Jump to content

Pirate decryption: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
m Reverted edits by 41.107.28.24 (talk) to last version by BD2412
Line 110: Line 110:
Along with modifying original cards, it is possible to use the information provided by the smart card to create an encryption emulator. This, in turn, can be [[Computer programming|programmed]] into a cable or satellite receiver's internal software, and offered for download on the internet as a [[firmware]] upgrade. This allows access to the encrypted channels by those who do not even own a smart card. In recent times, many underground [[Internet forum|forum]] websites dedicated to the hobby of satellite piracy and encryption emulated [[Free To Air]] (FTA) receivers have been set up, giving up to date information on [[Satellite television|satellite]] and [[Cable television|cable]] [[Copyright infringement|piracy]], including making available firmware downloads for receivers, and very detailed encryption system information available to the public.
Along with modifying original cards, it is possible to use the information provided by the smart card to create an encryption emulator. This, in turn, can be [[Computer programming|programmed]] into a cable or satellite receiver's internal software, and offered for download on the internet as a [[firmware]] upgrade. This allows access to the encrypted channels by those who do not even own a smart card. In recent times, many underground [[Internet forum|forum]] websites dedicated to the hobby of satellite piracy and encryption emulated [[Free To Air]] (FTA) receivers have been set up, giving up to date information on [[Satellite television|satellite]] and [[Cable television|cable]] [[Copyright infringement|piracy]], including making available firmware downloads for receivers, and very detailed encryption system information available to the public.


Upon gaining the knowledge that their system has been compromised, the smart card providers often have several counter measure systems against unauthorised viewing, which can be put in place over the air, in most cases causing virtually no disruption to legitimate viewers. The simplest form of counter measure is a key change. This simply halts viewing for those viewing without authorisation temporarily, since the new key can easily be accessed in the hacked card, and implemented. There are often other more complicated procedures which update a part of the smart card in order to make it inaccessible. These procedures can also, however, be hacked, once again allowing access. This leads to a game of "cat and mouse" between the smart card provider, and the hackers. This, after several stages of progression, can leave the smart card provider in a situation where they no longer have any further counter measures to implement. This leaves them in a situation where they must perform a card and encryption change with all legitimate viewers, in order to eliminate the viewing of the service without permission, at least for the foreseeable future.
Upon gaining the knowledge that their system has been compromised, the smart card providers often have several counter measure systems against unauthorised viewing, which can be put in place over the air, in most cases causing virtually no disruption to legitimate viewers. The simplest form of counter measure is a key change. This simply halts viewing for those viewing without authorisation temporarily, since the new key can easily be accessed in the hacked card, and implemented. There are often other more complicated procedures which update a part of the smart card in order to make it inaccessible. These procedures can also, however, be hacked, once again allowing access. This leads to a game of "[[cat and mouse]]" between the smart card provider, and the hackers. This, after several stages of progression, can leave the smart card provider in a situation where they no longer have any further counter measures to implement. This leaves them in a situation where they must perform a card and encryption change with all legitimate viewers, in order to eliminate the viewing of the service without permission, at least for the foreseeable future.


Such has been the success of implementing new smart card systems, that another form of smart card piracy has grown in popularity. This method is called [[card sharing]], which works by making available the smart card decoding information in real time to other users, via a computer network. Police monitoring of unsecured card sharing networks has led to prosecutions.
Such has been the success of implementing new smart card systems, that another form of smart card piracy has grown in popularity. This method is called [[card sharing]], which works by making available the smart card decoding information in real time to other users, via a computer network. Police monitoring of unsecured card sharing networks has led to prosecutions.

Revision as of 15:24, 19 December 2011

Pirate decryption most often refers to the reception of compromised pay TV or pay radio signals without authorization from the original broadcaster. The term "pirate" in this case is used in the sense of copyright infringement and has little or nothing to do with sea piracy or pirate radio, which involved the operation of a small broadcast radio station without lawfully obtaining a license to transmit. The MPAA and other organizations which try to protect copyright and licensing agreements often call such decryption "signal theft"[1] even though there is no direct tangible loss.

History

The concept of pay TV is almost as old as TV itself and involves a broadcaster deliberately transmitting signals in a non-standard, scrambled or encrypted format in order to charge viewers a subscription fee for the use of a special decoder needed to receive the scrambled broadcast signal.

Early pay TV broadcasts in countries such as the United States used standard over-the-air transmitters; many restrictions applied as anti-siphoning laws were enacted to prevent broadcasters of scrambled signals from engaging in activities to harm the development of standard free-to-air commercial broadcasting. Scrambled signals were limited to large communities which already had a certain minimum number of unencrypted broadcast stations, relegated to certain frequencies. Restrictions were placed on access of pay TV broadcasters to content such as recent feature films in order to give free TV broadcasters a chance to air these programs before they were siphoned away by pay channels.

