******************************************************************
*---------------- Syndicated Hack Watch - 09:1994 ---------------*
******************************************************************
*-------------- Special Projects BBS +353-51-50143 --------------*
*--------------        SysOp: John McCormac        --------------*
******************************************************************
*------------- (c) 1994 MC2 (Publications Division) -------------*
*--------------- 22 Viewmount, Waterford Ireland ----------------*
******************************************************************
******************************************************************

Syndicated  Hack Watch is copyrighted material.  All  unauthorised 
reproduction whether in whole or in part, in any language will  be 
suitably dealt with.

******************************************************************
Contact Numbers:

Voice: +353-51-73640 
Fax: +353-51-73640
BBS: +353-51-50143  V32bis & V.Fast  Special Projects BBS
E-mail: [email protected]
FidoNet: 2:263/402 HackWatch
******************************************************************


Phoenix Program Kills Sky's Access Control

It looks like the VideoCrypt system has suffered yet another hack. 
This one is far more dangerous than previous hacks because it  can 
attack  the  access control system in a manner that  is  virtually 
invisible and perhaps undetectable by Sky.

Unlike the American Viet-Nam war project of the same name, Phoenix 
is concerned with the giving of life rather than taking it. To  be 
more precise it is concerned with the resurrection of dead Sky  09 
smart cards. The cards so resurrected are known as Lazarus cards.

The  reactivation of Quickstart and dead Sky cards has  long  been 
the subject of experimentation. It was not as relevant during  the 
lifetime  of  the  07 Ho Lee Fook hack. Then it  was  possible  to 
obtain  a very cheap pirate card anywhere in Europe. With the  09, 
things are different.

With the killing of the released 09 code on 28/06/94, Sky and News 
Datacom  may well have thought that the hackers had been  defeated 
for  good. Of course this was a view that only had currency  among 
those who watched Sky One for a bit too long.

The  09  code release gave away too much information. In  fact  it 
produced enough information to completely cripple the 09 Sky  card 
issue. If this indeed was a plausible deniability operation by Sky 
and  News Datacom then it is more than certain that  News  Datacom 
Research in Israel were not consulted on the code release.  Indeed 
a release of this much code was fatally stupid.

The VideoCrypt system was never designed to handle a code  release 
of  this  magnitude.  In  fact I do not think  that  it  was  ever 
designed  to handle a code release. The one thing that was  always 
made clear in the VideoCrypt brochures was that the cards would be 
replaced in the event of a hack.

The  release  of a replacement for the 09 has  not  happened  yet. 
There  are no visible indications that there will be an  0A  issue 
this  year.  Unless  Sky  and News  Datacom  can  switch  in  some 
alternate  and more secure card addressing encryption the 09  card 
issue  is effectively dead. At best it would now appear  that  Sky 
and News Datacom are back in the old ECM - ECCM cycle.

The  workhorse of the VideoCrypt access control system is  the  32 
byte  packet.  This  packet carries all  of  the  card  addressing 
information in addition to being the seed data for the  decryption 
key generation hash function.

The  last  five bytes of this packet are the checksums.  The  last 
byte ensures that the sum of all the bytes is an even multiple  of 
256. The other four bytes are the packet checksum. If these  bytes 
are  incorrect  then  the card will reject  the  packet  as  being 
tampered with and it will not act upon the instructions carried in 
the  packet.  This  ensures that thirty one of the  bytes  in  the 
packet  cannot be altered. The card would test to see if the  last 
byte  brings the sum to a multiple of 256 by adding the bytes  and 
checking  the  end result. In a byte wide  register  the  correct 
result would be zero.

Without  a  valid  keytable and algorithm it is  not  possible  to 
generate a correctly checksummed 32 byte packet.

Regardless  of  whether  the algorithm and  keytable  produce  the 
correct  decryption key, one valid keytable (not  necessarily  the 
one in use) and the algorithm are all that is needed.
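
As an added illustration (not part of the newsletter, nor Sky's or News 
Datacom's code), the sum byte check described above, written out in 
Python. The packet layout is assumed from the text: 27 bytes of 
addressing and seed data, a four byte packet checksum, then the single 
byte that brings the total of all 32 bytes to a multiple of 256. The 
four byte checksum algorithm is not given here, so that field is 
treated as opaque; it is that keyed checksum, not the sum byte, which 
the text credits with stopping the other bytes being altered.

```python
# Added example: the VideoCrypt 32 byte packet's trailing sum byte.
# Offsets are an assumption drawn from the article's description.
PACKET_LEN = 32
CHECKSUM_OFFSET = 27   # four byte packet checksum at bytes 27..30 (opaque here)
SUM_BYTE_OFFSET = 31   # single sum byte at byte 31


def sum_byte(first31: bytes) -> int:
    """Byte that makes the sum of all 32 bytes an even multiple of 256."""
    if len(first31) != PACKET_LEN - 1:
        raise ValueError("need exactly 31 bytes")
    return (-sum(first31)) & 0xFF


def sum_check_passes(packet: bytes) -> bool:
    """Mimic the card: add every byte in an 8 bit register, expect zero."""
    if len(packet) != PACKET_LEN:
        return False
    acc = 0
    for b in packet:
        acc = (acc + b) & 0xFF   # byte wide register wraps at 256
    return acc == 0


def build_packet(body27: bytes, checksum4: bytes) -> bytes:
    """Assemble body + four byte checksum + sum byte."""
    if len(body27) != CHECKSUM_OFFSET or len(checksum4) != 4:
        raise ValueError("body must be 27 bytes, checksum 4 bytes")
    first31 = body27 + checksum4
    return first31 + bytes([sum_byte(first31)])


def split_packet(packet: bytes):
    """Return (body, four byte checksum, sum byte) for a 32 byte packet."""
    return (packet[:CHECKSUM_OFFSET],
            packet[CHECKSUM_OFFSET:SUM_BYTE_OFFSET],
            packet[SUM_BYTE_OFFSET])


# Constructed sample values for the demo; the checksum bytes are made up,
# since the real four byte checksum needs the keytable and algorithm.
SAMPLE_BODY = bytes(range(0x74, 0x74 + CHECKSUM_OFFSET))
SAMPLE_CHECKSUM = bytes.fromhex("deadbeef")
SAMPLE_PACKET = build_packet(SAMPLE_BODY, SAMPLE_CHECKSUM)

if __name__ == "__main__":
    print(SAMPLE_PACKET.hex(), sum_check_passes(SAMPLE_PACKET))
    damaged = bytearray(SAMPLE_PACKET)
    damaged[3] ^= 0x01            # a single corrupted byte
    print(sum_check_passes(bytes(damaged)))
```

A packet with one corrupted byte fails the 8 bit register test, which 
is all the sum byte is good for; forging a packet the card acts on 
still needs the four byte checksum, and with it a valid keytable.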

VideoCrypt Access Control

The  VideoCrypt  system is based on the 32 byte 74h  packet.  This 
packet  is used to carry the addressing information for the  smart 
cards. It is also used by the hash function to generate the 8 byte 
decryption  key for the decoder. This key is returned in  the  78h 
packet.

The  system is based on the Exclusion Principle. Each  card  stays 
working until it gets a kill signal. The cards sent to  authorised 
subscribers  are  pre-authorised and will  work  immediately.  Any 
additional  channels that the customer wants can be  activated  on 
the  card by Sky in the same manner. The Quickstart cards have  to 
be activated over the air by Sky.

The  problem with the VideoCrypt system is that the cards  already 
have  the  code tables for each channel. It is  just  the  tiering 
mechanism that stops the subscriber from getting the channels that 
he is not entitled to.

Phoenix  takes advantage of this and one other  important  factor. 
The release of the 09 codes in June is perhaps the one aspect that 
allowed Phoenix to occur. Without those codes, it is probable that 
the  best attack would have been a modified form of  the  KENtucky 
Fried  Chip.  This would of course rely on  the  prospective  user 
getting a fully validated and active Quickstart card.

The main difference here is that the Phoenix does not require  the 
Quickstart  to  be active or validated. It just  requires  any  09 
issue smart card.


Ramifications

The most obvious ramification of the Phoenix hack is that Sky  has 
once more lost control over its access control system. They cannot 
ensure that the average multichannel (minimum tier) subscriber  is 
not also watching the premium channels free of charge.

In financial terms, the person using a Phoenix activated card  and 
a  blocker  only has to pay for the minimum tier -  roughly  seven 
pounds  per  month as opposed to the twenty pounds  for  the  full 
subscription.

Of  course  the  person could also be using a  09  Quickstart  and 
therefore would not have to pay anything to Sky.

Whereas  Sky's problems with the 07 Ho Lee Fook hack  were  highly 
visible,  this new hack is far more dangerous. It is not  strictly 
quantifiable. This should give the statisticians a few  headaches. 
Of  course on the other hand it will allow the hack to  be  played 
down in the mainstream satellite press.

Many  of the figures spouted in the satellite press over the  last 
few months may well be totally inaccurate. According to one report 
in  the Observer, a UK Sunday newspaper, Sky were multiplying  the 
dish sales figures by three based on the average family in the  UK 
having  three  members. It is impossible that all of  the  systems 
sold  were new Sky subscribers. Perhaps the purchasers of many  of 
these  systems  were merely upgrading to new systems and  as  such 
were not first time buyers.

The  only measure of the hack is the number of missing  Quickstart 
and  Official  09 Sky cards. The main sources  of  information  on 
these numbers would be Sky and News Datacom.

Of course they are not likely to divulge such information, even if 
they  knew.  Indeed  some of the statistics on  dish  sales  being 
produced by Sky have been questioned in UK national newspapers.

The  legal aspect is also murkier than before. Whereas the  07  Ho 
Lee  Fook cards were definitely illegal to manufacture in the  UK, 
the legality of the Phoenix is more questionable.

The Phoenix is a program that can be used for theft of  copyright. 
The origin of the information that allows it to activate cards  is 
suspect. If the 09 codes were indeed sold by Sky and News  Datacom 
in  an attempt to sting the pirates, then it could be argued  that 
the Phoenix was a development of the codes that were purchased  by 
the  pirates and therefore the program is not Sky's  property.  It 
was not developed by Sky.

Undoubtedly  the Phoenix could not work without the 09  algorithm. 
The  keytable used is the one that was operational up to June 28th. 
The  backdoor in the 09 VideoCrypt card is that it recognises  any 
packet  generated  with a valid 09 keytable. It is  not  necessary 
that the keytable used is the one in use at the present time.

The  problem  now is that the Phoenix program  is  spreading  like 
wildfire. Indeed there are already reports that the hack has  been 
stolen by more than one pirate company. Naturally retribution will 
follow in true hacker fashion.

The  hack  will  probably  circulate for  a  few  thousand  pounds 
initially but the key section is the blocker. Without the blocker, 
the  Lazarus cards will be killed in a few hours. There are a  few 
possibilities for blockers though many initial attempts will  draw 
heavily  on  the  KENtucky Fried Chip design  of  1992.  The  more 
elegant  devices  will  use PIC16C84s though in  their  case,  the 
device will be an external solution rather than the internal  8752 
KFC solution.


Black Book 4 Now Available

The Black Book is now back from the printers and orders are  being 
shipped.  The  Black  Book is also known  as  European  Scrambling 
Systems. It is the bible  of the Blackbox Industry.

The new version concentrates on the smart card hacks and how  they 
operate. Details of smart cards and computer monitoring  circuitry 
are  provided.  The  majority of the systems  in  Europe  are  now 
hacked.  Perhaps more importantly it shows how the  present  hacks 
will develop in the near future.

The  chapter  on  cryptology has been expanded  to  cover  message 
digests,  hash  functions and one way functions. The  Fiat  Shamir 
Zero  Knowledge  Test,  allegedly  used  in  VideoCrypt  is  fully 
explained.  A  datasnatch of the Fiat Shamir  Test  in  VideoCrypt 
being spoofed is also included - the decoder did not lock out  the 
'card'  with  the implication being that the Fiat Shamir  Test  in 
VideoCrypt  does not work properly. It also shows how the  Ho  Lee 
Fook hack on the VideoCrypt crypto system operates, complete  with 
worked examples in pseudo code and C. A description of the 09  Sky 
code is given complete with structure.

The official price of the book is 32.00 plus postage but to  those 
electronically  aware  people reading this via a bbs,  fidonet  or 
usenet,  I have decided that the price of the book will  be  25.00 
pounds including postage. 

This  special offer price includes postage in the EC. Payment  can 
be  made by UK or Irish cheque or draft. Alternatively payment  by 
credit card is possible. Visa and Mastercard / Access acceptable.

Either  fax  the  order  to the phone  number  below  or  use  the 
[email protected]  e-mail address.  Alternatively  telephone 
(voice) after 1400 Hrs to order.
 
------------------------------------------------------------------------- 
| John McCormac                          | Hack Watch News              |
| Editor - Hack Watch News               | MC2 (Publications Division)  |
| Voice & Fax: +353-51-73640             | 22 Viewmount, Waterford      |
| BBS: +353-51-50143                     | Ireland                      |
| e-mail: [email protected]        |-------------------------------
| [email protected] | Black Book 4  Available  Now |
-------------------------------------------------------------------------