Hardware “Security” And A DMCA Takedown Notice

tektronix-autoLast week we published a post about how it was discovered through trial and error that Tektronix application modules are designed with laughable security. We’ll get to that part of it in a minute. We received a DMCA Takedown Notice from Tektronix (which you can read after the break) demanding that we remove the post. We have altered the original post, but we believe our coverage of this story is valid and we don’t agree that the post should be completely removed.

First off, Tektronix sells the modules to unlock the features already present on the Oscilloscope in questions. We’re operating on the moral assumption that using these features without paying their asking price is wrong. If you want the features they’ve developed you should pay for them.

The real story here is that Tektronix designed a woefully weak system for unlocking these modules. Learn from this. If you’re ever designing a hardware key, don’t do it like this!

An EEPROM, a connector, and a plain text string of characters which is already published publicly on their website is all that is necessary to unlock these “crippled” features. Let’s just say that again: apparently every hardware key is the same and just uses a plain-text string found on their website which is not encrypted or obfuscated. If you were selling these keys for $2.99 perhaps this would be adequate, but Tek values these modules at $500 apiece.

If you were designing this system wouldn’t it be worth using an encryption key pair based on the serial number or some other piece of unique information? How do you think this should have been done? Leave your comment below.

 

  I am the Chief Intellectual Property Counsel at Test & Measurement group of companies including Tektronix, Inc.

I have been notified of a posting on the “Hack A Day” website concerning hacking of Tektronix’ copyrighted modules for use in oscilloscopes.  Hacking those modules permits unauthorized access to and use of Tektronix’ copyrighted software by means of copying of Tektronix’ copyrighted code in those modules.

http://hackaday.com/2014/07/28/cloning-tektronix-application-modules/

A copy of the offending posting is attached for your reference.

<Copied text removed>

The posting includes instructions for how to hack our modules and thereby violate Tektronix’ copyrights.

Tektronix has a good faith belief that there is no legal basis for this individual to provide such instructions to anyone, much less on a public forum.

I hereby submit that the above statements are true and accurate, and under penalty of perjury state that I am authorized to act on Tektronix’ behalf.

In view of the above, Tektronix demands that the posting identified above be expeditiously removed from the  website.

Very Truly Yours,

305 thoughts on “Hardware “Security” And A DMCA Takedown Notice

  1. In all fairness, protocol WAS broken here.

    When a security flaw is found, no matter how bad, really the first thing you should do is inform the company or individuals owning the property with the flaw.
    Being naive, a bad coder, or even hiring bad people is not a crime, and no one should lose money for it.
    Only if they fail to address the concerns in a reasonable time THEN you should publish name and shame as loud as you can.

  2. The cliche saying, “Knowledge is power” comes to mind here. In true hacker fashion, knowing how to do something is one thing. Putting it into practice is another. What you do in the privacy of your own home/shop/lab is your business. This is what hacking and hackers is all about – the free dissemination of knowledge. Of course, this has always been contested by those who rely on ignorance for security – which has been repeatedly proven to be no security at all. People are curious and they will also do anything to save a buck. How is Tektronix going to enforce this? They aren’t. New units have to have better security. They have learned a hard lesson.

  3. Say you own a a grocery store and you forget to lock the door properly at the end of the day. When you come the next morning and find that all your stock has been stolen wouldn’t you then have a whelk’s chance in a supernova of getting your insurance company to foot the bill?

    1. No, of course you wouldn’t because you haven’t adhered to the terms of agreement – you are guilty of contributory negligence – but that doesn’t mean the person who stole your goods is exonerated.