Under these conditions, the pay TV concept was very slow to become commercially viable; most television and radio broadcasts remained in-the-clear and were funded by commercial advertising, individual and corporate donations to educational broadcasters, direct funding by governments or license fees charged to the owners of receiving apparatus (the BBC in the UK, for example).

Pay TV only began to become common after the widespread installation of cable television systems in the 1970s and 1980s; early premium channels were most often movie broadcasters such as the US-based Home Box Office and Cinemax, both currently owned by Time Warner. Signals were obtained for distribution by cable companies using C-band satellite dish antennae of up to ten feet in diameter; the first satellite signals were originally unencrypted as extremely few individual end-users could afford the large and expensive satellite receiving apparatus.

As satellite dishes became smaller and more affordable, most satellite signal providers adopted various forms of encryption in order to limit reception to certain groups (such as hotels, cable companies, or paid subscribers) or to specific political regions. Nowadays some free-to-air satellite content in the USA still remains, but many of the channels still in the clear are ethnic channels, local over-the-air TV stations, international broadcasters, religious programming, backfeeds of network programming destined to local TV stations or signals uplinked from mobile satellite trucks to provide live news and sports coverage.

Specialty channels and premium movie channels are most often encrypted; in most countries, broadcasts consisting of explicit pornography must always be encrypted to prevent reception by those who wish not to be exposed to this sort of "adult content."

Technical issues

Initial attempts to encrypt broadcast signals were based on analogue techniques of questionable security, the most common being one or a combination of techniques such as:

  • Weakening or attenuating specific portions of the video signal, typically those required to maintain synchronization.
  • Inverting video signals so that white becomes black (and vice-versa).
  • Adding an interfering signal at one specific frequency which could be simply filtered out at a suitably equipped receiver.
  • Moving the audio portion of the signal to some other frequency or sending it in a non-standard format.

These systems were designed to provide decoders to cable operators at low cost; a serious tradeoff was made in security. Some analogue decoders were addressable so that cable companies could turn channels on or off remotely, but this only gave the cable companies control of their own descramblers — valuable if needed to deactivate a stolen cable company decoder but useless against hardware designed by signal pirates.

The first encryption methods used for big-dish satellite systems used a hybrid approach; analogue video and digital encrypted audio. This approach was somewhat more secure, but not completely free of problems due to piracy of video signals.

Direct broadcast satellites and digital cable services, because of their digital format, are free to use more robust security measures such as the Data Encryption Standard (DES) or the RSA and IDEA digital encryption standards. When first introduced, digital DBS broadcasts were touted as being secure enough to put an end to piracy once and for all. Often these claims would be made in press releases.

The enthusiasm was short-lived. In theory the system was an ideal solution, but some corners had been cut in the initial implementations in the rush to launch the service. The first US DirecTV smart cards were based on the BSkyB VideoCrypt card known as the Sky 09 card. The Sky 09 card had been introduced in 1994 as a replacement for the compromised Sky 07 card. It, the Sky 09 card, had been totally compromised in Europe at the time (1995). The countermeasure employed by NDS Group, the designers of the VideoCrypt system was to issue a new smartcard (known as the Sky 10 card) that included an ASIC in addition to the card's microcontroller. This innovation made it harder for pirates to manufacture pirate VideoCrypt cards. Previously, the program in the Sky card's microcontroller could be rewritten for other microcontrollers without too much difficulty. The addition of an ASIC took the battle between the system designers and pirates to another level and it bought BSkyB at least six months of almost piracy-free broadcasting before the pirate Sky 10 cards appeared on the market in 1996. Initial pirate Sky 10 cards had an implementation of this ASIC but once supplies ran out, pirates resorted to extracting the ASICs from deactivated Sky cards and reusing them.

The first US DirecTV "F" card did not contain an ASIC and it was quickly compromised. Pirate DirecTV cards based on microcontrollers that were often ironically more secure than that used in the official card became a major problem for DirecTV. Similar errors had been made by the developers of the UK's terrestrial digital Xtraview Encryption System, which provided no encryption and relied on hiding channels from listings.

The DirecTV "F" card was replaced with the "H" card, which contained an application-specific integrated circuit to handle decryption. However, due to similarities between the "H" and other existing cards, it became apparent that while the signal could not be received without the card and its ASIC, the card itself was vulnerable to tampering by reprogramming it to add channel tiers or additional programming, opening TV channels to the prying eyes of the pirates.

