Pirate decryption


Pirate decryption most often refers to the decryption, or decoding, of pay TV or pay radio signals without permission from the original broadcaster. The term "pirate" in this case is used in the sense of copyright infringement and has little or nothing to do with sea piracy or pirate radio, which involved the operation of a small broadcast radio station without lawfully obtaining a license to transmit. The MPAA and other groups which lobby in favour of intellectual property (specifically copyright and trademark) regulations have labelled such decryption as "signal theft"[1] even though there is no direct tangible loss on the part of the original broadcaster, arguing that losing out on a potential chance to profit from a consumer's subscription fees counts as a loss of actual profit.

History

The concept of pay TV involves a broadcaster deliberately transmitting signals in a non-standard, scrambled or encrypted format in order to charge viewers a subscription fee for the use of a special decoder needed to receive the scrambled broadcast signal.

Early pay TV broadcasts in countries such as the United States used standard over-the-air transmitters; many restrictions applied as anti-siphoning laws were enacted to prevent broadcasters of scrambled signals from engaging in activities to harm the development of standard free-to-air commercial broadcasting. Scrambled signals were limited to large communities which already had a certain minimum number of unencrypted broadcast stations, relegated to certain frequencies. Restrictions were placed on access of pay TV broadcasters to content such as recent feature films in order to give free TV broadcasters a chance to air these programs before they were siphoned away by pay channels.

Under these conditions, the pay TV concept was very slow to become commercially viable; most television and radio broadcasts remained in-the-clear and were funded by commercial advertising, individual and corporate donations to educational broadcasters, direct funding by governments or license fees charged to the owners of receiving apparatus (the BBC in the UK, for example).

Pay TV only began to become common after the widespread installation of cable television systems in the 1970s and 1980s; early premium channels were most often movie broadcasters such as the US-based Home Box Office and Cinemax, both currently owned by Time Warner. Signals were obtained for distribution by cable companies using C-band satellite dish antennae of up to ten feet in diameter; the first satellite signals were originally unencrypted as extremely few individual end-users could afford the large and expensive satellite receiving apparatus.

As satellite dishes became smaller and more affordable, most satellite signal providers adopted various forms of encryption in order to limit reception to certain groups (such as hotels, cable companies, or paid subscribers) or to specific political regions. Early encryption attempts such as Videocipher II were common targets for pirate decryption as dismayed viewers saw large amounts of formerly-unencrypted programming vanishing. Nowadays some free-to-air satellite content in the USA still remains, but many of the channels still in the clear are ethnic channels, local over-the-air TV stations, international broadcasters, religious programming, backfeeds of network programming destined to local TV stations or signals uplinked from mobile satellite trucks to provide live news and sports coverage.

Specialty channels and premium movie channels are most often encrypted; in most countries, broadcasts containing explicit pornography must always be encrypted to prevent reception by those who wish not to be exposed to this sort of "adult content."

Technical issues

Initial attempts to encrypt broadcast signals were based on analogue techniques of questionable security, the most common being one or a combination of techniques such as:

These systems were designed to provide decoders to cable operators at low cost; a serious tradeoff was made in security. Some analogue decoders were addressable so that cable companies could turn channels on or off remotely, but this only gave the cable companies control of their own descramblers: valuable if needed to deactivate a stolen cable company decoder, but useless against hardware designed by signal pirates.

The first encryption methods used for big-dish satellite systems used a hybrid approach; analogue video and digital encrypted audio. This approach was somewhat more secure, but not completely free of problems due to piracy of video signals.

Direct broadcast satellites and digital cable services, because of their digital format, are free to use more robust security measures such as the Data Encryption Standard (DES) or the RSA and IDEA digital encryption standards. When first introduced, digital DBS broadcasts were touted as being secure enough to put an end to piracy once and for all. Often these claims would be made in press releases.

The enthusiasm was short-lived. In theory the system was an ideal solution, but some corners had been cut in the initial implementations in the rush to launch the service. The first US DirecTV smart cards were based on the BSkyB VideoCrypt card known as the Sky 09 card. The Sky 09 card had been introduced in 1994 as a replacement for the compromised Sky 07 card. The Sky 09 card had itself been totally compromised in Europe at the time (1995). The countermeasure employed by NDS Group, the designers of the VideoCrypt system, was to issue a new smartcard (known as the Sky 10 card) that included an ASIC in addition to the card's microcontroller. This innovation made it harder for pirates to manufacture pirate VideoCrypt cards. Previously, the program in the Sky card's microcontroller could be rewritten for other microcontrollers without too much difficulty. The addition of an ASIC took the battle between the system designers and pirates to another level and it bought BSkyB at least six months of almost piracy-free broadcasting before the pirate Sky 10 cards appeared on the market in 1996. Initial pirate Sky 10 cards had an implementation of this ASIC but once supplies ran out, pirates resorted to extracting the ASICs from deactivated Sky cards and reusing them.

The first US DirecTV "F" card did not contain an ASIC and it was quickly compromised. Pirate DirecTV cards based on microcontrollers that were often ironically more secure than that used in the official card became a major problem for DirecTV. Similar errors had been made by the developers of the UK's terrestrial digital Xtraview Encryption System, which provided no encryption and relied on hiding channels from listings.

The DirecTV "F" card was replaced with the "H" card, which contained an application-specific integrated circuit to handle decryption. However, due to similarities between the "H" and other existing cards, it became apparent that while the signal could not be received without the card and its ASIC, the card itself was vulnerable to tampering by reprogramming it to add channel tiers or additional programming, opening TV channels to the prying eyes of the pirates.

Two more card swaps would be necessary before the piracy headaches at DirecTV would finally go away; a number of other providers are also in the middle of swapping out all of their subscribers' smartcards due to compromised encryption methods or technology.

A number of vulnerabilities exist even with digital encryption:

On May 15, 2008, a jury in the Echostar vs NDS civil lawsuit (8:2003cv00950) awarded Echostar just over $1500 USD in damages; Echostar originally sought $1 billion in damages from NDS. However, a jury was not convinced of the allegations Echostar had made against NDS and awarded damages only for the factual claims that were proven and for which the jury believed an award should be given in accordance with the laws of the United States.

In some cases, fraudulent cloning has been used to assign identical serial numbers to multiple receivers or cards; subscribe (or unsubscribe) one receiver and the same programming changes appear on all of the others. Various techniques have also been used to provide write protection for memory on the smartcards or receivers to make deactivation or sabotage of tampered cards by signal providers more difficult.

Systems based on removable smartcards do facilitate the implementation of renewable security, where compromised systems can be repaired by sending new and redesigned cards to legitimate subscribers, but they also make the task of replacing smartcards with tampered cards or inserting devices between card and receiver easier for pirates. In some European systems, the conditional-access module (CAM) which serves as a standardized interface between smartcard and DVB receiver has also been targeted for tampering or replaced by third-party hardware.

Improvements in hardware and system design can be used to significantly reduce the risks of any encryption system being compromised, but many systems once thought secure have been proven vulnerable to sufficiently sophisticated and malicious attackers.

Two-way communication has also been used by designers of proprietary digital cable TV equipment in order to make tampering more difficult or easier to detect. A scheme involving the use of a high-pass filter on the line to prevent two-way communication has been widely promoted by some unscrupulous businesses as a means of disabling communication of billing information for pay-per-view programming but this device is effectively worthless as a cable operator remains free to unsubscribe a digital set-top box if two-way communication has been lost. As a device intended to pass signals in one direction only, the line filters offer nothing that couldn't be done (with the same results) by an inexpensive signal booster - a simple one-way RF amplifier already widely available cheaply and readily for other purposes. Also, many such boxes will disallow access to pay-per-view content after a set number of programs are watched before the box can transmit this data to the headend, further reducing the usefulness of such a filter.
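The provider-side checks described above (spotting a cloned serial number, and noticing a set-top box whose return path has gone silent) can be sketched as a headend audit. This is an added example, not part of the original article or any operator's software; the record layout, serial numbers, node names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed return-path check-in records: (timestamp, box serial, cable node).
CHECKINS = [
    ("2024-03-01T20:00:00", "STB-1001", "node-A"),
    ("2024-03-01T20:05:00", "STB-1002", "node-A"),
    ("2024-03-01T20:06:00", "STB-1002", "node-C"),  # same serial, second node
    ("2024-03-05T09:00:00", "STB-1001", "node-A"),
    ("2024-03-05T09:10:00", "STB-1002", "node-A"),
    ("2024-03-05T09:12:00", "STB-1002", "node-C"),
    ("2024-02-10T11:00:00", "STB-1003", "node-B"),  # silent since February
    ("2024-02-01T08:00:00", "STB-1005", "node-B"),  # subscriber moved house:
    ("2024-03-01T08:00:00", "STB-1005", "node-D"),  # new node a month later
]
# Constructed subscriber list; STB-1004 has never reported at all.
SUBSCRIBED = {"STB-1001", "STB-1002", "STB-1003", "STB-1004", "STB-1005"}
NOW = datetime(2024, 3, 6)  # assumed time of the audit run


def group_by_serial(checkins):
    """Return {serial: [(time, node), ...]} with each list sorted by time."""
    by_serial = defaultdict(list)
    for ts, serial, node in checkins:
        by_serial[serial].append((datetime.fromisoformat(ts), node))
    for events in by_serial.values():
        events.sort()
    return by_serial


def silent_boxes(checkins, subscribed, now=NOW, max_silence=timedelta(days=14)):
    """Subscribed boxes with no return-path traffic inside max_silence.

    A line filter on the return path shows up here; the operator is then
    free to unsubscribe the box, which is why the filter gains nothing.
    """
    by_serial = group_by_serial(checkins)
    silent = []
    for serial in sorted(subscribed):
        events = by_serial.get(serial)
        if not events or now - events[-1][0] > max_silence:
            silent.append(serial)
    return silent


def cloned_serials(checkins, window=timedelta(minutes=30)):
    """Serials reporting from different nodes within a short window.

    One physical box cannot be on two cable nodes at nearly the same time,
    while a box that moved (STB-1005) reports from a new node much later.
    """
    flagged = {}
    for serial, events in group_by_serial(checkins).items():
        nodes = set()
        for i, (t1, n1) in enumerate(events):
            for t2, n2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # events are sorted, later ones are further away
                if n1 != n2:
                    nodes.update((n1, n2))
        if nodes:
            flagged[serial] = sorted(nodes)
    return flagged


if __name__ == "__main__":
    print("silent:", silent_boxes(CHECKINS, SUBSCRIBED))
    print("cloned:", cloned_serials(CHECKINS))
```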

Terminology and Definitions

Some of the terminology used to describe various devices, programs and techniques dealing with Pay-TV piracy is named for the particular hacks. The "Season" interface for example is named after the Season7 hack on Sky TV which allowed a PC to emulate a legitimate Sky-TV smartcard. The Season7 referred to the seventh and final season of Star Trek: The Next Generation which was then showing on Sky One. The "Phoenix" hack was named after the mythical bird which can reanimate itself. The hack itself reactivated smartcards that had been switched off by the providers.

Some of the terminology used on Internet discussion sites to describe the various devices, programs and techniques used in dealing with video piracy is strange, non-standard, or specific to one system. The terms are often no different from the brand names used by legitimate products and serve the same function.

ISO/IEC 7816 smartcard terminology

Receiver (IRD) and microprocessor terminology

SmartCard piracy

Smart card piracy involves the unauthorised use of conditional-access smart cards, in order to gain, and potentially provide to others, unauthorised access to pay-TV or even private media broadcasts. Smart card piracy generally occurs after a breach of security in the smart card, exploited by computer hackers in order to gain complete access to the card's encryption system.

Once access has been gained to the smart card's encryption system, the hacker can perform changes to the card's internal information, which in turn tricks the conditional-access system into believing that it has been allowed access, by the legitimate card provider, to other television channels using the same encryption system. In some cases, the channels do not even have to be from the same television provider, since many providers use similar encryption systems, or use cards which have the capacity to store information for decoding those channels also. The information on how to hack the card is normally held within small, underground groups, to which public access is not possible. Instead, the hacking groups may release their hack in several forms. One such way is simply to release the encryption algorithm and key. Another common release method is by releasing a computer program which can be used by the smart card user to reprogram their card. Once complete, the now illegally modified smart card is known as a "MOSC" (Modified Original Smart Card). A third such method, more common in recent times, is to sell the information gained on the encryption to a third party, who will then release their own smart card, such as the K3 card. This third party, for legal reasons, will then use a fourth party to release encrypted files, which then allow the card to decode encrypted content.

Along with modifying original cards, it is possible to use the information provided by the smart card to create an encryption emulator. This, in turn, can be programmed into a cable or satellite receiver's internal software, and offered for download on the internet as a firmware upgrade. This allows access to the encrypted channels by those who do not even own a smart card. In recent times, many underground forum websites dedicated to the hobby of satellite piracy and encryption emulated Free To Air (FTA) receivers have been set up, giving up-to-date information on satellite and cable piracy, including making available firmware downloads for receivers, and very detailed encryption system information available to the public.

Upon gaining the knowledge that their system has been compromised, the smart card providers often have several counter measure systems against unauthorised viewing, which can be put in place over the air, in most cases causing virtually no disruption to legitimate viewers. The simplest form of counter measure is a key change. This simply halts viewing for those viewing without authorisation temporarily, since the new key can easily be accessed in the hacked card, and implemented. There are often other more complicated procedures which update a part of the smart card in order to make it inaccessible. These procedures can also, however, be hacked, once again allowing access. This leads to a game of "cat and mouse" between the smart card provider, and the hackers. This, after several stages of progression, can leave the smart card provider in a situation where they no longer have any further counter measures to implement. This leaves them in a situation where they must perform a card and encryption change with all legitimate viewers, in order to eliminate the viewing of the service without permission, at least for the foreseeable future.

Such has been the success of implementing new smart card systems, that another form of smart card piracy has grown in popularity. This method is called card sharing, which works by making available the smart card decoding information in real time to other users, via a computer network. Police monitoring of unsecured card sharing networks has led to prosecutions.

Virtually every common encryption system is publicly known to have been compromised. These include Viaccess, Nagravision, SECA Mediaguard and Conax. The MediaCipher system, owned by Motorola, along with Scientific Atlanta's PowerKEY system, are the only digital TV encryption systems which have not publicly been compromised. This is largely thanks to there being no PC card conditional-access modules (CAMs) available for either encryption system.

Despite the unauthorised decryption of media being illegal in many countries, smart card piracy is a crime which is very rarely punished, due to it being virtually undetectable, particularly in the case of satellite viewing. Laws in many countries do not clearly specify whether the decryption of foreign media services is illegal or not. This has caused much confusion in places such as Europe, where the proximity of many countries, coupled with the large land mass covered by satellite beams, allows signal access to many different providers. These providers are reluctant to pursue criminal charges against many viewers as they live in different countries. There have, however, been several high profile prosecution cases in the USA, where satellite dealers have been taken to court resulting in large fines or jail time.[2]

Internet key sharing

Main article: card sharing

An Internet key sharing scheme consists of one smart card with a valid, paid subscription which is located on an Internet server. It generates a stream of real-time decryption keys which are broadcast over the Internet to an unlimited number of remotely located satellite receivers. Possible limiting factors in the number of remotely located satellite receivers are the network latency, the period between the updated keys, and the ability of the card client's receiver to use the decrypted key stream; however, no physical or theoretical limit exists.

Each receiver is configured in an identical manner, a clone receiving the same television signal from a satellite and, from the internet server, the same decryption keys to unlock that signal. As the server must have individually subscribed smart cards for each channel to be viewed, its continued operation tends to be costly and may require multiple subscriptions under different names and addresses. There is also a risk that as the number of card clients on the card sharing network grows, it will attract the attention of the satellite TV service provider and law enforcement agencies and the monitoring of IP addresses associated with this card sharing network may identify individual users and server operators who then become targets for legal action by the satellite TV service provider or by legal authorities.

Key sharing schemes are typically used where replacement of compromised smart card systems (such as the deprecation of Nagra 1/2 in favour of Nagra 3) has made other pirate decryption methods non-functional.

In February 2014, an episode of BBC's "Inside Out" disclosed that the complete Sky TV package could be obtained from black-market sources for as little as £10 per month through Internet key sharing; Swansea and Cardiff were highlighted with significant activity in pubs using cracked boxes to show Premier League football.[3]

Political issues

In some countries such as Canada and many Caribbean nations (except for the Dominican Republic), the black market in satellite TV piracy is closely tied to the gray market activity of using direct broadcast satellite signals to watch broadcasts intended for one country in some other, adjacent country. Many smaller countries have no domestic DBS operations and therefore few or no legal restrictions on the use of decoders which capture foreign signals.

The refusal of most providers to knowingly issue subscriptions outside their home country leads to a situation where pirate decryption is perceived as being one of the few ways to obtain certain programming. If there is no domestic provider for a channel, a grey market (subscribed using another address) or black market (pirate) system is prerequisite to receive many specific ethnic, sport or premium movie services.

Pirate or grey-market reception also provides viewers a means to bypass local blackout restrictions on sporting events and to access hard-core pornography where some content is not otherwise available.

The grey market for US satellite receivers in Canada at one point was estimated to serve as many as several hundred thousand English-speaking Canadian households. Canadian authorities, acting under pressure from cable companies and domestic broadcasters, have made many attempts to prevent Canadians from subscribing to US direct-broadcast services such as Liberty Media's DirecTV and Echostar's Dish Network.

While litigation has gone as far as the Supreme Court of Canada, no judicial ruling has yet been made on whether such restrictions violate the safeguards of the Canadian Charter of Rights and Freedoms which are intended to protect freedom of expression and prevent linguistic or ethnic discrimination. Domestic satellite and cable providers have adopted a strategy of judicial delay in which their legal counsel will file an endless series of otherwise-useless motions before the courts to ensure that the proponents of the grey-market systems run out of money before the "Charter Challenge" issue is decided.

According to K. William McKenzie, the Orillia Ontario lawyer who won the case in the Supreme Court of Canada, a consortium headed by David Fuss and supported by Dawn Branton and others later launched a constitutional challenge to defeat section 9(1)(c) of the Radiocommunication Act on the basis that it breached the guarantee of Freedom of Expression enshrined in section 2 (c) of the Canadian Charter of Rights.

The evidence compiled by Mr. McKenzie from his broadcasting clients in opposition to this challenge was so overwhelming that it was abandoned and the Court ordered that substantial costs be paid by the applicants.

In most cases, broadcast distributors will require a domestic billing address before issuing a subscription; post boxes and commercial mail receiving agencies are often used by grey-market subscribers to foreign providers to circumvent this restriction.

The situation in the US itself differs as it is complicated by the legal question of subscriber access to distant local TV stations. Satellite providers are severely limited in their ability to offer subscriptions to distant locals due to the risk of further lawsuits by local affiliates of the same network in the subscriber's home designated market area. California stations have sued satellite providers who distributed New York signals nationally, as the distant stations would have an unfair advantage by broadcasting the same programming three hours earlier.

There is also a small "reverse gray market" for Canadian signals, transmitted with a footprint which sends full-strength DBS signals to many if not all of the contiguous 48 US states. This is desirable not only to receive Canadian-only content, but because some US-produced programs air in Canada in advance of their US broadcast. The question of signal substitution, by which Canadian cable and satellite providers substitute the signal of a local or domestic channel over a foreign or distant channel carrying the same program, is rendered more complex by the existence of a reverse grey market. Signal substitution had already been the cause of strong diplomatic protests by the United States, which considers the practice to constitute theft of advertising revenue.

The lack of domestic competition for premium movie channels in Canada is one factor encouraging grey-market reception; language is another key issue as most Spanish-language programming in North America is on the US system and most French-language programming is on the Canadian system. A larger selection of sports and ethnic programming is also available to grey-market subscribers.

It could be said that the 1000-channel universe is a "reality" in North America, but only for the signal pirates as many legal and geographic restrictions are placed on the ability to subscribe to many if not most of the physically available channels.

Other countries such as Nicaragua during Sandinista rule, Cuba, Iran (Islamic Republic of Iran) and Afghanistan during Taliban rule and Iraq during the Saddam Hussein regime, have attempted to prohibit their citizens from receiving any satellite broadcasts from foreign sources.

The situation in Europe differs somewhat, due to the much greater linguistic diversity in that region and due to the use of standardized DVB receivers capable of receiving multiple providers and free-to-air signals. North American providers normally lock their subscribers into "package receivers" unable to tune outside their one package; often the receivers are sold at artificially low prices and the subscription cost for programming is increased in order to favour new subscribers over existing ones. Providers are also notorious for using sales tactics such as bundling, in which to obtain one desired channel a subscriber must purchase a block of anywhere from several to more than a hundred other channels at substantial cost.

Many European companies such as British Sky Broadcasting prohibit subscriptions outside the UK and Ireland. But other satellite providers such as Sky Deutschland do sell yearly subscription cards legally to customers in other European countries without the need for an address or other personal information. The latter also applies to virtually all the Adult channel cards sold in Europe.

Counter-piracy techniques

A number of strategies have been used by providers to control or prevent the widespread pirate decryption of their signals.

One approach has been to take legal action against dealers who sell equipment which may be of use to satellite pirates; in some cases the objective has been to obtain lists of clients in order to take or threaten to take costly legal action against end-users. Providers have created departments with names like the "office of signal integrity" or the "end-users group" to pursue alleged pirate viewers.

As some equipment (such as a computer interface to communicate with standard ISO/IEC 7816 smartcards) is useful for other purposes, this approach has drawn strong opposition from groups such as the Electronic Frontier Foundation. There have also been US counter-suits alleging that the legal tactics used by some DBS providers to demand large amounts of money from end-users may themselves appear unlawful or border on extortion.

Much of the equipment is perfectly lawful to own; in these cases, only the misuse of the equipment to pirate signals is prohibited. This makes provider attempts at legal harassment of would-be pirates awkward at best, a serious problem for providers which is growing due to the Internet distribution of third-party software to reprogram some otherwise legitimate free-to-air DVB receivers to decrypt pay TV broadcasts with no extra hardware.

US-based Internet sites containing information about the compromised encryption schemes have also been targeted by lawyers, often with the objective of costing the defendants enough in legal fees that they have to shut down or move their sites to offshore or foreign Internet hosts.

In some cases, the serial numbers of unsubscribed smartcards have been blacklisted by providers, causing receivers to display error messages. A "hashing" approach of writing arbitrary data to every available location on the card and requiring that this data be present as part of the decryption algorithm has also been tried as a way of leaving less available free space for third-party code supplied by pirates.
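A toy model of the "hashing" approach just described, as an added example that is not from the original article or any real conditional-access system: the provider fills every free byte of the card with filler and derives the key that unwraps each control word from a digest of the whole memory image, so any third-party code written into that space stops the card decrypting. Memory sizes, key material and the wrapping scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac

MEM_SIZE = 4096       # assumed size of the card's non-volatile memory
FIRMWARE_END = 1024   # assumed: bytes [0, 1024) hold the provider's code
CARD_KEY = b"constructed-card-key"     # constructed secret shared with the headend
FILL_SEED = b"constructed-fill-seed"   # constructed seed for the filler data
CONTROL_WORD = bytes(range(16))        # constructed 16-byte control word


def fill_free_space(memory: bytearray, seed: bytes) -> None:
    """Overwrite every byte after the firmware with provider-chosen filler."""
    need = len(memory) - FIRMWARE_END
    filler = bytearray()
    counter = 0
    while len(filler) < need:
        filler += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    memory[FIRMWARE_END:] = filler[:need]


def build_image() -> bytearray:
    """Memory image as the provider expects it: firmware plus filler."""
    memory = bytearray(MEM_SIZE)
    memory[:FIRMWARE_END] = b"\xaa" * FIRMWARE_END  # stand-in for real firmware
    fill_free_space(memory, FILL_SEED)
    return memory


def wrapping_key(card_key: bytes, memory: bytearray, nonce: bytes) -> bytes:
    """Key bound to the card secret AND to every byte of card memory."""
    image_digest = hashlib.sha256(bytes(memory)).digest()
    return hmac.new(card_key, image_digest + nonce, hashlib.sha256).digest()


def wrap_control_word(cw: bytes, card_key: bytes, memory: bytearray,
                      nonce: bytes) -> bytes:
    """Headend side: mask the control word and append a short check tag."""
    key = wrapping_key(card_key, memory, nonce)
    masked = bytes(a ^ b for a, b in zip(cw, key[:16]))
    tag = hmac.new(key[16:], masked, hashlib.sha256).digest()[:8]
    return masked + tag


def unwrap_control_word(blob: bytes, card_key: bytes, memory: bytearray,
                        nonce: bytes):
    """Card side: return the control word, or None if memory was altered."""
    key = wrapping_key(card_key, memory, nonce)
    masked, tag = blob[:16], blob[16:]
    expected = hmac.new(key[16:], masked, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(masked, key[:16]))


def demo():
    """Return (result on an intact card, result after free space is overwritten)."""
    provider_image = build_image()
    card = bytearray(provider_image)
    blob = wrap_control_word(CONTROL_WORD, CARD_KEY, provider_image, b"nonce-1")
    intact = unwrap_control_word(blob, CARD_KEY, card, b"nonce-1")
    card[2000:2064] = b"\x90" * 64  # foreign bytes written into the filler area
    tampered = unwrap_control_word(blob, CARD_KEY, card, b"nonce-1")
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```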

Another approach has been to load malicious code onto smartcards or receivers; these programs are intended to detect tampered cards and maliciously damage the cards or corrupt the contents of non-volatile memories within the receiver. This particular Trojan horse attack is often used as an ECM (electronic countermeasure) by providers, especially in North America where cards and receivers are sold by the providers themselves and are easy targets for insertion of backdoors in their computer firmware. The most famous ECM incident was the Black Sunday attack launched against tampered DirecTV "H" cards on January 21, 2001 and intended to destroy the cards by overwriting a non-erasable part of the card's internal memory in order to lock the processor into an endless loop.

The results of a provider resorting to the use of malicious code are usually temporary at best, as knowledge of how to repair most damage tends to be distributed rapidly by hobbyists through various Internet forums. There is also a potential legal question involved (which has yet to be addressed) as the equipment is normally the property not of the provider but of the end user. Providers will often print on the smartcard itself that the card is the property of the signal provider, but at least one legal precedent indicates that marking "this is mine" on a card, putting it in a box with a receiver and then selling it can legally mean "this is not mine anymore". Malicious damage to receiver firmware puts providers on even shakier legal ground in the unlikely event that the matter were ever to be heard by the judiciary.

The only solution which has shown any degree of long-term success against tampered smartcards has been the use of digital renewable security; if the code has been broken and the contents of the smartcard's programming widely posted across the Internet, replacing every smartcard in every subscriber's receiver with one of different, uncompromised design will effectively put an end to a piracy problem. Providers tend to be slow to go this route due to cost (as many have millions of legitimate subscribers, each of which must be sent a new card) and due to concern that someone may eventually crack the code used in whatever new replacement card is used, causing the process to begin anew.

Premiere in Germany has replaced all of its smartcards with the Nagravision Aladin card; the US DirecTV system has replaced its three compromised card types ("F" had no encryption chip, "H" was vulnerable to being reprogrammed by pirates and "HU" were vulnerable to a "glitch" which could be used to make them skip an instruction). Both providers have been able to eliminate their problems with signal piracy by replacing the compromised smartcards after all other approaches had proved to provide at best limited results.

Dish Network and Bell TV had released new and more tamper-resistant smart cards over the years, known as the ROM2, ROM3, ROM10, ROM11 series. All these cards used the Nagravision 1 access system. Despite introducing newer and newer security measures, older cards were typically still able to decrypt the satellite signal after new cards were released (A lack of EEPROM space on the ROM2 cards eventually led to them being unable to receive updates necessary to view programming). In an effort to stop piracy, as by this point the Nagravision 1 system had been thoroughly reverse-engineered by resourceful hobbyists, an incompatible Nagravision 2 encryption system was introduced along with a smart card swap-out for existing customers. As more cards were swapped, channel groups were slowly converted to the new encryption system, starting with pay-per-view and HDTV channels, followed by the premium movie channels. This effort culminated in a complete shutdown of the Nagravision 1 datastream for all major channels in September, 2005. Despite these efforts to secure their programming, a software hack was released in late August, 2005, allowing for the decryption of the new Nagravision 2 channels with a DVB-S card and a PC. Just a few months later, early revisions of the Nagravision 2 cards had been themselves compromised. Broadcast programming currently uses a simulcrypt of Nagravision 2 and Nagravision 3, a first step toward a possible future shutdown of Nagravision 2 systems.

One of the most severe sentences handed out for satellite TV piracy in the United States was to a Canadian businessman, Martin Clement Mullen, widely known for over a decade in the satellite industry as "Marty" Mullen.

Mullen was sentenced to seven years in prison with no parole and ordered to pay DirecTV and smart card provider NDS Ltd. US$24 million in restitution. He pled guilty in a Tampa, Florida court in September 2003 after being arrested when he entered the United States using a British passport in the name "Martin Paul Stewart".

Mr. Mullen had operated his satellite piracy business from Florida, the Cayman Islands and from his home in London, Ontario, Canada. Testimony in the Florida court showed that he had a network of over 100 sub-dealers working for him and that during one six-week period, he cleared US$4.4 million in cash from re-programming DirecTV smartcards that had been damaged in an electronic counter measure.

NDS Inc. Chief of Security John Norris is credited with pursuing Mullen for a decade in three different countries. When Mullen originally fled the United States to Canada in the mid-1990s, Norris launched an investigation that saw an undercover operator (a former Canadian police officer named Don Best) become one of Mullen's sub-dealers and his closest personal friend for over a year. In summer of 2003 when Mullen travelled under another identity to visit his operations in Florida, US federal authorities were waiting for him at the airport after being tipped off by Canadian investigators working for NDS Inc.

Ironically the NDS Group were accused (in several lawsuits) by Canal+ (dismissed) and Echostar (now Dish Network) of hacking the Nagra encryption and releasing the information on the internet. The jury awarded EchoStar $45.69 actual damages (one month's average subscription fee) in Claim 3.