  4. The logic fails here are astounding… If you lock something, no matter how flimsy a lock, it is LOCKED! No where in the law does it madate what kind of “protection” has to be used or how strong that protection is. Tek INTENDED to lock its software, pre-existing on the scope or not, with a LICENSE that is protected via a piece of hardware, the module with an SKU on that module. Just because the executible code is on the scope, does not give you a license to use that code! How is this any different than any piece of software (shareware for example) with a license key? Do what you want in the privacy of your own home (still doesn’t make it legal!), but go blabbing about it on the internet and be prepared to get sued!
    AND the guy did in fact COPY the SKU onto the eeprom… TEK may have posted the SKU on the internet, but they did not tell anyone that these were, in fact, the key codes and “this is how you use them to break our protection scheme”. The guy may have figured out how to do this on his own, but its still circumventing TEKs protection of their code . The DCMA puts it in plain english that if you intend to protect your work with ANY means, and someone circumvents that protection (no matter how flimsy) it is a violation of the DCMA. It’s like chipping a video game system, or hell, using the old magic marker trick. It doesn’t matter. The DCMA, poorly written or not is LAW! How easy it is to break a law does not have any bearing on anything! There are A LOT of laws that are easy to break, but you’ll still get in just as much trouble of you break them. There are no such thing as “blurred lines” in the eyes of the law! But obviously a lot of you are morally lost.

    1. If you sell someone a locked box they are not allowed to open it? I don’t see why morals should apply to this.. I wouldn’t steal this device but if I own it I don’t really care how the manufacturers intended me to use it.. If they want to lock down code sell it as needed.. If it’s in the package I own.. It’s mine. Then again I don’t see how the law and morals are intrinsically tied together..

    2. You seem very shouty. You might want to take a deep breath and calm down. And learn to insert paragraph breaks.

      Just because someone writes software with features that are ‘locked out’ does not automatically protect them from someone working around those features. The DMCA applies to copyrightable material – and something such as a product SKU has no creative content – a prerequisite for copyright – and is clearly not copyrightable.

      And yes, if I license a piece of software legally and install it on my computer, I expect that I should be allowed to do anything to it that I like, on my computer. The DMCA breaks this in some important ways when it comes to circumventing TPMs, but since that’s not at issue here, it’s irrelevant.

        1. Then it’s still not a copyright violation: no code is being copied; it’s already installed on your scope. And it’s still not an anti-circumvention provision, because there is no copying that it is trying to prevent from happening.

      1. Buying a PC does not give you right to use any piece of software made for PC, even if that piece of software is a full version, pre-installed on your system, that has a TRIAL LICENSE. You may use that software up until the trial expires even, but if you require a code, in this case, a SKU, to unlock the full version, and you by whatever means, circumvent that protection, you are in violation of the DCMA, period. How is that so hard to understand? Now retort with “I’ll never buy a PC.” or, “well, if its so easy to bypass, or whatever failed arguments you have…” it doesn’t matter. Try those things in front of a judge in a court of law and see how far you get. I bet my poor grammar will get me farther than your non-arguments…

        1. I never claimed that “Buying a PC does not give you right to use any piece of software made for PC”. Just that if I buy a piece of hardware that comes bundled with some sorftware, I’m entitled to mess with how that software executes on my own hardware however I like.

          Can you cite a provision in the DMCA that says that I can’t, assuming I’m not using a tool to circumvent a copy protection system?

  5. I know next to nothing regarding DMCA but I would expect hackaday to put up a little bit more of a fight. I am always against censorship. A company should not rely on censorship to protect themselves..

    This to me is the equivalent of burning books. Design better hardware Tektronix.. Don’t get mad when people exploit your poor design choices.. It sounds childish and I don’t do business with children.

    Hackaday, I love you guys.. But if you are gonna be taking stuff like this down perhaps you should consider altering the logo to something other then a hardware Jolly Roger. Alternatively, stop listening to the man. This is no different then any console being hacked or chipped and plenty of other websites get away with sharing that info all the time.

  6. If you bought the product and found a way to make it better, the company shouldn’t complain.

    If the company made their product so it has advanced features they can sell youaccesss to, but you found a way around their access block, the company should make their acess block more powerful, but not yell at you for their poar security,

    It is like buying a house with a room locked. the previous owner says that they will sell you the key to the locked room. Instead of buying the key, you take a hammer and nock down the door. should the previous owner get angry because you accessed the room without the key? this is what crippling products is like.