Two more card swaps would be necessary before the piracy headaches at DirecTV would finally go away; a number of other providers are also in the middle of swapping out all of their subscribers' smartcards due to compromised encryption methods or technology.

A number of vulnerabilities exist even with digital encryption:

  • The same algorithm is used, potentially, for millions of subscribed receivers and or smartcards. The designers have the choice of using their own custom, and secret algorithm or using a publicly tested one. The first approach is often referred to as security by obscurity. It can work well if the technology and the algorithm are robust. This approach also has a hidden catch for any potential pirate in that he would have to understand and emulate the custom algorithm in order to implement a pirate device.
  • With many digital TV encryption systems relying on smartcards for their security, any compromise of the smartcard would require a complete replacement of all smartcards being used. That could potentially involve the replacement of millions of smartcards. On a system with a low number of subscribers, the smartcards can be replaced periodically. However as the number of subscribers grows, the cost of replacing the smartcards and the logistics of the replacement encourages the system users to try to get the longest use out of the smartcards before replacement. The chances of a fatal compromise on the smartcard increases as the time between replacement increases.
  • Any compromise of the smartcard or algorithm will become public quickly. Computers and Internet can be used to make crucial design details publicly available. Internet sites may be located offshore in countries where local laws permit the information and software to be distributed openly; some of the more notorious software distributed to pirates ranges from NagraEdit (a program intended to edit the information stored on Swiss-designed Kudelski NagraVision 1 smartcards) to firmware which may be used to reprogram some free-to-air set-top boxes or desktop PCs equipped with Digital Video Broadcasting (DVB) tuner cards to permit them to decode encrypted broadcasts.
  • The secrecy of any algorithm is only as trustworthy as the people with access to the algorithm; if any of them were to divulge any of the design secrets, every card with the compromised algorithm may need to be replaced for security to be restored. In some cases, outside personnel (such as those employed by lawyers in the NDS vs. DirecTV intellectual property lawsuit over the P4 card design) may obtain access to key and very sensitive information, increasing the risk of the information being leaked for potential use by pirates.
  • If less secure encryption is used due to processor limitations on the smartcards, the system is vulnerable to cryptographic attack using distributed processing. While most secure Internet and online banking transactions require 128-bit encryption, 56-bit codes are not uncommon in video encryption. A cryptographic attack against a 56-bit DES code would still be prohibitively time-consuming on a single processor. A distributed approach in which many users each run software to scan just a portion of the possible combinations, then upload results to one or more central points on a network such as the Internet, may provide information of value to pirates who wish to break security. Distributed processing attacks were used, successfully in some cases, against the D2-MAC/EuroCrypt system used in Europe during the 1990s.
  • The resources available for reverse engineering increase significantly if a direct competitor with smartcard manufacturing knowledge were to attempt to maliciously compromise the system. Integrated circuits may be vulnerable to microprobing or analysis under an electron microscope once acid or chemical means have been used to expose the bare silicon circuitry. One lawsuit has already been launched by Canal+, dropped as the result of the one billion Euro deal to sell TelePiu (Italy), then continued by Echostar (USA). The suit alleged that competitor NDS Group had maliciously used reverse engineering to obtain the computer programs contained within various pay-TV smartcards (including SECA and Nagra cards) and allowed the results had been posted to Internet sites such as the notorious DR7.com.

On May 15, 2008 a jury in the Echostar vs NDS civil lawsuit(8:2003cv00950) awarded Echostar just over $1500 USD in damages, Echostar original sought 1 billion in damages from NDS however a jury was not convinced of the allegations Echostar had made against NDS and awarded damages only for the factual claims that were proven and for which the jury believed an award should be given in accordance with the laws of the United States.

  • The signals moving between the smartcard and the receiver can be easily intercepted and analyzed. They can be vulnerable to a "glitch" by which the incoming power and clock signals are disrupted for a short and carefully timed length of time (such as a millionth of a second) in order to cause the processor to skip an instruction. In many cases, off-the-shelf hardware with modified firmware designed to exploit this weakness was sold to pirates for use in tampering with cards for the US-based DirecTV system.
  • In some cases, buffer overflow exploits have been used to gain access to otherwise locked cards in order to reprogram them.
  • A scheme to monitor the exact instantaneous power consumption of smartcards as they make their computations also provides clues as to what type of computations are being performed.

In some cases, fraudulent cloning has been used to assign identical serial numbers to multiple receivers or cards; subscribe (or unsubscribe) one receiver and the same programming changes appear on all of the others. Various techniques have also been used to provide write protection for memory on the smartcards or receivers to make deactivation or sabotage of tampered cards by signal providers more difficult.

