Millions of Satellite Receivers are Low-Hanging Fruit for Botnets

Satellite television is prevalent in Europe and Northern Africa. This is delivered through a Set Top Box (STB) which uses a card reader to decode the scrambled satellite signals. You need to buy a card if you want to watch. But you know how people like to get something for nothing. This is being exploited by hackers and the result is millions of these Set Top Boxes just waiting to form into botnets.

This was the topic of [Sofiane Talmat’s] talk at DEF CON 23. He also gave this talk earlier in the week at BlackHat and has published his slides (PDF).

The hardware in satellite receivers is running Linux. They use a card reader to pull in a Code Word (CW) which decodes the signal coming in through the satellite radio.

An entire black market has grown up around these Code Words. Instead of purchasing a valid card, people are installing plugins from the Internet which cause the system to phone into a server which will supply valid Code Words. This is known as “card sharing”.

On the user side of things this just works; the user watches TV for free. It might cause more crashes than normal, but the stock software is buggy anyway so this isn’t a major regression. The problem is that these people have now exposed a network-connected Linux box to the Internet and installed unverified code from disreputable sources to run on the thing.

[Sofiane] demonstrated how little you need to know about this system to create a botnet:

  • Build a plugin in C/C++
  • Host a card-sharing server
  • Botnet victims come to you (profit)

It is literally that easy. The toolchain to compile the STLinux binaries (gcc) is available in the Linux repos. The STB will look for a “bin” directory on a USB thumb drive at boot time, and any binary in that folder will be automatically installed. Since the user is getting free TV, they voluntarily install this malware.


Here’s a prime example of why you always want to verify the checksum when you download software to install on your own system. [Sofiane] researched the “same” software package for card sharing across many download sites on the internet and found multiple different checksums. The assumption is that these are carrying different malware payloads.
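The check described above, as an added example (not code from the talk or the article): hash what each mirror actually served, compare every copy against the digest the author published, and refuse to install anything that does not match. The mirror names and file bytes are constructed stand-ins.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed stand-ins for the "same" card-sharing plugin as served by three
# download sites. Two mirrors return a byte-identical file; the third returns a
# build that differs, which is what a repacked binary looks like to a checksum.
GENUINE = b"\x7fELF constructed-plugin-payload v1.0"
MIRRORS = {
    "mirror-a.example": GENUINE,
    "mirror-b.example": GENUINE,
    "mirror-c.example": GENUINE + b"\x90",  # one extra byte is enough to diverge
}
# What the plugin's author would publish next to the download (constructed here).
PUBLISHED_SHA256 = hashlib.sha256(GENUINE).hexdigest()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory download."""
    return hashlib.sha256(data).hexdigest()


def audit_mirrors(published: str, downloads: dict) -> dict:
    """Group downloads by digest and compare each against the publisher's hash.

    Agreement among mirrors is not trust: every mirror could serve the same
    tampered file, so 'verified' means 'matches the published digest' and
    nothing else. 'suspect' lists mirrors whose file hashes to anything different.
    """
    by_digest = defaultdict(list)
    for host, blob in downloads.items():
        by_digest[sha256_hex(blob)].append(host)
    verified = sorted(by_digest.get(published, []))
    suspect = sorted(h for d, hosts in by_digest.items()
                     if d != published for h in hosts)
    return {
        "distinct_digests": len(by_digest),
        "verified": verified,
        "suspect": suspect,
    }


def verify_before_install(blob: bytes, published: str) -> bool:
    """The per-download gate: install only a file whose digest matches the published one."""
    return hmac.compare_digest(sha256_hex(blob), published.lower())


if __name__ == "__main__":
    report = audit_mirrors(PUBLISHED_SHA256, MIRRORS)
    print(f"{report['distinct_digests']} distinct digests seen")
    print("verified:", ", ".join(report["verified"]))
    print("suspect: ", ", ".join(report["suspect"]))
```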

In addition to this easy exploit, the boxes are broken by design anyway. There are no firewalls, there are secondary root accounts (backdoors), there are FTP servers running by default with root privileges and no password. The most laughable vulnerability for me is that updates from the manufacturer don’t do anything to patch or improve the OS, they’re 100% user experience updates. The BusyBox build running on the demo machine was from 2012 and has multiple known vulnerabilities. Even if you don’t want to use a card sharing service, the device can be compromised just by being connected to the Internet.
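An added example (not from the talk or the article) of the kind of audit a defender would run over an embedded Linux image to catch the defects listed above: secondary UID-0 accounts, login accounts with an empty password, and a BusyBox build older than a policy floor. The passwd/shadow contents, BusyBox banner and the version floor are all constructed assumptions, not data from any real receiver.

```python
import re

# Constructed /etc/passwd, /etc/shadow and BusyBox banner modelled on the defects
# the talk describes: a second UID-0 account, an FTP account with an empty
# password, and a 2012-era BusyBox. None of this is taken from a real device.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
svc:x:0:0:service:/root:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/bin/sh
nobody:x:99:99:Nobody:/:/bin/false
"""
SAMPLE_SHADOW = """\
root:$1$saltsalt$0123456789abcdefghijkl:16000:0:99999:7:::
svc:$1$saltsalt$0123456789abcdefghijkl:16000:0:99999:7:::
ftp::16000:0:99999:7:::
nobody:*:16000:0:99999:7:::
"""
SAMPLE_BUSYBOX = "BusyBox v1.20.2 (2012-07-02 14:50:03 UTC) multi-call binary."
NO_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_colon_file(text):
    """Split a passwd/shadow-style file into field lists, skipping blanks and comments."""
    return [ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#")]


def extra_uid0_accounts(passwd_text):
    """Accounts other than 'root' that map to UID 0 (a secondary root, i.e. a backdoor)."""
    return [f[0] for f in parse_colon_file(passwd_text) if f[2] == "0" and f[0] != "root"]


def passwordless_login_accounts(passwd_text, shadow_text):
    """Accounts with an empty shadow password field *and* a usable login shell."""
    shells = {f[0]: f[6] for f in parse_colon_file(passwd_text)}
    return [f[0] for f in parse_colon_file(shadow_text)
            if f[1] == "" and shells.get(f[0]) not in NO_LOGIN_SHELLS]


def busybox_version(banner):
    """Parse 'BusyBox vX.Y.Z ...' into a comparable tuple, or None if unparseable."""
    m = re.match(r"BusyBox v(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(passwd_text, shadow_text, busybox_banner, min_busybox):
    """Return (severity, message) findings. min_busybox is the caller's policy
    floor, an assumption here and not a claim about which release is safe."""
    findings = []
    for name in extra_uid0_accounts(passwd_text):
        findings.append(("high", f"secondary UID-0 account: {name}"))
    for name in passwordless_login_accounts(passwd_text, shadow_text):
        findings.append(("high", f"login account with empty password: {name}"))
    ver = busybox_version(busybox_banner)
    if ver is None:
        findings.append(("info", "could not parse BusyBox version banner"))
    elif ver < min_busybox:
        findings.append(("medium", "BusyBox %s below policy floor %s" % (
            ".".join(map(str, ver)), ".".join(map(str, min_busybox)))))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_BUSYBOX, (1, 24, 0)):
        print(f"[{sev}] {msg}")
```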

This talk was presented in the IoT village, not on a main stage. This is a great example of why you should take these talks seriously. You’ll get a much grittier explanation and demonstration of the hacks than in the highly-polished “Track” talks. You also have the opportunity to ask questions, and it’s less likely people will be asking questions just to hear themselves talk (which happens far too often here).

45 thoughts on “Millions of Satellite Receivers are Low-Hanging Fruit for Botnets”

      1. ADSL sucks, “mom & pop” ISPs that tend to pop up in smaller cities can usually beat ADSL in price, speed and availability. Also, apart from other services, they tend to do IPTV, usually by just stuffing satellite broadcast into IP.

    1. This is the year 2015, which came after the year 2014. That was the year that Telekom, Germany’s ex-monopolist and still biggest ISP, announced they will have a 176GB/month/customer cap. So much for IPTV for you and your family. Of course, as people mentioned, this only applies to you if you live in a city; rural areas and even parts of town that don’t have the highest population density often get only 1 or 2 Mbps, still. And this is high-tech paradise Germany, of course. (We really suck compared to other European countries, but then again, we’re not a country with low population density, so things aren’t quite catastrophic around here)

      Good luck getting IPTV-capable ISP in the rural parts of former Eastern Germany and if that’s even possible, at a price nearly competitive to just Satellite TV (which, by the way, doesn’t require code cards — it’s free to watch, aside from the few channels that are not, and they don’t have a significant market share aside from specific sports).

      1. Is the speed really that bad in rural Germany?

        Some of the most remote locations in Denmark still have fiber access and at worst a 10 Mbps copper connection.
        Maybe that is why satellite is so popular in southern Denmark, especially in vacation homes, to accommodate German holiday viewers.

        Satellite isn’t really used that much in people’s everyday lives, been ages since I last saw anyone with a receiver.

        1. I am reading this with my blazing fast 1Mbit connection. Even in big cities you can have bad luck and have only 2Mbit, but the house on the other side of the street has 50Mbit.

          1. This. It’s a shame that German governments, for decades, have declared that they want to make Germany a land of ubiquitous broadband access, yet all they do is cater to what the biggest ISP (not even really the biggest ISPs (plural)) tell them. Not to mention we are responsible for putting Mr. Oettinger in that EU chair, where he clearly, no, ostentatively doesn’t belong and hurt all Europe’s internet competitiveness with that.

          2. I see Germany uses the USA plan for internet, and in the USA you are lucky to get 1Mbit in rural areas. Most of the rural United States is stuck with either dial up or $199 a month for 10GB metered satellite service that has a 3000ms ping.

        2. So, ok, I have 16Mb/s up and 2Mb/s down, living in a ~300kPeople city. My father lives in a ~100kPeople part of a 1.6MPeople city, and he gets a friggin 6MS/s down on paper, only that it’s more like 2MS/s normally. Again, this is a >> 1Million people city. Friends of mine who come from rural parts (Schwarzwald/Black Forest) often only got “DSL lite” at home, aka. 384 kb/s or 768 kb/s, depending on how far out your home is.

          Law has it that the companies that bought LTE spectrum licenses must reach rural areas first where there is no broadband fixed internet, but of course lobbying led to legislation forgetting to specify what bandwidth that actually would imply; not to mention, of course, that > 3GB/month high speed internet is extremely costly, so this would not even be an option if the LTE coverage *would* exist.

          Satellite dishes are a very common phenomenon in cities, especially in apartment towers with lower rent; that might have something to do with families with migration background wanting to watch “home” TV, but the percentage of flats with dishes in my perception is higher than the percentage of immigrants, usually (notice: I’m not a walking statistics tool, so take this with a grain of salt). You might consider this calculation, valid for where I’m from (https://app.unitymedia.de/bestellung/auswahl):

          * cable contract: 18,90€ /month (minimum contract duration 12 mo)

          * single time activation: 30€

          * no hardware included, but most TVs nowadays can deal with DVB-C directly

          hence: cost of one year ownership: 256.80€. Channels: 7 “serious, non infomercial” HD channels, and about 34 relevant SD channels, not counting these that are also available in HD.

          So, comparing this to satellite TV (excuse me if my prices are high, I’m not good at getting “bad deals”, but I’m trying to figure out what my dad would spend if he went out and bought something like this; and he’s definitely relatively tech-savvy and won’t buy all the bullshit the guy at the store tries to sell him):

          * no contract, no activation
          * satellite dish: 60cm ca 50€ (saturn.de)
          * LNB: 10€ http://www.saturn.de/mcs/product/_SCHWAIGER-SPS-6910-Universal-Single-LNB-40-mm,48352,474997,272319.html?langId=-3
          * lots and lots of coax cable: 30€

          Price of one year of ownership: ca 90€.
          Number of channels: around all there are?

          You do the math. I’m not watching any TV, so it’s the first time I calculated this. I can’t just believe how bad it is.

          On the other hand, you can also get internet through your TV cable (again, not in remote locations…), and I used to have that, but then I cancelled my contract, because they didn’t manage to get reliability up, just because they tried to cramp too many users into too little backbone. When a caterpillar damaged one cable, about half a million households were offline; when I learned that there was absolutely zero redundancy, it was time to leave, since I earn my money partly through being able to access the net.

      2. greetings from Poland

        I live in a rural village with around 200 other people, the closest town is 10 km from me with just 20k people, the nearest city is over 50 km away with 120k people

        I have 100/10 Mbps optic fibre for just under €20 a month, or can choose from a selection of wifi (up to 15Mbps) for half that price

        there is no transfer cap for any of that

        1. Greetings from urban Romania, where for 25 euros a month I get a 500Mbit fiber optic connection to the home, a landline which I seldom use, and a mobile phone that is pretty much free to use (apart from the monthly 4 euros contract for it – included in the 25 euros mentioned earlier.)

          The only reason I don’t pay a couple of cents more for a gigabit upgrade is that this works fine for me, and instead of buying a 5GHz router, I pay those extra cents to rent one from the ISP…..

          1. *sigh* if only German politicians read these comments. They really don’t realize that fast internet is neither impossible nor a negligible competitive advantage… I actually know of a company that had to *relocate* their accounting in the late 90’s because there literally was no access better than ISDN (64kb/s, or aggregate lines) available at the place, just because 20 or so employees needed Email access at once, and occasionally had to send technical documents. Nowadays it’s the same business: photographers and advertisement agencies can’t be operated from the outskirts of cities, let alone villages (which is the biggest bullshit), and companies *right in the center of Munich* pay 200+ €/Month for a little more than 50Mb/s, and still experienced multiple days of downtime during the three months I worked there. Great for a company that mainly works by writing emails, researching stuff on the internet and having VoIP calls.

        2. Ha Ha that was hilarious
          my turn:

          greetings from Poland!

          I live in Warsaw. Polish capital, 10 km from city centre.

          I have 7 / 0.8 Mbps ADSL for JUST around €20 a month, or I can choose ~ 15 Mbps LTE.

          there is no transfer cap for any of that :)

      3. And here I am, living in a rural village with 215 people, and I have a 1G fiber connection for about 20€ a month.
        Besides that I also have a satellite dish and a receiver with about 200 channels that I rarely watch.

        Internet infrastructure should be built with tax money, since otherwise no one will ever lay fiber out to the rural areas.

        1. N00bs. Cry(*):

          In Spain you’ve got the amazing experience of 10/1Mbits for 65€/month! (this includes VAT and phone line -18€-).

          This is the average speed for 30~40% of populations. But you can suffer too if you are lucky enough! You can live in the capital and get this amazing offer. I’ve got 10/1 ADSL TODAY. Fiber or HFC? Not yet! Sorry!.

          When you were searching for a rental or new house you opened the pages of the main 3 operators looking for coverage, sad, very sad :(

          (*) No offense, *ironic on*

      4. I get 50 Mbit cable a month with a 300GB “usage guideline”. It’s not a cap, as in you don’t get cut off or charged more, BUT if you exceed it for 3 months, you are forced to the next higher tier ($50/mo up to $75/mo for I think 70Mbit with a 400 GB “data guideline”).

        It kinda makes me thankful for having a 720p TV and an old 480p TV and older Roku so that we can at least stream a reasonable amount of shows. My wife’s PC though streams at the HQ 1080p as you can’t set resolution on the Netflix app, which eats through bandwidth like a teenager through a plate of pizza rolls.

        BTW, I know about the Low, Med, High settings, but I don’t want to limit everything to DVD quality. IF there was a limit to 720p setting, I might consider that.

    2. Anyone living outside of a major city, even in states like Florida where it’s flat and easy to run cable.

      Only 20 mi out of a major Florida city and sometimes you can’t get any cable or consumer high speed internet services outside of a cell phone (which is of course super costly), which leaves you with traditional POTS lines and broadcast TV or satellite TV.

  1. Considering that millions of STBs are made with an STi7111 is a pretty excessive assumption.
    This chip was designed 10 years ago, and in the STB life cycle, it’s almost a dinosaur.

  2. Working in an industry that deploys embedded Linux (not entertainment), I see this lack of regard for security all around me; the assumption that if the network is private it can’t be hacked, or no-one would be interested in hacking a low volume industrial embedded controller anyway. The motivation is very much getting product developed as quickly as possible which goes a long way to justifying use of multi-user Linux: It’s very easy to build and get working vs. some closed source offerings (at the expense of very roughly double the memory footprint of the better commercial embedded OSs once a reasonable rootfs is built).

    What would be nice to have is peer reviewed best practices for hardening embedded Linux, providing update mechanisms, field logging and debugging, etc that everyone can adhere to without having to try and reinvent the wheel.

    1. Read the hackaday article about gaining access by means of employing badly (or not at all) sandboxed game scripts?

      Imagine if someone who developed browsers said something like “Ok, this browser will only be used on machines that are especially well-equipped with CPU and probably have a very solid internet access bandwidth, ah and people will probably save their credit card data in this browser to pay for addons. I think we can clearly label this as uninteresting for attacks!”.

      That’s exactly what’s been happening to embedded systems in the last 10 years. No shit. Luckily *many* router manufacturers have understood that and actually try to make their firmware safe. Of course, there’s exceptions.

      ISP branded firmware coders, I’m looking at you. Yes, you. The O2 guy. Yes, the one that the O2 DSL support team officially recommends using Internet Explorer to administrate the HTML interface. Why? Because IE ignores the “SEGMENTATION FAULT” that comes before the start of the HTML document ON EVERY SINGLE PAGE.

      I guess it’s not critical to O2, because it only hits a few thousand people:
      https://hilfe.o2online.de/thread/36417 https://hilfe.o2online.de/thread/62067

  3. I am surprised to hear that broadcasters would allow user-installable native plugins; none of the broadcasters I have done work for allows this.

    But it still holds that if you hold the hardware in your hands you can do whatever you want. It is just a question of how much time you are willing to throw at it.

    1. This doesn’t affect people who’ve got the genuine boxes. They aren’t even connected to the internet. To the phone line sometimes (only if you pay to have more than one box in your house – they are programmed to occasionally ring home, just to check that you haven’t taken one round your friend’s house), but I’ve never heard of an autodialling botnet. The only people who will get caught out are those who have bought the dodgy Chinese receivers designed pretty much exclusively for this. I suspect that the numbers are in the tens of thousands at the most, since the fact that you have to connect to some mystery remote server every few seconds just to watch TV scares off a lot of people. It’s nowhere near as anonymous as paying cash to buy a blackmarket card from a bloke in the pub.

      1. You don’t have to own a satellite receiver. If you have internet you could find yourself the victim of botnet activity generated by other peoples devices. Covertly created botnets aren’t built to do good.

  4. I have got 50/50 here in the Netherlands including IPTV for €60,- a month.
    You can get that in like 70% of the country. Is Germany really that bad when it comes to ISPs?

    1. 60/month is still a lot compared to what our Polish and Romanian neighbors seem to pay. I guess it has to do with these services not being priced at cost, but at affordability.

  5. If satellite viewers in Europe still have the right to buy a common access module to use whichever receiver they like then that is CW security out the window in those countries. It can’t be enforced by law.

    The main providers in the UK are seeking security through chain of trust from a CPU embedded secure bootloader handing over ultimately to signed middleware. It’s not completely secure yet, but it’s everything bad about security through obscurity. More so this bothers me a lot. I’m buying a computer and I’m not able to change the OS. If microsoft was doing this there would be rioting.

    We are moving toward an internet centric media. Big providers like Amazon and Google are competing for space under our TVs and they are doing so with ever more generic hardware and a focus for ease of access to build subscribers. Right now two paths are diverging and I’m not sure I want to be on either of them.

  6. And in other news… satellite receivers could be used as lo-tech information storage as a lot of them have spare areas in the Flash chip for wear leveling/future updates/etc.
    Write enough data to them but not too much and it will still update but overwrite a bit of the storage each time so sufficiently clever software can make use of this.
    A variant of Cryptowall uses this same technique to hide on hard drives and pendrive slack space with a very small trigger file hidden elsewhere.

    1. They are using Linux more and more, and having to release some source as a result. Of this kind the hacker only has to compromise 1 box to find out how the CW comms to the card work. This hack mostly concerns the other boxes, bought by users who want more control (think Dreambox), to boxes being sold with hacked firmware that do nothing but act as clients for CW sharing networks. I’ve seen a few of these on Amazon but I had no idea it was as widespread as the talk states.

  7. Scary, I had one of the first ST7100 based boxes available in NA.. In the latest round of piracy killing methods (2008) hackers realized that emulating the new smartcards on the STB wasn’t going to be practical, so they went back to smart card sharing, in real time, over the internet. There are likely millions of these STBs.
    Normally a satellite provider will only allow up to 6 smartcards per account. One of those cards could provide code words for 20 STBs. Multiple providers on one box. 5000 channels. You bet.
    They spent billions trying to stamp out satellite piracy, there were a couple of boxes that had working fixes before the latest smartcard solution was fully implemented. The fix has worked for years.
    Hackers even hacked a router to facilitate this process.
    Jung Kwak made millions, until he got caught and they RICO’d his Lamborghini.

  8. Greetings from South Korea.

    At home, I consistently get around 35~50 Mbps download speeds, and with 250+ channel IPTV, I pay probably around US$35 a month for two set-top boxes for the 2 TVs at home.

    I can’t imagine paying hundreds of dollars for internet and cable.

    Granted, Korea has very high population density, one of the highest in the world, but competition between 3 major providers has brought the price down.

    You usually sign up for a 3 year contract, at which point, most people switch to a different provider.

    ISPs give away cash and gift certificates amounting to anywhere from US$300 to US$400 to new subscribers to poach from other ISPs, so on average, spreading this out to 3 years, most people end up paying around US$25~30 per month for cable and internet, and internet phone can be added for a few dollars as well.

  9. Hi, here in the Netherlands I used to have a 150/15 Mbit cable connection with an IPTV set-top box which was running its own modem for the TV and on-demand functions. Now I’m on a 75/75 fiber line with IPTV, which costs me 45 euro a month and provides me with TV on my computers, tablets and phones, if the app would be fixed to work on Android 5.