  7. My main issue is that this is not a hack, it’s a crack.

    It is no different than downloading a trial version of Windows or Photoshop and applying one of the many cracks that turn off or fake validation.

    If he had done the programming to replicate the features he wanted and flashed it onto the device, then sure that would be a hack.

    Is HaD going to start posting software crackers and windows keys?

  8. I wonder if the people screaming “theft, theft” would maintain their volume if they managed to score a cheap scope off eBay and could add this feature.

    My bet is that nobody with such high horse stand has such scope (or has but it already includes the analyzer function).

    1. It’s not a question of what people would do, it is whether it would be right to do.
      Would most people install pirated software? yes.
      Does that make it the right thing to do? no

          1. If it helps you getting a project done, or even learning something, it counts as the lesser evil.

            Life is too short and resources are too limited.

  9. I take back what I said at HOPE. The state of HaD saddens me if they are going to bend to the will of corporate overlords, lawyers & so on. I fully understanding protecting oneself from legalese, but they have no real standing here. Since the original post is down/modified, I’m sure if I can go back & see what’s being discussed, but I vaguely remember it. If they are positing that you’re “copying” their code & their IP, that’s just silly. It’s your hardware, your device, you own it.

    1. when you buy a PC it is also your hardware, your device, you own it. That doesn’t mean you automatically have the right to run every program known to man even though the hardware it capable of doing that.

  10. Bah. So much bikeshedding!

    How hard would it be to do some sort of two-way handshake for validation? The module could have a simple, super-cheap microcontroller on it to run some code. Module is inserted into scope. Scope reads a key from module, merges it with with its own internal, private key, hashes it, and sends the result back to the module. Module takes new hash, merges it with a second module-internal key, hashes, sends result back. Scope verifies result against expected value.

    Granted, this still isn’t “secure” — anybody who could read and disassemble the code from the uC could still replicate it. But it’s at least making a honest attempt to provide protection for the feature unlock, and it would require a bit more work on the part of the “hacker”. The keys could have dynamic components to them so that it would always require calculation, rather than a simple replay attack.

    As far as whether DMCA applies to a plaintext key on a hardware fob? I don’t know. The DMCA is rather loose on what it considers “encryption” for circumvention purposes. From what I’ve read before, a simple XOR is considered to be encryption as far as DMCA goes. And though the actual data here is apparently not encrypted, a lawyer is probably going to argue that having it stored in a “specialized” piece of hardware like an EEPROM is in itself a kind of encryption, just like a key fitting in a lock. Keep in mind that this would be argued to a judge who most likely has no practical knowledge of electronics or encryption. And to the layman, even something as simple as a text string stored in EEPROM is voodoo.

  11. Why is everyone angry with Tek. all there doing is protecting their interests…. same thing anyone else would do if they were producing test gear with the same capabilities and precision they do… If your a hacker then hack it and use it privately but if your a company and use it to make money then you know your wrong … if you intend break laws or rip anyone off in any way then don’t announce it to the world….DO IT ON THE DOWNLOW….. One wouldn’t think this would need to be explained…

  12. I will point out editing the original post does nothing about the unedited cached versions of the page of at least one cache provider. Is Tektronix going to issue DMCA to them?

  13. So what if the “Module activator” was just a peice of card witha few holes in it that you slotted into the device?

    Or even further down that road a big red button labled “Do not press unless instructed to do so” and when you paid $500 the rep said “Now, you can press that button”

  14. Maybe Tektronix will take notice, of what the post actually means, and start charging a reasonable amount for them … such that “hacking” them, as Tektronix believes, would be a moot point. For example, selling them for just a few dollars — $2-$5, etc.

