SE-2011-01 Press Info

03 January 2012, Poznan, Poland

Security Explorations, a security and vulnerability research company from Poland, discovered multiple security vulnerabilities in the major polish digital satellite platform "N" [1]. The most serious of the 24 weaknesses uncovered allows for a remote attack against network connected, satellite set-top-box equipment and for the persistent and automatic malware code installation on it. As a result, full control over the vulnerable set-top-box devices can be gained by attackers, which could conduct all sorts of malicious activities on them. This in particular includes unauthorized capture and sharing of a digital satellite signal with arbitrary (non-paying) audience

All four satellite receivers (ITI5800S, ITI5800SX, ITI2850ST, ITI2849ST) tested in Security Explorations' lab were the products of Advanced Digital Broadcast company [2] built for ITI Neovision [3]. All of them implement Conax [4] conditional access system [5] with additional security feature called chipset pairing [6]. The goal of the latter is to prevent set-top-box hijacking and unauthorized sharing / distribution of a satellite TV programming.

Security Explorations discovered several security weaknesses in the implementation of the chipset pairing functionality used by the aforementioned devices.

Security Explorations also verified that a digital satellite signal can be shared with non-paying subscribers. The shared signal received by a set-top-box of a non-paying subscriber could be also captured in HD quality and in a form of a movie (MPEG) file for later redistribution over the Internet.

This is the first time, real malware threat is being demonstrated in the context of a digital satellite TV platform. This is also the first time successful attack against digital satellite set-top-box equipment implementing Conax conditional access system with advanced cryptographic pairing function is presented. The attack is achieved regardless of the fact that all Conax pairing set-top boxes / secure DVB chipsets undergo a "rigorous evaluation and testing regime" [7].

For the purpose of illustrating all weaknesses found and actual security threats posed by a compromised satellite set-top-box receiver, Security Explorations developed comprehensive proof of concept code implementing over 70 different commands.

The weaknesses found by Security Explorations span across multiple vendors, whose software / hardware products were used to create digital satellite platform "N".

The outcome of Security Explorations' project illustrates the need for more thorough security evaluation of complex and less known software or hardware platforms and technologies. Embedded devices such as set-top-boxes and smart TVs are increasingly gaining on popularity. Once connected to the global network they can however pose serious security risks, which should be addressed not only in the interest of digital content providers, but final users of a given technology in particular.

On Jan 03 2012, Security Explorations started the process of publication and notification of the following companies about either direct security issues in their products or products they directly rely on:

  • Onet.pl S.A (Issues 1-4),
  • Advanced Digital Broadcast (Issues 5-16),
  • STMicroelectronics (Issues 17-19),
  • ITI Neovision (Issue 20-21),
  • Conax AS (Issues 22-23),
  • DreamLab Onet.pl S.A. (Issue 24),

More information about this project can be found at: http://www.security-explorations.com/en/SE-2011-01.html


  1. [1] Digital satellite platform "N" (http://n.pl)
  2. [2] Advanced Digital Broadcast (http://www.adbglobal.com)
  3. [3] ITI Neovision (http://n.pl/iti_neovision.html)
  4. [4] Conax AS (http://www.conax.com)
  5. [5] Conditional Access System (http://en.wikipedia.org/wiki/Conditional_access_system)
  6. [6] Conax chipset pairing (http://www.conax.com/en/solutions/advancedsecurity/)
  7. [7] Conax Client Device Security (http://www.conax.com/en/solutions/clientdevicesecurity/)

Copyright 2008-2016 Security Explorations. All Rights Reserved.