Systems based on removable smartcards do facilitate the implementation of renewable security, where compromised systems can be repaired by sending new and redesigned cards to legitimate subscribers, but they also make the task of replacing smartcards with tampered cards or inserting devices between card and receiver easier for pirates. In some European systems, the conditional access module (CAM) which serves as a standardized interface between smartcard and DVB receiver has also been targeted for tampering or replaced by third-party hardware.

Improvements in hardware and system design can be used to significantly reduce the risks of any encryption system being compromised, but many systems once thought secure have been proven vulnerable to sufficiently sophisticated and malicious attackers.

Two-way communication has also been used by designers of proprietary digital cable TV equipment in order to make tampering more difficult or easier to detect. A scheme involving the use of a high-pass filter on the line to prevent two-way communication has been widely promoted by some unscrupulous individuals as a means of disabling communication of billing information for pay-per-view programming but this device is effectively worthless as a cable operator remains free to unsubscribe a digital set-top box if two-way communication has been lost. As a device intended to pass signals in one direction only, the line filters offer nothing that couldn't be done (with the same results) by an inexpensive signal booster - a simple one-way RF amplifier already widely available cheaply and readily for other purposes. Also, many such boxes will disallow access to pay-per-view content after a set number of programs are watched before the box can transmit this data to the headend, further reducing the usefulness of such a filter.

Terminology and Definitions

Some of the terminology used to describe various devices, programs and techniques dealing with Pay-TV piracy is named for the particular hacks. The "Season" interface for example is named after the Season7 hack on Sky TV which allowed a PC to emulate a legitimate Sky-TV smartcard. The Season7 referred to the seventh and final season of Star Trek: The Next Generation which was then showing on Sky One. The "Phoenix" hack was named after the mythical bird which can reanimate itself. The hack itself reactivated smartcards that had been switched off by the providers.

Some of the terminology used on Internet discussion sites to describe the various devices, programs and techniques used in dealing with video piracy is strange, non-standard, or specific to one system. The terms are often no different to the brandnames used by legitimate products and serve the same function.

ISO/IEC 7816 smartcard terminology

  • ATR is the answer-to-reset data from an ISO/IEC 7816-compliant smartcard. A card reader would provide power, clock and reset signals to a smartcard, along with a bidirectional serial data interface to permit communication. On reset, the card would send a standard block of serial data (nominally at 9600 bit/s) to identify the card type and indicate the desired bitrate for further communication. The frequency of clock to be supplied may vary from one system or card type to another as it appears not to have been specified in the ISO standard.
  • A smart card reader is a device that allows a computer to communicate with a smartcard. Technically, these are simple devices consisting of a smartcard socket, some voltage level conversion circuitry and a crystal oscillator to supply the card with its clock signal. Early models were connected to the serial port on computers so the interface circuitry had to convert between the ISO/IEC 7816 card voltage levels and the RS-232 voltage levels used by the computer's serial port. More recent models use a USB connection to the computer. The simplest of earlier devices was the Phoenix interface. More sophisticated readers are often used in systems where the personal computer itself is to be secured using smartcard systems.
  • AVR and ATmega are trade names for a series of general-purpose 8-bit microcontroller chips manufactured by Atmel Corporation. The terms have been misused widely to refer to blank smartcards or various other hardware devices which were built around these processors. The widely available European funcard series of blank generic ISO/IEC 7816 smartcards were based upon the Atmel processor series; there was also a PIC card based on the Microchip Corporation PIC series of processors.
  • Emulation refers to the use of a personal computer in place of a smartcard using an ISO/IEC 7816-compatible "Season" interface. The PC, as far as the decoder is concerned, becomes a legitimate smartcard due to the program running on it. The program responds like a legitimate smartcard. Sometimes, for development purposes, the PC is programmed to simulate the entire instruction set of the smartcard's microcontroller to allow smartcard code to be developed more readily. As some encryption systems require an application-specific IC (ASIC) on the card to perform decryption, a pirate would also use a card which had been "auxed" (reprogrammed to pass received computer data directly to the application-specific decryption chip) in order to employ such an emulation system. Alternatively, pirates can sometimes emulate the functionality of the ASIC itself to gain access to the encrypted data.
  • A looped smartcard is one where defective or malicious program code written to non-volatile memory causes the smartcard's microcontroller to enter an endless loop on power-up or reset, rendering the card unusable. This is typically a countermeasure used by encryption system owners to permanently deactivate smartcards. In many cases, not even the ISO/IEC 7816 ATR message would be sent. Unloopers were smartcard repair stations intended to cause the card to skip one or more instructions by applying a "glitch" in some form to the power or clock signal in the hope of allowing the smartcard's microcontroller to exit from the endless loop.
  • Bootloaders were hardware which used a similar "glitch" to break a card out of an endless loop on power-up each time the card was used; these did not provide any smartcard reprogramming ability. These could permit DirecTV "H" cards (now no longer in use) to operate despite the permanent damage done by malicious code during the "Black Sunday" attack of 2001. These devices are currently believed to be obsolete.

