Pirate Decryption - Counter-piracy Techniques

Counter-piracy Techniques

A number of strategies have been used by providers to control or prevent the widespread pirate decryption of their signals.

One approach has been to take legal action against dealers who sell equipment which may be of use to satellite pirates; in some cases the objective has been to obtain lists of clients in order to take or threaten to take costly legal action against end-users. Providers have created departments with names like the "office of signal integrity" or the "end-users group" to pursue alleged pirate viewers.

As some equipment (such as a computer interface to communicate with standard ISO/IEC 7816 smartcards) is useful for other purposes, this approach has drawn strong opposition from groups such as the Electronic Frontier Foundation. There have also been US counter-suits alleging that the legal tactics used by some DBS providers to demand large amounts of money from end-users may themselves appear unlawful or border on extortion.

Much of the equipment is perfectly lawful to own; in these cases, only the misuse of the equipment to pirate signals is prohibited. This makes provider attempts at legal harassment of would-be pirates awkward at best, a serious problem for providers which is growing due to the Internet distribution of third-party software to reprogram some otherwise legitimate free-to-air DVB receivers to decrypt pay TV broadcasts with no extra hardware.

US-based Internet sites containing information about the compromised encryption schemes have also been targeted by lawyers, often with the objective of costing the defendants enough in legal fees that they have to shut down or move their sites to offshore or foreign Internet hosts.

In some cases, the serial numbers of unsubscribed smartcards have been blacklisted by providers, causing receivers to display error messages. A "hashing" approach of writing arbitrary data to every available location on the card and requiring that this data be present as part of the decryption algorithm has also been tried as a way of leaving less available free space for third-party code supplied by pirates.

Another approach has been to load malicious code onto smartcards or receivers; these programs are intended to detect tampered cards and maliciously damage the cards or corrupt the contents of non-volatile memories within the receiver. This particular Trojan horse attack is often used as an ECM (electronic countermeasure) by providers, especially in North America where cards and receivers are sold by the providers themselves and are easy targets for insertion of backdoors in their computer firmware. The most famous ECM incident was the Black Sunday attack launched against tampered DirecTV "H" on 3 January 21, 2001 and intended to destroy the cards by overwriting a non-erasable part of the cards internal memory in order to lock the processor into an endless loop.

The results of a provider resorting to the use of malicious code are usually temporary at best, as knowledge of how to repair most damage tends to be distributed rapidly by hobbyists through various Internet forums. There is also a potential legal question involved (which has yet to be addressed) as the equipment is normally the property not of the provider but of the end user. Providers will often print on the smartcard itself that the card is the property of the signal provider, but at least one legal precedent indicates that marking "this is mine" on a card, putting it in a box with a receiver and then selling it can legally mean "this is not mine anymore". Malicious damage to receiver firmware puts providers on even shakier legal ground in the unlikely event that the matter were ever to be heard by the judiciary.

The only solution which has shown any degree of long-term success against tampered smartcards has been the use of digital renewable security; if the code has been broken and the contents of the smartcard's programming widely posted across the Internet, replacing every smartcard in every subscriber's receiver with one of different, uncompromised design will effectively put an end to a piracy problem. Providers tend to be slow to go this route due to cost (as many have millions of legitimate subscribers, each of which must be sent a new card) and due to concern that someone may eventually crack the code used in whatever new replacement card is used, causing the process to begin anew.

Premiere in Germany has replaced all of its smartcards with the Nagravision Aladin card; the US DirecTV system has replaced its three compromised card types ("F" had no encryption chip, "H" was vulnerable to being reprogrammed by pirates and "HU" were vulnerable to a "glitch" which could be used to make them skip an instruction). Both providers have been able to eliminate their problems with signal piracy by replacing the compromised smartcards after all other approaches had proved to provide at best limited results.

Dish Network and Bell TV had released new and more tamper-resistant smart cards over the years, known as the ROM2, ROM3, ROM10, ROM11 series. All these cards used the Nagravision 1 access system. Despite introducing newer and newer security measures, older cards were typically still able to decrypt the satellite signal after new cards were released (A lack of EEPROM space on the ROM2 cards eventually led to them being unable to receive updates necessary to view programming). In an effort to stop piracy, as by this point the Nagravision 1 system had been thoroughly reverse-engineered by resourceful hobbyists, an incompatible Nagravision 2 encryption system was introduced along with a smart card swap-out for existing customers. As more cards were swapped, channel groups were slowly converted to the new encryption system, starting with pay-per-view and HDTV channels, followed by the premium movie channels. This effort culminated in a complete shutdown of the Nagravision 1 datastream for all major channels in September, 2005. Despite these efforts to secure their programming, a software hack was released in late August, 2005, allowing for the decryption of the new Nagravision 2 channels with a DVB-S card and a PC. Just a few months later, early revisions of the Nagravision 2 cards had been themselves compromised. Broadcast programming currently uses a simulcrypt of Nagravision 2 and Nagravision 3, a first step toward a possible future shutdown of Nagravision 2 systems.

One of the most severe sentences handed out for satellite TV piracy in the United States was to a Canadian businessman, Martin Clement MULLEN, widely known for over a decade in the satellite industry as "Marty" Mullen.

Mullen was sentenced to seven years prison with no parole and ordered to pay DirecTV and smart card provider NDS Ltd. US$24 million in restitution. He pled guilty in a Tampa, Florida court in September 2003 after being arrested when he entered the United States using a British passport in the name "Martin Paul Stewart".

Mr. Mullen had operated his satellite piracy business from Florida, the Cayman Islands and from his home in London, Ontario Canada. Testimony in the Florida court showed that he had a network of over 100 sub-dealers working for him and that during one six-week period, he cleared US$4.4 million dollars in cash from re-programing DirecTV smartcards that had been damaged in an electronic counter measure.

NDS Inc. Chief of Security John Norris is credited with pursuing Mullen for a decade in three different countries. When Mullen originally fled the United States to Canada in the mid-1990s, Norris launched an investigation that saw an undercover operator (a former Canadian police officer named Don Best) become one of Mullen's sub-dealers and his closest personal friend for over a year. In summer of 2003 when Mullen travelled under another identity to visit his operations in Florida, US Federal authorities were waiting for him at the airport after being tipped off by Canadian investigators working for NDS Inc..

Ironically the NDS Group were accused (in several lawsuits) by Canal+ (dismissed) and Echostar (now DishNetwork) of hacking the Nagra encryption and releasing the information on the internet. The jury awarded EchoStar $45.69 actual damages (one month's average subscription fee) in Claim 3.