[FoRK] Pwnage, brought to you by DirecTV

Stephen Williams sdw at lig.net
Fri Sep 7 10:10:37 PDT 2012

Read it and weep.  Bastards, both DirecTV (have you no shame or security expertise?) and the clueless contract owners / 
installers. DirecTV and Dish have arrangements with certain properties that they will not deal directly with the residents, 
forcing them to go through a local contract company for all sales, installation, service, and management.  As long as it is 
competent, responsive, and not too extra expensive, it makes sense when sharing infrastructure like dishes and distribution.  
However, I've just noticed a probably rampant security issue:

We noticed a while ago that extra shows were being recorded, with the info preceded by [number].  We thought that this must have 
been some kind of suggested recording indication.  We would just delete the extra shows.

Then about a week ago, we started getting many more shows preceded with [aa].  Then two days ago nearly everything was deleted 
from our DVR, all of our content except one item, totaling 40+ shows or movies.

That happened once before after a software upgrade of the DVR, but there has been no software update and presumably that is not 
supposed to ever happen even then.

I happened to be examining the system when it reported in a popup "aa has disconnected".  At that point, I realized what was 

The current DirecTV system requires an Internet connection.  To easily support multi-room service, child units connect to coax 
cable that connects all units in the house together to share that Internet connection.  The main unit then provides network 
access over that cable along with antenna signal.  The main unit also connects to the incoming satellite cable, which is 
connected to splitters and amplifiers.  Normally, this would be a private connection to a dish serving a house or individual 
apartment.  To avoid the need for multiple dishes, this complex shares a set of dishes on the roof, which are then amplified and 
distributed to each unit.

The problem seems to be that the splitters used at the level of apartments are bidirectional, not filtering uplink traffic like 
they should.  DirecTV seems to have built their receivers in a way that assumes that any receiver that can get to it over its 
"private" coax network is authorized to connect.  The unit does allow you to enable/disable any connectivity, and it allows you 
to toggle whether other units can delete (which I've now toggled).  However, it has no concept of password or other 
authorization for units.  It implicitly assumes that the coax network is trusted.  Ironically, when configuring the network, it 
cautions you to have a password on your home network (which makes sense if it is wireless).

So, what appears to have been happening is that my receiver was sharing recording listings from two other nearby devices.  We 
were accidentally deleting shows from someone else's unit and someone just deleted everything on our unit.  This was a privacy 
breach because other people could see what we recorded.  Additionally, it was possibly a much worse security breach because it 
is possible there is some way to route other network traffic over this illicit network route.  In other words, our home network 
was in some sense directly connected to other people's home networks.  Hopefully the DVR wouldn't allow arbitrary packet 
routing, but there is no way for us to know.  This is a potentially major security problem.