Receiver (IRD) and microprocessor terminology

  • DVB is an international standard for digital video broadcasting used by virtually all European broadcasters; some North American providers use incompatible proprietary standards such as DSS (DirecTV) or DigiCipher (Motorola) which predate the DVB standardisation effort. The packet size, tables and control information transmitted by proprietary systems require proprietary non-DVB receivers, even though the video itself nominally in some form will often still adhere to the MPEG-2 image compression standard defined by the Moving Picture Experts Group.
  • An IRD is an integrated receiver-decoder, in other words a complete digital satellite TV or radio receiver; "decoder" in this context refers not to decryption but to the decompression and conversion of MPEG video into displayable format.
  • FTA is often used to refer to receivers and equipment which contain no decryption hardware, built with the intention of being able to receive unencrypted free-to-air broadcasts; more properly FTA refers to the unencrypted broadcasts themselves.
  • A CAM or conditional access module is defined by the DVB standard as an interface between a standardised DVB Common Interface receiver and one or more proprietary smartcards for signal decryption. It is not the smartcard itself. The standard format of this module follows PCMCIA specifications; some receivers bypass the requirement for a separate module by providing embedded CAM functionality in the receiver to communicate with specific proprietary smartcards such as Nagravision, Conax, Irdeto, Viaccess, Betacrypt. In the North American market, most "package receivers" sold by signal providers provide embedded CAM operation; terminology is therefore often misused to misidentify the smartcard as a CAM.
  • JTAG is a standard test interface defined by the Joint Test Action Group and supported on many late-model digital receivers for factory test purposes. Operating using a six-wire interface and a personal computer, the JTAG interface was originally intended to provide a means to test and debug embedded hardware and software. In the satellite TV world, JTAG is most often used to obtain read-write access to nonvolatile memory within a digital receiver; initially programs such as Wall and JKeys were used to read box keys from receivers with embedded CAMs but JTAG has since proven its legitimate worth to satellite TV fans as a repair tool to fix receivers where the firmware (in flash memory) has been corrupted.
  • The Sombrero de Patel is another device used to obtain direct memory access to a receiver without physically removing memory chips from the board to place them in sockets or read them with a specialized device programmer. The device consists of a standard PLCC integrated circuit socket which has been turned upside-down in order to be placed directly over a microprocessor already permanently soldered to a printed circuit board in a receiver; the socket makes electrical contact with all pins of the microprocessor and is interfaced to one or more microcontrollers which use direct memory access to pause the receiver's microprocessor and read or write directly to the memory. The term sombrero is used for this hack as the novel use of an inverted IC socket somewhat resembles a hat being placed upon the main processor.

SmartCard Piracy

Smart card piracy involves the illegitimate use of conditional access smart cards, in order to gain, and potentially provide to others, unauthorised access to pay-TV or even private media broadcasts. Smart card piracy generally occurs after a breach of security in the smart card, exploited by computer hackers in order to gain complete access to the card's encryption system.

Once access has been gained to the smart card's encryption system, the hacker can perform changes to the card's internal information, which in turn tricks the conditional access system into believing that it has been allowed access, by the legitimate card provider, to other television channels using the same encryption system. In some cases, the channels do not even have to be from the same television provider, since many providers use similar encryption systems, or use cards which have the capacity to store information for decoding those channels also. The information on how to hack the card is normally held within small, underground groups, to which public access is not possible. Instead, the hacking groups may release their hack in several forms. One such way is simply to release the encryption algorithm and key. Another common release method is by releasing a computer program which can be used by the smart card user to reprogram their card. Once complete, the now illegally modified smart card is known as a "MOSC." (Modified Original Smart Card). A third such method, more common in recent times, is to sell the information gained on the encryption to a third party, who will then release their own smart card, such as the K3 card. This third party, for legal reasons, will then use a fourth party to release encrypted files, which then allow the card to decode encrypted content.

