
SE-2011-01 Vendors status

This page presents the current status of the communication process with vendors of affected technologies.

Vendors not responding to our email messages for 7+ days:

  • Advanced Digital Broadcast
    awaiting response to the message from 11-Jan-2012
  • ITI Neovision
    awaiting response to the message from 01-Feb-2012
  • STMicroelectronics
    awaiting response to the message from 11-Apr-2017
  • NC+
    awaiting response to the message from 23-Feb-2018
  • CERT-FR
    awaiting response to the message from 15-Mar-2018
  • Vivendi
    awaiting response to the message from 24-Mar-2018
  • IT-CERT
    awaiting response to the message from 03-Apr-2018
  • Canal+
    awaiting response to the message from 03-Apr-2018

Summary of the communication process:

  • 02-Jan-2012
- Initial requests for security contacts are sent to Onet.pl S.A., Advanced Digital Broadcast, STMicroelectronics, ITI Neovision, Conax AS, DreamLab Onet.pl S.A.
- Contact information received from Onet.pl S.A. and DreamLab Onet.pl S.A.
  • 03-Jan-2012
- Vulnerability Notices are sent to Onet.pl S.A. (Issues 1-4) and DreamLab Onet.pl S.A. (Issue 24).
- Contact information received from ITI Neovision - awaiting response and PGP key.
  • 04-Jan-2012
- As a result of no response to our Jan 2nd inquiry, Advanced Digital Broadcast, STMicroelectronics and Conax AS are contacted again and asked for a proper security contact.
- Request for confirmation of a successful report decryption is sent to Onet.pl S.A. / DreamLab Onet.pl S.A.
- Onet.pl S.A. / DreamLab Onet.pl S.A. confirms successful reception and decryption of vulnerability reports.
- Advanced Digital Broadcast responds to our contact inquiry.
- Contact information received from Conax AS to which Vulnerability Notices are sent (Issues 22-23).
- Conax AS confirms successful reception and decryption of vulnerability reports.
- PGP key received from ITI Neovision to which Vulnerability Notices are sent (Issues 20-21).
- ITI Neovision confirms successful reception and decryption of vulnerability reports.
- Contact information received from STMicroelectronics to which Vulnerability Notices are sent (Issues 17-19).
- Contact information received from Advanced Digital Broadcast to which Vulnerability Notices are sent (Issues 5-16).
  • 05-Jan-2012
- Requests for confirmation of successful reports decryption are sent to Advanced Digital Broadcast and STMicroelectronics.
  • 06-Jan-2012
- STMicroelectronics confirms successful reception and decryption of vulnerability reports.
  • 07-Jan-2012
- Advanced Digital Broadcast confirms successful reception and decryption of vulnerability reports.
  • 11-Jan-2012
- Inquiries about the impact of the reported vulnerabilities are sent to Advanced Digital Broadcast and STMicroelectronics.
  • 12-Jan-2012
- Request for status update regarding fixed bugs is sent to Onet.pl S.A. / DreamLab Onet.pl S.A.
  • 17-Jan-2012
- STMicroelectronics informs that no confidential information will be disclosed to Security Explorations in response to its impact inquiry (question about the list of vulnerable DVB chipsets models/versions, questions about set-top-box manufacturers and digital satellite TV providers relying on affected chipsets, etc.). STMicroelectronics informs that it is still in the process of analysing the received data.
  • 23-Jan-2012
- Security Explorations asks STMicroelectronics whether the list of products vulnerable to reported security issues is also the company's confidential information.
  • 01-Feb-2012
- Requests for status update / results of the analysis are sent to Onet.pl S.A., Advanced Digital Broadcast, ITI Neovision, Conax AS, DreamLab Onet.pl S.A.
- Onet.pl S.A. / DreamLab Onet.pl S.A. confirm fixing of reported security issues (Issues 1-4 and 24).
  • 03-Feb-2012
- Conax AS provides the results of its analysis of reported issues. The company informs Security Explorations that it does not regard Issues 22 and 23 as security bugs. Issue 22 is assumed to be caused by a configuration feature of Conax CAS.
- Security Explorations responds to Conax AS and expresses disagreement with the results of the company's analysis. Security Explorations provides its reasoning and asks Conax AS whether the company still considers reported issues 22 and 23 as non-security ones. Security Explorations also seeks confirmation of the nature of Issue 22.
  • 22-Feb-2012
- Conax AS provides additional information regarding Issue 22. The company informs that upon additional data and analysis, Issue 22 is understood not to be caused by a previously assumed configuration feature of Conax CAS, but is the result of running the affected service in a way specific to an older generation of Conax systems.
  • 16-Mar-2012
- STMicroelectronics informs that the company's teams are completing analysis of the work and details provided by Security Explorations. The company asks for confirmation of one attack detail.
- Security Explorations confirms the attack detail to STMicroelectronics.
  • 22-Mar-2012
- STMicroelectronics asks for confirmation of one attack detail regarding Issue 18.
- Security Explorations responds that it cannot provide the confirmation and delivers its answer based on the conducted analysis and tests.
  • 23-Mar-2012
- Security Explorations provides STMicroelectronics with additional information / results of the tests regarding Issue 18.
  • 11-Apr-2017
- Security Explorations asks STMicroelectronics whether, 5 years after the disclosure of the issues and in the context of the company exiting the set-top box chipsets business, STMicroelectronics is ready to provide a list of ST chipsets that were vulnerable to the issues found and reported as part of the SE-2011-01 project.
  • 19-Feb-2018
- Security Explorations asks NC+ about the replacement of STBs offered to subscribers (whether STBs vulnerable to STMicroelectronics vulnerabilities are replaced, whether the replacement process is required by content providers, how many vulnerable STBs got replaced, what costs were incurred by end users). The UOKiK - Polish Government's Office of Competition and Consumer Protection is attached to the message.
  • 23-Feb-2018