  15. This is probably how I would have decided to do it. Even if you embedded the serial number, someone would figure it out just like they figured this out.

    About the only way I can think to overcome this is to embed the serial number and use a hash algorithm that is pre-shared between the the scope and whatever is burning the keys. Then the data on the key is unique to its target and the data would be very difficult to reverse engineer.

    Outside of this would be an online process where the scope would reachout, but that is a lot of different architecture to break :)

    Also, to the people whining that they should not charge so much for the keys and congratulating people on hacking this, from the stance of a software engineer, piss off. It is common practice to deliver all of the features and only unlock what has been paid for. Just like an auto manufacturer that up charges you $200 for cruise control and all they have to do is install the switch.

  16. I have to wonder, who was losing the argument so decided to email the Headmaster at Tektronix and get us all in trouble. Now we’re all in detention and there’ll be no oscilloscopes for anybody!

  17. I left a comment on KF5OBS’s blog post (which is awaiting moderation as I write):

    Ignoring the “DMCA takedown” (and I think DMCA is broken beyond fixing anyway), I don’t think Tektronix is in the wrong in this at all. I think they’d have been better off engaging the community about it, posting something similar to this blogpost, but PR presumably isn’t their strong point.

    Software and media piracy has shown that if you provide the locked content (and in most cases the key) then someone’s going to open the thing and then smash the lock off eventually anyway. One can devote time and effort into slowing down a determined adversary but that’s a race one will almost always lose in the end. Especially if the tool you’re selling is excellent at helping your adversary.

    Tektronix has apparently invested the minimum amount possible in an arms race that it would eventually lose. Seems sensible.

    A side effect of doing it the Tektonix way, it quietly provides the functionality “off-the-books” to hobby users that couldn’t afford to buy a license and don’t expect the support. Would it have a big negative impact upon their commercial sales? I doubt it as companies have to pay for licenses, it’s part of the price of doing business.

    In software, having people get used to the software when they’re learning is key. It means that’s what the customer goes for when they’re in business. The trick is to hook ‘em when they’re young. Adobe and Microsoft have been getting progressively better at this, providing cheap academic licenses, affordable licensing with a low initial price on a subscription model etc. Creative Cloud probably would have been better had it not broken spectacularly recently, but the idea is sound.

    If Tektronix had taken a different approach to this, it could have been a big PR and Marketing win. Maybe create a new “non-commercial” offering at the lower end with a different support structure. Something like:

    “Hi HaD, glad you like our scopes!

    First off, we don’t support piracy and we think it’s wrong. Our engineers spend a lot of time making great products, and that includes time spent making software features. We don’t think you should steal functionality that you haven’t paid for.

    We didn’t waste time and money trying to encrypt and obfuscate our license keys. That’s an expensive arms race that doesn’t benefit our customers. We don’t treat our customers like thieves. There are many examples of DRM, and almost as many examples of them failing. We could really lock things up and in future and maybe that’s what we’ll have to do, but we don’t think that’s the best path forwards.

    We want to keep focusing on helping our customers. 8 out of 10 engineers around the world trust us to help them debug and test tomorrow’s designs faster. We respect and value that. Our trust in them shows in our products. Please don’t abuse that trust.

    A large portion of the cost of these keys is the stuff you don’t see on the surface. It’s not the PCB and the EEPROM, it’s the engineering team writing and testing the different bits of software. It’s the skilled engineers on the phones, who know our products, that provide excellent customer support and service. That’s what the license price pays for. It’s not the 8Kbit chip in some injection-moulded plastic, it’s the engineers who work hard to provide great tools and great service.

    Every feature added is an investment. We hire great engineers who are passionate and really know their stuff, and we believe they deserve to be paid for their work. We hope that you value engineers as well and that you pay for what you use. We believe that in many cases, the most cost-effective and convenient solution is including the functionality for features but only turning them on if you need them. It allows some of our customers to purchase the best equipment to meet their needs without spending extra on functionality they don’t want right now, but still allowing them to upgrade in future.