Along with modifying original cards, it is possible to use the information provided by the smart card to create an encryption emulator. This, in turn, can be programmed into a cable or satellite receiver's internal software, and offered for download on the internet as a firmware upgrade. This allows access to the encrypted channels by those who do not even own a smart card. In recent times, many underground forum websites dedicated to the hobby of satellite piracy and encryption emulated Free To Air (FTA) receivers have been set up, giving up to date information on satellite and cable piracy, including making available firmware downloads for receivers, and very detailed encryption system information available to the public.

Upon gaining the knowledge that their system has been compromised, the smart card providers often have several counter measure systems against unauthorised viewing, which can be put in place over the air, in most cases causing virtually no disruption to legitimate viewers. The simplest form of counter measure is a key change. This simply halts viewing for those viewing without authorisation temporarily, since the new key can easily be accessed in the hacked card, and implemented. There are often other more complicated procedures which update a part of the smart card in order to make it inaccessible. These procedures can also, however, be hacked, once again allowing access. This leads to a game of "cat and mouse" between the smart card provider, and the hackers. This, after several stages of progression, can leave the smart card provider in a situation where they no longer have any further counter measures to implement. This leaves them in a situation where they must perform a card and encryption change with all legitimate viewers, in order to eliminate the viewing of the service without permission, at least for the foreseeable future.

Such has been the success of implementing new smart card systems, that another form of smart card piracy has grown in popularity. This method is called card sharing, which works by making available the smart card decoding information in real time to other users, via a computer network. Police monitoring of unsecured card sharing networks has led to prosecutions.

Virtually every common encryption system is publicly known to have been compromised. These include Viaccess, Nagravision, SECA Mediaguard and Conax. The MediaCipher system, owned by Motorola, along with Scientific Atlanta's PowerKEY system, are the only digital TV encryption systems which have not publicly been compromised. This is largely thanks to there being no PC card Conditional Access Modules (CAMs) available for either encryption system.

Despite the unauthorised decryption of media being illegal in many countries, smart card piracy is a crime which is very rarely punished, due to it being virtually undetectable, particularly in the case of satellite viewing. Laws in many countries do not clearly specify whether the decryption of foreign media services is illegal or not. This has caused much confusion in places such as Europe, where the proximity of many countries, coupled with the large land mass covered by satellite beams, allows signal access to many different providers. These providers are reluctant to pursue criminal charges against many viewers as they live in different countries. There have, however, been several high profile prosecution cases in the USA, where satellite dealers have been taken to court resulting in large fines or jail time.[1]

Political issues

In some countries such as Canada and many Caribbean nations, the black market in satellite TV piracy is closely tied to the gray market activity of using direct broadcast satellite signals to watch broadcasts intended for one country in some other, adjacent country. Many smaller countries have no domestic DBS operations and therefore few or no legal restrictions on the use of decoders which capture foreign signals.

The refusal of most providers to knowingly issue subscriptions outside their home country leads to a situation where pirate decryption is perceived as being one of the few ways to obtain certain programming. If there is no domestic provider for a channel, a grey market (subscribed using another address) or black market (pirate) system is prerequisite to receive many specific ethnic, sport or premium movie services.

Pirate or grey-market reception also provides viewers a means to bypass local blackout restrictions on sporting events and to access hard-core pornography where some content is not otherwise available.

The grey market for US satellite receivers in Canada at one point was estimated to serve as many as several hundred thousand English-speaking Canadian households. Canadian authorities, acting under pressure from cable companies and domestic broadcasters, have made many attempts to prevent Canadians from subscribing to US direct-broadcast services such as Liberty Media's DirecTV and Echostar's Dish Network.

While litigation has gone as far as the Supreme Court of Canada, no judicial ruling has yet been made on whether such restrictions violate the safeguards of the Canadian Charter of Rights and Freedoms which are intended to protect freedom of expression and prevent linguistic or ethnic discrimination. Domestic satellite and cable providers have adopted a strategy of judicial delay in which their legal counsel will file an endless series of otherwise-useless motions before the courts to ensure that the proponents of the grey-market systems run out of money before the "Charter Challenge" issue is decided.

According to K. William McKenzie, the Orillia Ontario lawyer who won the case in the Supreme Court of Canada, a consortium headed by David Fuss and supported by Dawn Branton and others later launched a constitutional challenge to defeat section 9(1)(c) of the Radiocommunication Act on the basis that it breached the guarantee of Freedom of Expression enshrined in section 2 (c) of the Canadian Charter of Rights.

The evidence compiled by Mr. McKenzie from his broadcasting clients in opposition to this challenge was so overwhelming that it was abandoned and the Court ordered that substantial costs be paid by the applicants.