- NC+ responds that it undertakes multiple measures aimed at providing high security of the offered content. The goal of the replacement process of set-top-boxes is to improve the security level of the broadcast signal, which is a requirement of agreements signed with content providers. Any information pertaining to the technology area is confidential information of the company and cannot be disclosed to the general public.
- Security Explorations asks NC+ for a contact at Canal+ group where questions pertaining to security / STB replacement could be sent. The company also asks NC+ about the reasons for 1) charging NC+ subscribers for a replacement of STBs containing vulnerable ST chipsets, 2) these costs not being incurred by the NC+ operator or the providers of the flawed devices (STB manufacturer, chipset vendor), 3) treating confirmation of STB devices being affected by STMicroelectronics flaws as confidential information of the company.
  • 03-Mar-2018
- Security Explorations asks CERT-FR (French governmental CSIRT) and IT-CERT (CERT Nazionale Italia) for assistance aimed at obtaining information from STMicroelectronics regarding security issues found in their chipsets (information about vulnerable chipset models and their versions, whether a vulnerable IC such as TKD Crypto core of STi7111 SoC was used in other vendors' solutions such as e-passports, banking cards and SIM cards, information about STMicroelectronics actions conducted to address the issues). Additionally, the company asks CERT-FR for a contact to the security team of Canal+ Group where inquiries regarding the replacement process of STBs vulnerable to STMicroelectronics issues by the NC+ operator in Poland could be sent.
- CERT-FR informs that the provided information has been forwarded to the appropriate teams and is currently being reviewed.
  • 13-Mar-2018
- Security Explorations asks IT-CERT for confirmation of successful reception of the message from Mar 3, 2018.
- IT-CERT confirms reception of the message. The team declares that it will keep Security Explorations informed about further developments.
  • 15-Mar-2018
- Security Explorations repeats a request to CERT-FR for a contact to the security team of Canal+ Group.
- CERT-FR responds that it is not in direct contact with the Canal+ team, and as it is part of a contractual relation between ST and their clients, it is not CERT-FR's role to transfer this information to Security Explorations. CERT-FR recommends contacting ST directly (ST CSIRT team attached to the message), which will be able to answer Security Explorations' request.
- Security Explorations asks CERT-FR for clarification whether the response received also means that CERT-FR will not assist Security Explorations in obtaining information from STMicroelectronics regarding security issues found in their chipsets (information about affected products and addressing of the issues).
  • 24-Mar-2018
- Security Explorations asks Vivendi (a parent company of Canal+ Group) for an e-mail contact where questions could be sent regarding the security and replacement process of set-top-box devices based on STMicroelectronics chipsets used by the NC+ operator from Poland.
  • 03-Apr-2018
- Security Explorations asks IT-CERT whether there have been any developments / whether IT-CERT has been able to obtain any information from STMicroelectronics pertaining to the request from Mar 3, 2018.
- Security Explorations contacts a person responsible for security at Canal+ Group. The company asks Canal+ about security and the replacement of STBs offered by NC+ to subscribers (whether STBs vulnerable to STMicroelectronics vulnerabilities are replaced, how many vulnerable STBs got replaced, what costs were incurred by end users, the reasons for charging NC+ subscribers for a replacement of STBs containing vulnerable ST chipsets, the reasons for these costs not being incurred by NC+, Canal+ Group or providers of the flawed devices such as the STB manufacturer or a chipset vendor).
  • 05-Apr-2018
- Security Explorations asks a person responsible for security at Canal+ Group for confirmation of successful reception of the message from Apr 03, 2018. The company also asks for a more official e-mail address to Canal+ Group security team or its representative, which could be used for further communication.
  • 11-Apr-2018
- Security Explorations asks US-CERT (US government CERT) for assistance aimed at obtaining information from STMicroelectronics regarding security issues found in their chipsets (information about vulnerable chipset models and their versions, whether a vulnerable IC such as TKD Crypto core of STi7111 SoC was used in other vendors' solutions such as e-passports, banking cards and SIM cards, information about STMicroelectronics actions conducted to address the issues).
  • 16-Apr-2018
- Security Explorations asks US-CERT for confirmation of successful reception of the message from Apr 11, 2018.
- US-CERT confirms successful reception of the message. The organization provides a ticket number and informs that it is currently assigned to its analysts for review.
  • 18-Apr-2018
- Security Explorations contacts STMicroelectronics' CSIRT team. The company requests information from STMicroelectronics regarding security issues found in their chipsets (information about vulnerable chipset models and their versions, whether a vulnerable IC such as TKD Crypto core of STi7111 SoC was used in other vendors' solutions such as e-passports, banking cards and SIM cards, information about STMicroelectronics actions conducted to address the issues).
- Security Explorations informs NC+, a person responsible for security at Canal+ Group and Vivendi that the company is awaiting a response to an inquiry pertaining to the replacement process of STB devices affected by security vulnerabilities in ST chipsets conducted by the NC+ operator in Poland. A lack of response to the inquiry, along with the information received from NC+ on Feb 23, 2018, will be the basis for filing a formal notification to the UOKiK - Polish Government's Office of Competition and Consumer Protection.
  • 19-Apr-2018
- Security Explorations asks STMicroelectronics' CSIRT team for confirmation of successful reception of the message from Apr 18, 2018.

Copyright 2008-2018 Security Explorations. All Rights Reserved.