At the Black Hat 2010 conference in Crystal City, the well-known smart card hacker Christopher Tarnovsky explained how he managed to break current Trusted Platform Modules made by Infineon.
This time Tarnovsky managed to read protected data, such as RSA and DES keys, out of the TPM chips. Working out the approach took six months and a lab full of equipment worth about US$ 200,000. Once the exact way to compromise Infineon’s chips had been found, it took only six hours to compromise an Xbox 360’s TPM chip. Note that this is a physical, invasive attack: it requires possession of the chip and a well-equipped lab, and it is not something a remote attacker can carry out.
At Black Hat 2008 in Amsterdam, Tarnovsky said he had been offered US$ 100,000 to crack the Xbox 360’s TPM:
A Microsoft engineer asked: “Did you take an interest in the processor of our Xbox 360 game console?” – “I was offered 100,000 dollars to break it,” says Tarnovsky. “But I replied that that wasn’t enough.”
Readers with a general interest in smart card security should check this Wired.com article, which includes a video featuring Tarnovsky in his security lab.
The forums and news sites are once again full of coverage about a hack of the German pay-TV channel Premiere (soon to be renamed Sky Germany). As we already stated in April 2009, this is a hoax. There is no evidence or proof of it whatsoever. Read on anyway to learn why we believe that searching for such a hack is pointless.
In German forums people are spreading the rumour that the NDS Videoguard encryption used by the German pay-TV channel Premiere has been compromised. As this has not been confirmed, we currently expect it to be a hoax, like the Nagra3 hack that was reported in August 2008.
For completeness we publish a translation of the alleged hackers’ statement (the German original can be found here on Gulli.com):
NDS hack finally confirmed!
In the meantime the NDS hack has been confirmed by an admin and a smartcard distributor. They have been sent pre-programmed white DPSCs (digital pirate smart cards).
At this moment the NDS hack has only been confirmed to be working for Premiere (German pay-TV station). The hack is based on the NDS temp crypthack from October 2008. This was the starting point, in combination with the BlueCryptCam, which also has a weakness in its NDS Videoguard implementation.
With a little modification it then became possible to access and dump the NDS card’s EEPROM and ROM areas. Whether this hack can also be applied to Sky Italia or Great Britain is currently unknown and will take some time.
Kudelski does not seem to be involved in this hack, although this is rumoured.
There won’t be any emulators (emu). The “blue cards”, containing their own operating system, will be released and distributed within the next week. They will be programmable using a Phoenix, CAS3 or Infinity programmer.
More news to come…
Kind regards from the Ukraine
From a technical point of view this statement does not look serious, as the described approach is far too vague. The “NDS temp crypthack” it refers to was an exploit that worked only during the transition phase from Nagra2 Aladin to Nagra3 or NDS Videoguard: some satellite receivers received an unencrypted firmware update over the air that allowed viewers to watch Premiere without any smartcard at all (more information in German here on Dragon-Cam.org). That was a weakness of the receiver firmware, not of the card or its cryptography, and as it was only possible during the transition phase, it is highly unlikely to be the basis for a successful compromise of NDS Videoguard.
Moreover, even if this card were real, we would not expect it to see the light of day. There have not been many NDS hacks in recent years. Besides other “gentlemanly” business practices (read about them on TheRegister.co.uk, in the Denver Business Journal and on Wired.com), NDS, as a company within Rupert Murdoch’s empire, is rumoured to have hired the best investigators to at least monitor the hacking scene’s activities.
Update, March 30, 2009: reliable sources from the scene say this is a hoax. No further information is available at present.
Update, March 31, 2009: we found a nice Wired video in which Tarnovsky, one of the best known hackers on the planet, describes how to hack today’s smart cards. It “only” takes some equipment and a “little” bit of experience ;-)