A Security Hole The Size Of A Mack Truck
7 years ago
General
I suppose now that it's been fixed, I can talk about a pretty significant hole I stumbled across on Comcast's cable network. It's a good story so grab a drink and settle in.
It started when Glee was on opposite Grey's Anatomy and I got fed up with choosing which one to record and which one to watch OnDemand later. At the time the Freevo was still using an analog video encoder and needed the cable box to tune in the proper channel and output it to the card. So I decided it was time for a change: I got a Silicon Dust HDHomerun Prime box, which is a nifty little box that connects to your cable system, takes a cablecard and then sends the raw digital program stream over the network to a device for viewing or recording. The Freevo had no support for it whatsoever but I had faith in my ability to write up a plug-in module to drive it (and it turns out that faith was not misplaced).
I got the HDHomerun delivered but it would be two more days before I could get to the cable company to get a cablecard for it. Of course, I couldn't just sit and not play with it, so I hooked it up and began tinkering. You can tune it to different (frequency) channels and it will report if it finds any digital streams there and what the PIDs are for that stream. Almost everything I found was encrypted (no surprise) but just north of channel 100, I ran into a few unencrypted streams. Odd. So I began streaming them to the VLC player on my desktop to see what they were.
I found King of the Hill... but it was "off the clock": it ended at 20 minutes after the hour. I found other miscellanea and ended up watching the latter half of an MTV werewolf series. I found it only a little odd that there were no commercial breaks, but I thought maybe that's the way MTV operated in the wee hours of the morning. I never watch MTV, what did I know?
The next day I went perusing those channels again. It was funny... a real hide-and-seek game. PIDs that were there for one scan would sometimes be gone when I went back again. And while the encrypted ones would often have the channel name with them (like TBS or HGTV), these had no such labels. Then I tuned in one and realized I was watching Fast and the Furious Six. Which was really odd... because that had just come out on DVD that week. No channel would be showing FF6, not this close to the DVD release. And that's when the light bulb came on...
I was eavesdropping the OnDemand video streams! It explained why the MTV show had no commercials. Why finding functioning PIDs on a channel was a snipe hunt and why they kept disappearing and re-appearing. And it explained why FF6 was playing! As if to confirm my suspicions, I changed to another channel and witnessed a sweet martial arts fight. And when it was done, the video stopped... rewound... and played the fight again.
The implications were staggering. Mainly, if the HDHomerun could stream it for me to watch, then it could stream it for me to record. If you could catch someone just starting to stream a movie, you could roll off your own copy of it... for free! And since the HDHomerun pulls the full program stream, you get everything: full-res video, all the audio channels (including alternate audio streams)... even closed captioning! This was a full rip! You were just at the mercy of whomever was playing the movie.
It was probably months later that I got to thinking... if I can eavesdrop other people's OnDemand streams... why couldn't I eavesdrop my own stream, that I started and was controlling? Not only did it work, it was actually fairly easy to find which stream was your own. If you started an OnDemand show and paused it, you could scan the channels and look for the PID that was there but marked as having no data. Tune it in, stream it to VLC and when you unpaused it on the cablebox, it began playing in VLC too! And it was easy enough to tell the control software to tune in and record that channel. When you unpaused it, it would record the stream. I made up a lot of missed recordings that way when the Freevo would hiccup and not record a show. I just found the episode in the OnDemand library and recorded it. It had to record in real time, but that wasn't such a bad thing.
There were just two things that were weird. First, the commercial breaks were spliced in on the fly, and they would almost always have a different Presentation Timestamp (PTS) sequence. The PTS is a timestamp for each piece of data so that if the stream was somehow jumbled, the decoder could try to re-assemble them in the proper order (depending on the buffer size). Mplayer2 did not take kindly to sudden jumps in PTS and it would throw the audio sync completely out the window. Fortunately, ffmpeg has the ability to take a video file and rebuild the PTS as a contiguous sequence.
The other thing was that since the HDHomerun box is a legal, commercial device, it was obligated to honor the various digital video flags. If a video was flagged "Watch Once" or "Do Not Record", it would not record it. Fortunately, almost no network bothered to set these flags on their videos. The only one I found that did was Adult Swim. I tried to make up a recording of Attack on Titan and all it recorded were commercials and bumps because the actual program was flagged "Do Not Record".
By now I'm sure you've made the leap I made after all this: if I can eavesdrop my own stream that I control... could I order an OnDemand movie for $5 and record it to keep permanently? Yes... yes you could. I rented "The Big Short" to show someone else and before the rental ran out (it was a 48-hour rental window) I tried just that. I recorded the first 90 seconds of the movie as proof-of-concept. Yeah, I couldn't bring myself to rip the whole movie, because I liked it so much I thought the companies deserved the money for their time and effort. Sure, it wasn't a DVD or BluRay quality rip -- the video is compressed to go over the cable system -- but it's still 1080p with 5.1 channel surround... for $5? I wouldn't complain.
Sadly, several months later I tried to pick up a video that the Freevo had hiccuped on and found that all those over-100 channels held encrypted streams. Apparently Comcast finally decided that security-by-obscurity wasn't cutting it anymore and those streams should be properly scrambled. So this trick no longer works. But for a glorious year or two, Comcast had a hole in their system that would have made any MPAA executive wake up screaming in a cold sweat.
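Two things in this story are checkable directly in the MPEG transport stream bits: whether a PID's payload is actually scrambled (the transport_scrambling_control field, which is what an operator would audit to confirm the fix described above), and the PTS jumps at ad splices that upset the player. The following is an added example, not code from the post; it parses 188-byte TS packets and builds its own constructed sample packets, so it runs offline.

```python
# Added example (not the post's own code): a minimal MPEG-TS inspector that
# reports, per PID, whether transport_scrambling_control marks the payload as
# scrambled and counts large PTS jumps at PES starts. Packets are constructed.
TS_PACKET = 188
SYNC = 0x47

def decode_pts(b):
    # 33-bit PTS packed into 5 bytes with marker bits (ISO 13818-1 PES header)
    return ((((b[0] >> 1) & 0x7) << 30) | (b[1] << 22) | ((b[2] >> 1) << 15)
            | (b[3] << 7) | (b[4] >> 1))

def encode_pts(pts):
    # Inverse of decode_pts; used only to build the constructed sample packets
    return bytes([0x21 | (((pts >> 30) & 0x7) << 1), (pts >> 22) & 0xFF,
                  0x01 | (((pts >> 15) & 0x7F) << 1), (pts >> 7) & 0xFF,
                  0x01 | ((pts & 0x7F) << 1)])

def parse_packet(pkt):
    # Returns (pid, scrambled, pts_or_None) for one 188-byte TS packet
    if len(pkt) != TS_PACKET or pkt[0] != SYNC:
        raise ValueError("bad TS packet")
    pusi = (pkt[1] >> 6) & 1                       # payload_unit_start_indicator
    pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
    tsc, afc = (pkt[3] >> 6) & 0x3, (pkt[3] >> 4) & 0x3  # scrambling / adaptation ctl
    off = 5 + pkt[4] if afc & 0x2 else 4           # skip adaptation field if present
    pts = None
    if pusi and (afc & 0x1) and tsc == 0:          # readable PES header starts here
        pes = pkt[off:]
        if pes[:3] == b"\x00\x00\x01" and len(pes) >= 14 and pes[7] & 0x80:
            pts = decode_pts(pes[9:14])
    return pid, tsc != 0, pts

def make_packet(pid, pts=None, scrambled=False):
    # Constructed packet, payload only, CC=0; pts=None means a continuation packet
    hdr = bytes([SYNC, (0x40 if pts is not None else 0) | (pid >> 8),
                 pid & 0xFF, (0x80 if scrambled else 0) | 0x10])
    payload = b""
    if pts is not None:   # PES: start code, stream_id 0xE0, length 0, flags, PTS only
        payload = b"\x00\x00\x01\xE0\x00\x00\x80\x80\x05" + encode_pts(pts)
    return hdr + payload + b"\xFF" * (TS_PACKET - len(hdr) - len(payload))

def audit(stream, max_gap=90000):
    # PID -> {"scrambled", "pts_jumps"}; a jump is a PTS step > max_gap ticks of the
    # 90 kHz clock (default one second), as at an ad splice; 2^33 wrap is ignored
    report, last = {}, {}
    for i in range(0, len(stream) - TS_PACKET + 1, TS_PACKET):
        pid, scr, pts = parse_packet(stream[i:i + TS_PACKET])
        ent = report.setdefault(pid, {"scrambled": False, "pts_jumps": 0})
        ent["scrambled"] = ent["scrambled"] or scr
        if pts is not None:
            if pid in last and abs(pts - last[pid]) > max_gap:
                ent["pts_jumps"] += 1
            last[pid] = pts
    return report
```

Run `audit()` over a capture and any PID reporting `scrambled: False` is a clear stream; a nonzero `pts_jumps` on a clear PID marks the splice points the post says ffmpeg had to smooth over.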
Back there I talked about tuning in "frequency" channels. I had to make that distinction because the channel you enter into your cable box is not related at all to the frequency that it is on. Instead you're tuning in virtual channel numbers. When you punch in 755 to watch TBS, the cable box has a look-up table from the cable company and it knows that 755 (TBS) is channel 35, program 4. Just like digital broadcast TV, one frequency channel can carry several program streams: channel 35 also carries ESPND, NHL, FS1, CNBC, ESPNU, BIG10 and FXDEP.
And what do you know! The channel is QAM-256. Who woulda thought it... ^_^
Hauke
~hauke
Crazy. But then I suspect the people who put these things together don't sit and think about all the possible ways someone might access them...they find these holes accidentally.
kiyofox
~kiyofox
Hahaha you are such an ethical hacker! You find a significant gap in security, but only use it sparingly. I'm not sure I would have had the same restraint.
expandranon
~expandranon
You should have seen if you could sell them that information. It's possible they had no idea what was happening.