PowerVu management keys hacked

This document shows multiple security flaws in the PowerVu encryption system that is used for digital television. It was possible to find out management keys that are used to encrypt key updates. So decrypting the video & audio of PowerVu programs from multiple providers (AFN, Teleippica, Discovery Europe, ...) was possible.

05.12.2014 (Version 1.0)
up-to-date version: http://colibri-dvb.info => PowerVu
Colibri <colibri.dvb@gmail.com>

[Screenshots: a few sample screen-shots from different providers (different ECM keys) that use the PowerVu system: 16E_12653H_UNIRE 1 - GRIGIO, 16E_12699H_SNAI Sat Active, 5E_12303H_True Movies 1, 1W_12303V_Animal Planet HD, 9E_11766V_AFN Sports HD]

Abstract

In my previous paper "Cryptanalysis of PowerVu television broadcast encryption" [1] I have described how it was possible to find out the ECM key that can decrypt the video & audio DES keys. For this old hack a security chip with valid keys inside was necessary. Special hacking hardware (for the old timing attack and the new key change interruption attack) was necessary as well. For the new hack the security chip isn't needed, and no self-built hacking hardware is needed either. The only hardware needed is a DVB-S2 card and a graphics card that supports CUDA. Finding some management keys took me one day (GeForce GTX 470); a slower card needs more time. It's a brute force attack on the EMMs, but because of multiple security flaws in the PowerVu system it isn't necessary to test the full 56 bit key space to find a key.

Overview of the PowerVu system

You will know some of the pictures from my previous work. Here the key hierarchy is shown (figure): the audio & video gets encrypted by a random DES key. The DES key changes after a few seconds. The DES key gets encrypted by the PowerVu algorithm and the Entitlement Control Message (ECM) key. Typically the ECM key changes after months or years. The security chips (ISEs) within a provider have the same ECM key.
The ECM key gets encrypted by the PowerVu algorithm and the Entitlement Management Message (EMM) key. Each ISE has individual EMM keys. Each ISE also has a unique address (UA). There is a permanent EMM stream loop for all subscribed ISEs. I saw also EMMs for ISEs that are not subscribed anymore, but the decrypted ECM key shows that the ECM key is invalid (fake key). A valid key typically has 7 random looking bytes (with the exception of some channels on 5E and 1W that have a very simple ECM key), but all fake keys I have seen start with the three bytes "00 00 30". So the provider can overwrite a valid key with a fake key to make the ISE useless.

Some details of the PowerVu algorithm can be found in my previous papers; the remaining details can be extracted from the ISE firmware [2]. But to break an EMM key by a brute force attack it's not enough to know the algorithm. We also need a corresponding cipher/plain text pair to verify that the random EMM key we tried is correct.

Here is an example of an EMM:

82 80 80 80 80 80 5D 30 C2 C2 C2 C2 C2 F7 9B 72 70 73 71 76 E4 10 68 4B F6 EE DE 01 99 01 0E 28 3F F8 2F 7F 5A BF 91 C9 2F 4B D4 87 93 46 (crc32) 00 AF 61 F0 09 D1 00 F8 64 A1 6C 7C 00 16 6B 25 CD 49 06 13 D0 40 D0 D6 8F FE D7 EF 67 0B 00 D6 E7 65 6B E3 5D 4D 24 18 2E BD 9C 95 B2 6D E2 E8 8A 32 F7 52 F4 79 00 AB F5 66 BD 34 00 95 A6 62 40 6D 03 B2 16 C0 96 17 F4 46 54 CC C4 89 BD 1C DD 9D 3F 0D 0E 06 60 E8 7E F0 76 BE 62 74 73 B4 3B 3F 3F 2E FD B0 2B 34 3D 15 7B C3 61 64 75 66

The first line starts with the table id (82) and shows unencrypted info like the UA (00 5D 9C 8A) of the ISE that should process this EMM. Each of the next 5 lines has a fixed length and contains one plain text header byte (80) that indicates that the remaining data is encrypted by an EMM key and should be forwarded by the IRD to the ISE. So the ISE can decrypt the EMM and store the data in its internal EEPROM. The last line shows the 4 byte crc32 check-sum of the previous data.
Not all five blocks for the ISE are used to update the ECM key. There is not only one ECM key; instead there are two ECM keys (called even and odd key). One key is in use, the other key can be changed. Let's say the even key is in use. For a key change the provider will send the same even key but a new odd key. After all ISEs have received the keys the provider will use the odd key to encrypt the ECM. The plain ECM header indicates whether the even or the odd key must be used to decrypt the ECM. So there is no outage at the customer side during a key change.

The five blocks are used as follows:
- one block updates the even ECM key and even tiers,
- one block updates the odd ECM key and odd tiers,
- one block updates the even extended tiers and even blackout codes,
- one block updates the odd extended tiers and odd blackout codes,
- one block updates blackout codes, location and lat comp.

Take a look at the 5 blocks and ignore the first 3 bytes that look similar. Do you see the pattern in some of the blocks? Here is one block with a pattern:

80 C2 70 4B 2F 7F 5A 61 64 6B D0 D7 E7 24 B2 F7 F5 A6 16 46 BD 0D 7E 74 3F 34 61

It's easier if we remove the spaces:

80C2704B2F7F5A61646BD0D7E724B2F7F5A61646BD0D7E743F3461

OK, here it is revealed:

80C270 4B2F7F5A61646BD0D7E7 2 4B2F7F5A61646BD0D7E7 43F3461

You can see the pattern 4B2F7F5A61646BD0D7E7 two times in an encrypted block (the second copy is shifted by half a byte, which is why it's easier to see without the spaces). Only a bad algorithm shows a pattern in an encrypted stream. The PowerVu algorithm is a stream cipher with a 56 bit key. The key is the state of the shift register. The output function (S-Box) is complex, but the security flaw is that the logic (the two XORs) that produces the next internal state from the current state and the plain text during an encryption is too simple. So when encrypting a series of 0 bits the internal state will repeat, and you can see the above pattern in the encrypted block. Another security flaw is of course the small key size of only 56 bits.
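As an added example (not code from this paper), the following Python shows the check a reviewer would run over ciphertext blocks to spot this kind of weakness: a bit-level search for the longest repeated substring, run on the block quoted above, plus a constructed toy 16-bit plaintext-feedback cipher (an assumption made here for illustration, not the PowerVu algorithm) that leaks the same kind of repeat when it encrypts a run of zero bits. The search works on bits rather than bytes because in a bit-oriented stream cipher the repeat need not be byte aligned; in the block above the second copy starts at an odd nibble. The key value 0x1F2E and the sample plaintexts are constructed for the example.

```python
# Added example (not code from the paper): a bit-level repeat check for
# ciphertext blocks, plus a constructed toy cipher that shows why a simple
# plaintext-feedback state update leaks a repeat when it encrypts zero bits.
import math
from typing import Dict, Tuple

# Encrypted EMM block quoted in the paper (27 bytes; the leading 0x80 is the
# unencrypted header byte), written without spaces as the paper suggests.
PAPER_BLOCK_HEX = "80C2704B2F7F5A61646BD0D7E724B2F7F5A61646BD0D7E743F3461"


def hex_to_bits(hexstr: str) -> str:
    """Expand a hex string into '0'/'1' characters, most significant bit first."""
    return "".join(format(int(h, 16), "04b") for h in hexstr)


def longest_repeat_bits(bits: str) -> Tuple[int, int, int]:
    """Longest substring that occurs twice in `bits`, searched at bit
    granularity: returns (length, first_offset, second_offset).
    Plain O(n^2) scan over every shift; fine for blocks of a few hundred bits."""
    n = len(bits)
    best = (0, 0, 0)
    for shift in range(1, n):
        run = 0
        for i in range(n - shift):
            if bits[i] == bits[i + shift]:
                run += 1
                if run > best[0]:
                    start = i - run + 1
                    best = (run, start, start + shift)
            else:
                run = 0
    return best


def chance_repeat_bits(n: int) -> float:
    """Rule of thumb: the longest repeat expected by chance in n random bits is
    about 2*log2(n). A repeat several times that long means the keystream
    (and so the cipher state) was reused inside the block."""
    return 2 * math.log2(n)


def analyse_block(hexstr: str) -> Dict[str, object]:
    """Run the repeat search on a hex block and report what was found, with the
    repeat also trimmed to nibble boundaries so it can be read back as hex."""
    bits = hex_to_bits(hexstr)
    length, off1, off2 = longest_repeat_bits(bits)
    nib_start = (off1 + 3) // 4          # first whole nibble inside the repeat
    nib_end = (off1 + length) // 4       # last whole nibble inside the repeat
    return {
        "total_bits": len(bits),
        "repeat_bits": length,
        "offset1": off1,
        "offset2": off2,
        "distance": off2 - off1,
        "pattern_hex": hexstr[nib_start:nib_end],
        "chance_bits": chance_repeat_bits(len(bits)),
        "suspicious": length > 2 * chance_repeat_bits(len(bits)),
    }


def toy_encrypt(key16: int, plain_bits: str) -> str:
    """Constructed toy 16-bit stream cipher (an assumption for illustration,
    NOT the PowerVu algorithm). Per bit: keystream = LSB of the state,
    ciphertext = plain ^ keystream, then the state rotates left by one with the
    plaintext bit XORed into the incoming bit. With plaintext bits of 0 the
    update degenerates to a pure rotation, so the state, the keystream and the
    ciphertext all repeat with period 16."""
    state = key16 & 0xFFFF
    out = []
    for ch in plain_bits:
        p = int(ch)
        out.append(str(p ^ (state & 1)))
        msb = (state >> 15) & 1
        state = ((state << 1) & 0xFFFF) | (msb ^ p)
    return "".join(out)


if __name__ == "__main__":
    print("paper block:", analyse_block(PAPER_BLOCK_HEX))
    # Toy cipher on a run of 128 zero bits (constructed key): repeat at distance 16.
    zeros_ct = toy_encrypt(0x1F2E, "0" * 128)
    print("toy, zero plaintext:", longest_repeat_bits(zeros_ct))
    # Same toy cipher on a constructed non-zero plaintext: the plaintext bits
    # are folded into the state, so compare the repeat length with the zero-run case.
    mixed_ct = toy_encrypt(0x1F2E, hex_to_bits("DEADBEEF0123456789ABCDEF01234567"))
    print("toy, mixed plaintext:", longest_repeat_bits(mixed_ct))
```

On the paper's block the search reports an 82 bit repeat at bit offsets 23 and 107 (distance 84 bits), whose nibble-aligned part is exactly the 4B2F7F5A61646BD0D7E7 shown above, against a chance expectation of about 16 bits for a 216 bit block. The threshold (twice the chance length) is deliberately crude; the point of the check is that a correctly designed stream cipher never produces repeats far above the chance level, whatever the plaintext.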
Here is a picture of the PowerVu algorithm that is used for decryption (figure). For encryption swap the arrows at the bottom so that they point from right to left.

So when we see a long pattern, e.g. the 10 bytes in the encrypted block, we can assume that the corresponding plain text is 0. So when we see the pattern we have the crypt/plain text pair that we need for the brute force attack.

After the key was found you can see the following plain text (the five blocks, one block per line, 27 bytes each). The place holder XX represents the even ECM key and YY represents the odd ECM key. The last three bytes (5D 9C 8A) must match the last three bytes of the UA or the ISE will drop the block.

80 0C 00 XX XX XX XX XX XX XX 7F FF FF FF FF FF FF FF FF FF FF FF F8 04 5D 9C 8A
80 0C 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 5D 9C 8A
80 0C 01 YY YY YY YY YY YY YY 7F FF FF FF FF FF FF FF FF FF FF FF F8 04 5D 9C 8A
80 0C 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 5D 9C 8A
80 0C 06 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5D 9C 8A

To make a brute force attack the length of the known plain text should be a little bit larger than the key. If you encrypt a much longer plain text the brute force attack would take unnecessarily long. I have taken 9 bytes (72 '0' bits), encrypted them with different keys and checked whether the encrypted pattern matches. Even with the small 56 bit key space and a CUDA system that can try a few hundred keys in parallel this would take too long. So the trick is not to compare the encrypted '0' bits with one EMM, but with more than 131072 (2^17) patterns at once. Then you need to try only a 39 bit key space instead of 56 bit to find a key.

So I have first recorded nearly all PowerVu EMMs of the different providers I could receive. Then I made a program that scans all the EMM files for a pattern that is at least 9 bytes long and is present twice in a block. Then the program saves a 256*256*256*9 byte table to a file.
The other CUDA program does only a single look-up to check whether the encrypted text matches a pattern. It takes the first 3 bytes of the 9 byte pattern, multiplies them by 9 and uses the result as an offset into the look-up table. So the compare function after a key try is very fast. AFN has the most subscribers and therefore the most EMMs with a pattern, so you will most likely get an AFN key first.

But back to the plain text block:

80 0C 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 5D 9C 8A

Always ignore the first header byte (80), because it's never encrypted. For us only the payload is interesting. You can see that the pattern doesn't start at the first payload byte. If it did, a found key would directly be the EMM key that can be used to decrypt the two blocks that contain the even/odd ECM keys. Typically the pattern occurs at an offset of 16 or 20 bits. So the found key is always only the pattern key instead of the EMM key. A key is always the internal state of the 56 bit shift register. So we need the state that the shift register had 16 bits before. If we manage this then we have the EMM key. So we need to do the single steps of the decryption of a single bit backwards (e.g. shift the register in the other direction and swap some XOR input/output ports). It's possible that two previous states produce the same encrypted bit, so you must test both when doing the next step backward. After that you may have 4 possible states, or maybe only 1 again, because 3 of the 4 states produce an encrypted bit that doesn't match our encrypted bit. To keep the number of possible intermediate states and of final possible EMM keys low we need to know as much as possible of the plain text of the 16 bits. The typical plain text of the 16 bits is the following:

00001100 00000xxx

In case you got more than one possible EMM key you can decrypt one of the remaining 4 blocks.
If the last three bytes of the decrypted block match the last three bytes of the UA that are present unencrypted in the header of the EMM, your key is valid. Typically only a few keys must be tested.

If you collect the 9 byte patterns for your look-up table, don't take only one pattern per EMM; instead take all (up to three) patterns that can be found in the blocks. Then you will find a key faster during the brute force attack.

Conclusion

It's the worst case scenario that it's possible to find management keys for the PowerVu system in just one day. No security chip is needed to find the keys; the data from an encrypted EMM stream is enough. Only cheap standard hardware (a DVB-S2 card and a graphics card with CUDA support) is needed. Other conditional access manufacturers have improved the security element (smart card) from time to time, but in the PowerVu system the very old chip/algorithm is still used. I saw some PowerVu receivers with a smart card slot. Maybe some provider that uses the PowerVu system to protect their content can ask Cisco Systems (in 2005 they purchased the company Scientific Atlanta that developed the PowerVu system) whether they can provide a secure smart card with an improved PowerVu system in the future.

References

[1] http://colibri-dvb.info => PowerVu
[2] pvufull.zip from cinosana, http://id-discussions.com/forum/showthread.php?t=79393, referred to in thread http://id-discussions.com/forum/showthread.php?t=79487