Hacking Your Cable TV Network: Die Hard Style presented at HackInTheBox 2014

by Rahul Sasi

Summary: Ever since I started with computers and hacking, I was fascinated with the idea of hacking into TV networks and being able to broadcast my own videos to TV users. In 2007, the movie Die Hard was released, which showed hackers hacking into TV networks via satellites. Television is a one-way medium, unlike the Internet. Whatever you stream to your audience, they cannot question back. So if someone hacked into your TV provider and streamed a video stating that a riot has started in the nearby village/city, that could cause some panic. Such attacks could not easily be achieved 6 to 7 years ago, as the attack vectors were very few; however, all that changed with the arrival of digital TVs, triple play and IPTV networks…
IPTV Networks
IP Television enables the broadcasting and delivery of audio and video over IP network infrastructure. This technique also uses digital modulation at the head end; the signal can be easily compressed, sent over the IP network and decoded only by means of an IP set-top box placed at the subscriber's premises.
Digital Dish TVs: What we are NOT hacking.
These TV devices were hard to attack because they were only receivers. Currently these devices decode the incoming data via an Ethernet cable, a satellite dish, a coaxial cable or a telephone line.
“A set-top box (STB) or set-top unit (STU) is an information appliance device that generally contains a TV-tuner input and display output connects to a television set and an external source of signal, turning the source signal into content in a form that can then be displayed on the television screen or other display device.” - http://en.wikipedia.org/wiki/Set-top_box
IPTV Networks: What we ARE hacking
There are lots of small cable TV vendors involved in their local cable business. Their networks used to run on fiber cables and now need an update, so they’ve converted their local networks into local IPTV networks using a few set-top boxes. These devices can send and receive signals. Each device is uniquely identified, connected to the cable network and granted an IP address. Local service providers can therefore send the various commands supported by the device and stream video to a device of their choice. They can also shut down a device remotely, for example if no payment has been received, or even swap one package for another.
We spent a lot of our summer moving from one cable TV operator to another trying to understand “how stuff worked” and to understand the various processes in place. There was quite a lot to learn and we will share the many ways to successfully attack these devices in our talk. We will cover the following topics:
1) Reverse engineering firmware
2) Locating your attack targets [The mother program]
3) Web Applications – finding critical implementation bugs [The kind you have never seen before].
4) Network layer attacks on these devices
The talk will have various small demos that will include:
• Shutting down cable service for multiple users.
• Remotely updating the firmware of set-top boxes.
Our final demo will show how attackers could swap a channel with their own movie or video – just like in the Die Hard movie!