Thursday 14 August 2014

Hack Your Digital Cable TV Network Using CSRF Remote Shutdown

A Security Researcher Team Garage4Hackers share with us that How they Hack Digital Cable TV Network Using CSRF Remote Shutdown. Rahul Sasi, One of the member of Garage4Hackers team said,

"It is hard to find any Hands on cable TV security materials on the internet. This is mainly because the infrastructure used by the cable operators are not easily available for every researcher. In our case we were lucky . From November 2013 I was working with one of the largest Cable TV networks in India who provides service to nearly 1 Million users. I agreed to a contract where we would do free security audits for the Cable operators infrastructure and in return they would allow me to publish my finds in any conference of my choice . And that was a sweet deal for me . I come from an application security background. And I had no clue about Digital cable networks an year back. So in the first blog post I would explain how I cracked the deal with the Cable Operators to audit their Infrastructure.

Cracking the Deal:Meeting with the Chief Technical Officer of the Cable Company
Unlike Internet where information is viewed with suspicion and misinformation can be quickly vetted through other sources, television is a one-to-many medium where there’s no quick way to identify a false broadcast. If someone hacks into a TV news stream and publishes a news stating that a riot has happened in the nearby city, then that could create a lot of panic in a country like India. 
Example Source: Hackers took control of TV feeds in Wenzhou China and streamed anti-communist slogans to millions of viewers. .

This was the main punch line I used when trying to convince the CTO why to do a Penetration testing for their infrastructure. Since he has not seen any real world attacks on his infrastructure , he was not that convinced to give me the project. But in the end he asked me if I could find any issues from outside, sort of like a black box testing. And If I could find something serious in 2 week he would consider giving me an opportunity. 

Web Application bugs in Digital Cable TV :
I have two weeks time and I need to find something quick. I started doing my homework and I learned one thing. There are nearly 1 million users for this service provider. And there are about 2000-3000 local cable operators, the local vendors who distributes the service to individual localities. All these 2000+ cable operators need to have some sort of application where they register their locality users, manages their billing operations etc. And there need to be some sort of centralized application to perform this operation. With some awesome google hacking techniques we were able to locate their centralized billing application aka Middleware server on the Internet [Woot Woot].

Bug 1: Code execution on Billing Server
In not much time I was able to Hijack the Middleware server . A small misconfiguration on their webserver lead to this hijack[ I am not allowed to talk about it]. What you see listed in the screenshot are all the connected Setup-box users who are clients to a particular local cable operator. If you notice those red buttons on left. Those could be used to remotely shutdown users cable service in case of a missing payment or something . This was more than enough to explain the criticality but I wanted to find more bugs so that it would be convincing. 

Name:  Screen Shot 2014-08-06 at 3.01.18 am.jpg
Views: 858
Size:  23.3 KB

Bug 2 :Setup Box Hijack [STB]
The above web application allowed one operator to transfer STB to another operator. So for example if a user rahul from city Delhi relocates to city Agra. Then user rahul could get his STB unregistered from the local operator [D] at Delhi and get it reassigned to operator [A ] at Agra and continue using the STB and cable service. 

In the web application there is an option that lists all Existing local operators .Now the transfer takes place on basis of an access key. Operator A need to notify Operator B about the transfer and share his access key to operator B. This Access key implementation was flawed. 

The pseudo code was some what similar:

PHP Code:
<?php $ $apikey "select api_key from apis where username=.'mysql_escape($username)'"; $authenticated strcmp($apikey$_GET['key']); 
if (
$authenticated == 0) { 
"Logged IN !"; 
} else { 
"wrong API!"; 
Old bug PHP < 5.3.* : Passing an array will bypass the check. 
Name:  Screen Shot 2014-08-06 at 3.27.39 am.jpg
Views: 846
Size:  11.9 KB

Php version older than 5.3 strcmp() implementation does not do a strict type checking. And if the input to strcmp function is an array then it returns a Null + warning. So simply enter an array instead of Access-key string. localhost/program.php?key=hacked[] and were able to bypass the key check. Now with this bug any local operator would be able to hijack any other operators STB s with out having a valid access key. 

Name:  Screen Shot 2014-08-06 at 3.37.17 am.jpg
Views: 1156
Size:  20.3 KB

Bug 3: Cable TV Remote shutdown: CSRF bypass.

Name:  Screen Shot 2014-08-06 at 4.08.36 am.jpg
Views: 1654
Size:  16.1 KB

Cable TV Operators control Clients via unique key [Chip ID] as seen in the screenshot.
This is accomplished via API Keys specific to the logged in admin.The implementation was flawed. 
The bug allowed a remote cable operator visiting a malicious webpage to remotely shutdown all Digital TV instances.

API Key Implementation

They had a super secret JS file, which gets dynamically loaded for a given admin.

PHP Code:
<script src=“load_secrets.js”></script> They had some pretty cool anti-stealing code as well.  
function checkUrl()
  var url = get_current_url();
  return url.match(url+'$') == '';
  var api_key = "77d11aea20ff61c6d1e23f044";alert(api_key);
  populateFormFields(super_secret); // Injects this token into the hidden input fields
} else{
  alert('Bad Domain !');
The Bypass:
Attacker can load, <script src=“load_secrets.js”></script>
But, checkAdmin() returns false and the attack would not work.But attacker can bypass this using,

PHP Code:
// From <script> String.prototype.match = function() 
  return [
</script> <script src=“”></script>  
You should check out ahamed nafeez's slides from HITB to learn more cool similar js bugs.

We can host this code cross domain and make "String.prototype.match" , javascript .match() function to always return the value we specify . Any way if a local cable TV operator visits our page then we could now steal his API code hidden in the JS and then could use that to shut down all users in his locality . Remember the shutdown button I mentioned about in the previous bug. We used that shutdown feature to create a working POC. Check out the demo. Now any users cable access could be remotely shut down by an attacker."

About The Author:
Rahul Sasi, He is the member of Garage4Hackers (G4H) is an open group for Infosec enthusiasts. Our purpose is to help others develop through sharing knowledge, spreading security awareness, meeting like minded people, promoting research and obviously having fun in the process.


Post a Comment

Note: only a member of this blog may post a comment.

Toggle Footer