In most cases, broadcast distributors will require a domestic billing address before issuing a subscription; post boxes and commercial mail receiving agencies are often used by grey-market subscribers to foreign providers to circumvent this restriction.

The situation in the US itself differs as it is complicated by the legal question of subscriber access to distant local TV stations. Satellite providers are severely limited in their ability to offer subscriptions to distant locals due to the risk of further lawsuits by local affiliates of the same network in the subscribers home designated market area. California stations have sued satellite providers who distributed New York signals nationally, as the distant stations would have an unfair advantage by broadcasting the same programming three hours earlier.

There is also a small "reverse gray market" for Canadian signals, transmitted with a footprint which sends full-strength DBS signals to many if not all of the contiguous 48 US states. This is desirable not only to receive Canadian-only content, but because some US-produced programs air in Canada in advance of their US broadcast. The question of signal substitution, by which Canadian cable and satellite providers substitute the signal of a local or domestic channel over a foreign or distant channel carrying the same program, is rendered more complex by the existence of a reverse grey market.[clarification needed] Signal substitution had already been the cause of strong diplomatic protests by the United States, which considers the practice to constitute theft of advertising revenue.

The lack of domestic competition for premium movie channels in Canada is one factor encouraging grey-market reception; language is another key issue as most Spanish-language programming in North America is on the US system and most French-language programming is on the Canadian system. A larger selection of sports and ethnic programming is also available to grey-market subscribers.

It could be said that the 1000-channel universe is a reality in North America, but only for the signal pirates as many legal and geographic restrictions are placed on the ability to subscribe to many if not most of the physically available channels.

Other countries such as Iran (Islamic Republic of Iran) and Afghanistan during Taliban rule and Iraq during the Saddam Hussein régime, have attempted to prohibit their citizens from receiving any satellite broadcasts from foreign sources.

The situation in Europe differs somewhat, due to the much greater linguistic diversity in that region and due to the use of standardized DVB receivers capable of receiving multiple providers and free-to-air signals. North American providers normally lock their subscribers into "package receivers" unable to tune outside their one package; often the receivers are sold at artificially low prices and the subscription cost for programming is increased in order to favour new subscribers over existing ones. Providers are also notorious for using sales tactics such as bundling, in which to obtain one desired channel a subscriber must purchase a block of anywhere from several to more than a hundred other channels at substantial cost. Many European companies like British Sky Broadcasting prohibit subscriptions outside of the UK. But other satellite providers like Premiere Germany do sell yearly subscription cards legally to customers in other European countries without the need for an address or other personal information. The latter also applies to virtually all the Adult channel cards sold in Europe.

Counter-piracy techniques

A number of strategies have been used by providers to control or prevent the widespread pirate decryption of their signals.

One approach has been to take legal action against dealers who sell equipment which may be of use to satellite pirates; in some cases the objective has been to obtain lists of clients in order to take or threaten to take costly legal action against end-users. Providers have created departments with names like the "office of signal integrity" or the "end-users group" to pursue alleged pirate viewers.

As some equipment (such as a computer interface to communicate with standard ISO/IEC 7816 smartcards) is useful for other purposes, this approach has drawn strong opposition from groups such as the Electronic Frontier Foundation. There have also been US counter-suits alleging that the legal tactics used by some DBS providers to demand large amounts of money from end-users may themselves appear unlawful or border on extortion.

Much of the equipment is perfectly lawful to own; in these cases, only the misuse of the equipment to pirate signals is prohibited. This makes provider attempts at legal harassment of would-be pirates awkward at best, a serious problem for providers which is growing due to the Internet distribution of third-party software to reprogram some otherwise legitimate free-to-air DVB receivers to decrypt pay TV broadcasts with no extra hardware.

US-based Internet sites containing information about the compromised encryption schemes have also been targeted by lawyers, often with the objective of costing the defendants enough in legal fees that they have to shut down or move their sites to offshore or foreign Internet hosts.

In some cases, the serial numbers of unsubscribed smartcards have been blacklisted by providers, causing receivers to display error messages. A "hashing" approach of writing arbitrary data to every available location on the card and requiring that this data be present as part of the decryption algorithm has also been tried as a way of leaving less available free space for third-party code supplied by pirates.

Another approach has been to load malicious code onto smartcards or receivers; these programs are intended to detect tampered cards and maliciously damage the cards or corrupt the contents of non-volatile memories within the receiver. This particular Trojan horse attack is often used as an ECM (electronic countermeasure) by providers, especially in North America where cards and receivers are sold by the providers themselves and are easy targets for insertion of backdoors in their computer firmware. The most famous ECM incident was the Black Sunday attack launched against tampered DirecTV "H" on 3 January 21, 2001 and intended to destroy the cards by overwriting a non-erasable part of the cards internal memory in order to lock the processor into an endless loop.

