.
There are no visible indications that there will be an 0A issue
this year. Unless Sky and News Datacom can switch in some
alternate and more secure card addressing encryption the 09 card
issue is effectively dead. At best it would now appear that Sky
and News Datacom are back in the old ECM - ECCM cycle.
The workhorse of the VideoCrypt access control system is the 32
byte packet. This packet carries all of the card addressing
information in addition to being the seed data for the decryption
key generation hash function.
The last five bytes of this packet are the checksums. The last
byte ensures that the sum of all the bytes is an even multiple of
256. The other four bytes are the packet checksum. If these bytes
are incorrect then the card will reject the packet as being
tampered with and it will not act upon the instructions carried in
the packet. This ensures that thirty one of the bytes in the
packet cannot be altered. The card would test to see if the last
byte brings the sum to a multiple of 256 by adding the bytes and
checking the end result. In an byte wide register the correct
result would be zero.
Without a valid keytable and algorithm it is not possible to
generate a correctly checksummed 32 byte packet.
Regardless of whether the algorithm and keytable produce the
correct decryption key, one valid keytable (not necessarily the
one in use) and the algorithm are all that is needed.
VideoCrypt Access Control
The VideoCrypt system is based on the 32 byte 74h packet. This
packet is used to carry the addressing information for the smart
cards. It is also used by the hash function to generate the 8 byte
decryption key for the decoder. This key is returned in the 78h
packet.
The system is based on the Exclusion Principle. Each card stays
working until it gets a kill signal. The cards sent to authorised
subscribers are pre-authorised and will work immediately. Any
additional channels that the customer wants can be activated on
the card by Sky in the same manner. The Quickstart cards have to
be activated over the air by Sky.
The problem with the VideoCrypt system is that the cards already
have the code tables for each channel. It is just the tiering
mechanism that stops the subscriber from getting the channels that
he is not entitled to.
Phoenix takes advantage of this and one other important factor.
The release of the 09 codes in June is perhaps the one aspect that
allowed Phoenix to occur. Without those codes, it is probable that
the best attack would have been a modified form of the KENtucky
Fried Chip. This would of course rely on the prospective user
getting a fully validated and active Quickstart card.
The main difference here is that the Phoenix does not require the
Quickstart to be active or validated. It just requires any 09
issue smart card.
Ramifications
The most obvious ramification of the Phoenix hack is that Sky has
once more lost control over its access control system. They cannot
ensure that the average multichannel (minimum tier) subscriber is
not also watching the premium channels free of charge.
In financial terms, the person using a Phoenix activated card and
a blocker only has to pay for the minimum tier - roughly seven
pounds per month as opposed to the twenty pounds for the full
subscription.
Of course the person could also be using a 09 Quickstart and
therefore would not have to pay anything to Sky.
Whereas Sky's problems with the 07 Ho Lee Fook hack were highly
visible, this new hack is far more dangerous. It is not strictly
quantifiable. This should give the statisticians a few headaches.
Of course on the other hand it will allow the hack to be played
down in the mainstream satellite press.
Many of the figures spouted in the satellite press over the last
few months may well be totally inaccurate. According to one report
in the Observer, a UK Sunday newspaper, Sky were multiplying the
dish sales figures by three based on the average family in the UK
having three members. It is impossible that all of the systems
sold were new Sky subscribers. Perhaps the purchasers of many of
these systems were merely upgrading to new systems and as such
were not first time buyers.
The only measure of the hack is the number of missing Quickstart
and Official 09 Sky cards. The main sources of information on
these numbers would be Sky and News Datacom.
Of course they are not likely to divulge such information, even if
they knew. Indeed some of the statistics on dish sales being
produced by Sky have been questioned in UK national newspapers.
The legal aspect is also murkier than before. Whereas the 07 Ho
Lee Fook cards were definitely illegal to manufacture in the UK,
the legality of the Phoenix is more questionable.
The Phoenix is a program that can be used for theft of copyright.
The origin of the information that allows it to activate cards is
suspect. If the 09 codes were indeed sold by Sky and News Datacom
in an attempt to sting the pirates, then it could be argued that
the Phoenix was a development of the codes that were purchased by
the pirates and therefore the program is not Sky's property. It
was not developed by Sky.
Undoubtedly the Phoenix could not work without the 09 algorithm.
The keytable used is that that was operational up to June 28th.
The backdoor in the 09 VideoCrypt card is that it recognises any
packet generated with a valid 09 keytable. It is not necessary
that the keytable used is the one in use at the present time.
The problem now is that the Phoenix program is spreading like
wildfire. Indeed there are already reports that the hack has been
stolen by more than one pirate company. Naturally retribution will
follow in true hacker fashion.
The hack will probably circulate for a few thousand pounds
initially but the key section is the blocker. Without the blocker,
the Lazarus cards will be killed in a few hours. There are a few
possibilities for blockers though many initial attempts will draw
heavily on the KENtucky Fried Chip design of 1992. The more
elegant devices will use PIC16C84s though in their case, the
device will be an external solution rather than the internal 8752
KFC solution.
Black Book 4 Now Available
The Black Book is now back from the printers and orders are being
shipped. The Black Book is also known as European Scrambling
Systems. It is the bible of the Blackbox Industry.
The new version concentrates on the smart card hacks and how they
operate. Details of smart cards and computer monitoring circuitry
are provided. The majority of the systems in Europe are now
hacked. Perhaps more importantly it shows how the present hacks
will develop in the near future.
The chapter on cryptology has been expanded to cover message
digests, hash functions and one way functions. The Fiat Shamir
Zero Knowledge Test, allegedly used in VideoCrypt is fully
explained. A datasnatch of the Fiat Shamir Test in VideoCrypt
being spoofed is also included - the decoder did not lock out the
'card' with the implication being that the Fiat Shamir Test in
VideoCrypt does not work properly. It also shows how the Ho Lee
Fook hack on the VideoCrypt crypto system operates, complete with
worked examples in psuedo code and C. A description of the 09 Sky
code is given complete with structure.
The official price of the book is 32.00 plus postage but to those
electronically aware people reading this via a bbs, fidonet or
usenet, I have decided that the price of the book will be 25.00
pounds Including postage.
This special offer price includes postage in the EC. Payment can
be made by UK or Irish cheque or draft. Alternatively payment by
credit card is possible. Visa and Mastercard / Access acceptable.
Either fax the order to the phone number below or use the
[email protected] e-mail address. Alternatively telephone
(voice) after 1400 Hrs to order.
-------------------------------------------------------------------------
| John McCormac | Hack Watch News |
| Editor - Hack Watch News | MC2 (Publications Division) |
| Voice & Fax: +353-51-73640 | 22 Viewmount, Waterford |
| BBS: +353-51-50143 | Ireland |
| e-mail: [email protected] |-------------------------------
| [email protected] | Black Book 4 Available Now |
-------------------------------------------------------------------------