    We understand that unlike some of our larger customers, many of your readers aren’t building billion-dollar planes or consumer products that are sold by the millions with budgets to match. We’re passionate about providing great equipment at great prices to everyone. We already offer the TBS1000B-EDU for education which starts at just $520, and our DPO2002B scope starts with a list price of $1,290. That’s a lot of power at an entry-level price and it provides excellent value for money.

    We’re also going to start offering a licensing system aimed just for hobbyists at a lower price point, with a dedicated support and community forum. I’ll let you know more about this when we’ve got more details for you. We hope that you understand our position, and believe in the value of great engineers as we do.

    Warmest regards,
    Tektronix.”

    Albeit written with shorter sentences and fewer commas. They’ve still got a limited window to fix the PR damage, but I think it’s closing fast.

  18. Test & Measurement group = Tektronix + Fluke: http://www.tek.com/about-us/entities
    They didn’t have much to loose in terms of PR.

    This protection is actually quite clever. They made sure the DMCA does not apply by not even using ROT13 protection of there data. Then used a standard connector, or at least made sure a standard connector would fit, so no one would need to copy there physical design. And finally made the data so short and non-artistic that it would never qualify for copyright.
    I think the person designing this protection system was trying to make a point, but then management missed the joke and put it on the market.

  19. So, consider this…. I buy one of these modules and then go around and plug this ONE module I bought into the 15 lower capability scopes that I bought. Have I done something illegal? The module is simply a sku. It would work regardless of what scope I plug it in to. So, I could just buy 15 scopes and 1 single module.

    That’s the problem here. It isn’t even a hardware security dongle. It is just an eeprom with a non-unique string on it. Nothing would prevent me from loaning out my one module to friends, family, the dog catcher, or the butcher thereby preventing Tektronix from making a sale with them. There is nothing stopping me from buying several lower capability scopes, and using my one module to make them all fully capable (though obviously not at the same time.) I just deprived them from 14 additional sales.

    There is no way they would win this in court as long as you didn’t chicken out.

  20. Totally dumb article.

    What was the point of all this ?
    You just ruined possibility of simple expansion for many users that couldn’t afford it otherwise.

    And for what gain? Serious industrial users were paying for those dongles anyway.

    Have you uncovered some deep mistery ?

    This is why I rarely visit hackaday.com.
    Far too much noise.

  21. What we really need is some sort of an opensource scope. There are already some good contenders, usually built around FPGA boards. The simultaneous developments in the hardware of software-defined radio (HackRF, for example) are another platform that can be built on top of or provide material. The successfully kickstartered SmartScope is another example. And there are many many efforts along these lines.

    Many people can write software. Fewer can do the FPGA code. Even fewer know how to design properly the analog part before the signals hit the ADCs. But the design can be modular and individual parts incrementally updated as the developers come and do their little pieces of work and go.

    …and as another advantage, a stripped-down version can act as a data acquisition system.

  22. Does Tektronix have right to store unused software on my oscilloscope? And why they even give it to user in first place? Its simple enough to change firmware with added options…

  23. Simple solution, put the content back, say tough shit and see if they sue. That would be one way to find out. If they don’t in 14 days, then your fine. If they sue then see what grounds the file under. Could get expensive to find out responses to the various arguments but it would be a valid way to find out.

    I would suspect that HaD is simply a publisher, protected as any press would be, that DMCA applying only to content that is protected by “Copyright” and may not apply at all in this case. My guess is Tek is just using scare tactics because for them its cheaper then not challenging this. If they scare the content off the web they win. If no one calls their bluff they win. If you call the bluff you have to have the money for the legal quagmire they can create so really from their perspective its very little effort and cost.

    Feel free to give HaD a put-back notice and see what happens.

    I am not judging content here, simply saying HaD got a legal notice they complied and notified their readers. Under the process for the DMCA there are options. HaD had to do something because they got it valid or not they had to comply or face de facto fault.