The results of a provider resorting to the use of malicious code are usually temporary at best, as knowledge of how to repair most damage tends to be distributed rapidly by hobbyists through various Internet forums. There is also a potential legal question involved (which has yet to be addressed) as the equipment is normally the property not of the provider but of the end user. Providers will often print on the smartcard itself that the card is the property of the signal provider, but at least one legal precedent indicates that marking "this is mine" on a card, putting it in a box with a receiver and then selling it can legally mean "this is not mine anymore". Malicious damage to receiver firmware puts providers on even shakier legal ground in the unlikely event that the matter were ever to be heard by the judiciary.

The only solution which has shown any degree of long-term success against tampered smartcards has been the use of digital renewable security; if the code has been broken and the contents of the smartcard's programming widely posted across the Internet, replacing every smartcard in every subscriber's receiver with one of different, uncompromised design will effectively put an end to a piracy problem. Providers tend to be slow to go this route due to cost (as many have millions of legitimate subscribers, each of which must be sent a new card) and due to concern that someone may eventually crack the code used in whatever new replacement card is used, causing the process to begin anew.

Premiere in Germany has replaced all of its smartcards with the Nagravision Aladin card; the US DirecTV system has replaced its three compromised card types ("F" had no encryption chip, "H" was vulnerable to being reprogrammed by pirates and "HU" were vulnerable to a "glitch" which could be used to make them skip an instruction). Both providers have been able to eliminate their problems with signal piracy by replacing the compromised smartcards after all other approaches had proved to provide at best limited results.

Dish Network and Bell TV had released new and more tamper-resistant smart cards over the years, known as the ROM2, ROM3, ROM10, ROM11 series. All these cards used the Nagravision 1 access system. Despite introducing newer and newer security measures, older cards were typically still able to decrypt the satellite signal after new cards were released (A lack of EEPROM space on the ROM2 cards eventually led to them being unable to receive updates necessary to view programming). In an effort to stop piracy, as by this point the Nagravision 1 system had been thoroughly reverse-engineered by resourceful hobbyists, an incompatible Nagravision 2 encryption system was introduced along with a smart card swap-out for existing customers. As more cards were swapped, channel groups were slowly converted to the new encryption system, starting with pay-per-view and HDTV channels, followed by the premium movie channels. This effort culminated in a complete shutdown of the Nagravision 1 datastream for all major channels in September, 2005. Despite these efforts to secure their programming, a software hack was released in late August, 2005, allowing for the decryption of the new Nagravision 2 channels with a DVB-S card and a PC. Just a few months later, early revisions of the Nagravision 2 cards had been themselves compromised. Broadcast programming currently[when?] uses a simulcrypt of Nagravision 2 and Nagravision 3, a first step toward a possible future shutdown of Nagravision 2 systems.

One of the most severe sentences handed out for satellite TV piracy in the United States was to a Canadian businessman, Martin Clement MULLEN, widely known for over a decade in the satellite industry as "Marty" Mullen.

Mullen was sentenced to seven years prison with no parole and ordered to pay DirecTV and smart card provider NDS Ltd. US$24 million in restitution. He pled guilty in a Tampa, Florida court in September 2003 after being arrested when he entered the United States using a British passport in the name "Martin Paul Stewart".

Mr. Mullen had operated his satellite piracy business from Florida, the Cayman Islands and from his home in London, Ontario Canada. Testimony in the Florida court showed that he had a network of over 100 sub-dealers working for him and that during one six-week period, he cleared US$4.4 million dollars in cash from re-programing DirecTV smartcards that had been damaged in an electronic counter measure.

NDS Inc. Chief of Security John Norris is credited with pursuing Mullen for a decade in three different countries. When Mullen originally fled the United States to Canada in the mid-1990s, Norris launched an investigation that saw an undercover operator (a former Canadian police officer named Don Best) become one of Mullen's sub-dealers and his closest personal friend for over a year. In summer of 2003 when Mullen travelled under another identity to visit his operations in Florida, US Federal authorities were waiting for him at the airport after being tipped off by Canadian investigators working for NDS Inc..

Ironically the NDS Group were accused (in several lawsuits) by Canal+ (dismissed) and Echostar (now DishNetwork) of hacking the Nagra encryption and releasing the information on the internet. The jury awarded EchoStar $45.69 actual damages (one month's average subscription fee) in Claim 3.

See also

References