  24. A simple solution to the whole DMCA disaster would be for hackers/tinkerers/etc to simply redefine themselves as an “Organic AI” thereby rendering the DMCA invalid as it specifically states “A person may not”.

    :-)

  25. These companies need to get a clue! I buy something then anything I choose to do to or with MY PROPERTY is my right to do and the company that I bought it from has no say or power to stop me from opening it changing how it works, if the features are already there then they are mine to use period, it isn’t like its costing them for more hardware or a more complicated version of the firmware, they have sold a product and made their desired profits from it selling a hobbled or crippled device and thinking your customers should pay you to “fix” your device or program to preform at full capability is laughable!! Sort of makes me think of Microsoft’s marketing system ! Just think if GM sold a corvette that had a stop on the gas pedal so it wouldn’t reach top speed and customers were supposed to go pay MORE cash to get the full use of what they already thought they had bought! Then all the service dept. does is open the hood and pull a hunk of 2X4 out of the way of the throttle and then complain when car owners start pulling the block out themselves!! No one would think GM had any claim to be paid, these folks don’t either, sort of like the wedding venue that stated negative web comments about them by the clients or guests would be charged $500 bucks !! MORONS ! Oh wait Microsoft does go one better they give you features then during an “update” they lock you out and claim the software no longer supports that feature! they basically come and break your property with no compensation to the customer! Folks we are a large technical voice we could by other brand test equipment and steer our employers away from Tektronix’s product line there are cheaper and just as capable brands of equipment out there (half the cost often) and at least other manufacture’s don’t publicly open the mouth and prove how ignorant they really are!! We Could BOYCOTT them you know!
    The flip side is:
    If I don’t need that feature the code key enables then boy did I just pay way to much for a scope!!

  26. I for one sincerely hope that this has a Streisand effect.. I will always support free information and rail against any attempts to suppress information of any sort. I have nothing against tektronix with the exception this dmca letter. Supporting suppression of any information is a slippery slope that without archives could lead to modern day “book burning”.

    Hackaday, I feel you really need to reverse your position on this.. Put it back and stand up against the eventual ignorance that measures like this lead to.

    Your fan,
    John

  27. this has been a great article for discovering just how many people have absolutely know idea what the DMCA actually says, but are more than willing to speak authoritatively on the subject

    1. This will be a great comment for discovering just how many people will respond angrily to someone who infers they know better without really contributing anything anything to the discussion.

      I know you’re not talking about me cause I already copped to knowing nothing about it.. But why don’t you clarify the reality of DMCA for the ignorant masses?

      On a side note libeler would be a better name for a troll account if you’re gonna use it to write comments.

  28. “Hacking those modules permits unauthorized access to and use of Tektronix’ copyrighted software by means of copying of Tektronix’ copyrighted code in those modules.”

    “The posting includes instructions for how to hack our modules and thereby violate Tektronix’ copyrights.”

    “I hereby submit that the above statements are true and accurate, and under penalty of perjury state that I am authorized to act on Tektronix’ behalf.”

    Looks like that penalty should kick in then, because the above statements are in no way true. Your article neither told us how to hack the modules, nor allowed us to copy any copyrighted code. What your article told us was how to create a *new* module that happened to emulate the same functionality.

    Perhaps you should point out to them that they should know what they’re talking about before waving legal threats around.

  29. A thought. For such little hacks that are likely to be taken down, the information should be in plain text. No binary file attachments, no images. (Or, not only that.) Pipe the binary file with the EEPROM data through hexdump and include it in the page. (In this case, as hexdump is omitting duplicate lines, you end up with three lines per EEPROM image. Surprisingly compact.)

    That way, when page gets down, the content of the files is still available in all the places that keep the scraped pages (archive.org, google cache… – many such services don’t store images and other attachments), and it is therefore quite harder to take it down.

Leave a Reply to DuwoggCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.