>> Welcome to old school hacking Porn Free! And I'd like to introduce Major Malfunction, but before I turn over the mic, I just want to point out that if there's any under age folks in the room, this is going to be a little bit racy, so -- [Applause] Bear that in mind that if your parents are in here with you, you might want to go walk about but that being said -- >> My parents are with me. >> Well, there you go. Major Malfunction! [Applause] >> Thank you. And you'll notice I hadn't actually put my name on the slide, so I was hoping to kind of make this anonymous, so. [Laughter] And I'm sorry by the way if I've just ruined a favorite childhood song tune of yours. You'll never hear that in quite the same light again. And actually, the words even, you know, if you start hearing the words and think of it in this context, it starts to mean different things. It's kind of weird. So let's get on. So I'll make a few disclaimers first. I'm going to do a live demo, the reason this talk is so late is because now in the UK it's after midnight, so draw your own conclusions from that. [Laughter] He says it's going to be a bit salty, I have no idea, it may be a bit salty, it may be a bit Granny, who knows. [Laughter] I have no control over what's going to happen. So the live demo may not work. It may work, but you may wish it hadn't. [Laughter] And some warnings. I believe in responsible disclosure. Everything I do for white hat, I try and disclose bad stuff to people. I am disclosing now there will be sexual content probably, or at least what passes for sex in the UK after midnight. [Laughter] And as it was mentioned earlier, there may be some young people here. We've got some young people here, we've got what was called DEFCON Kids last year, I think it's now Roots, very cool program. So I've made a DEFCON Kids friendly version of this slide. [ Laughter ] >> How inappropriate is that? Actually looking around the room, I was wondering just how appropriate is this talk for DEFCON and there's so many bad people here. What's wrong with you all? Jesus. Didn't you read the synopsis? Actually, the creepy thing is that slide, that's the original. [ Laughter ] >> That's the modified slide. [Laughter] Yeah, a little site called dancing bear. Yeah. Jesus! What the... okay. Okay. So one of my roles here, I'm a goon, I run chem stores. I got given a patch . Yes, you have wasted 15 plus years of your life at DEFCON, so. [Applause] >> So for years one of my jobs has been when we do spot the Fed, now I'm not sure because I'm kind of stuck in the back room and I hear rumors, there are talks and stuff, and I don't really get to see it, we used to do spot the Fed and people would drag it up on the stage, you remember the early days of DEFCON, Feds would try and sneak in, we would see a guy with like, you know, really short hair and loafers and white socks just like, trying to blend in with a Polo shirt and we'd go, ooh, wonder who he could be? So we would drag him up on stage and make them admit they're a Fed and when they did they got a T-shirt that says "I am the Fed." And the guy who spotted them would get a T-shirt that said "I spotted a Fed." Is that still going on? Are people being dragged up on stage? No? Now we need to, you know, we need to introduce that. So anyway these T-shirts have become such a thing that they actually -- oh, dear. [Applause] >> If they make me drink now, it is all gonna go horribly horribly wrong. >>Just keep going. >>Holy crap! >>Bad people! >> Yeah. >> Okay. So while they're getting ready, I'll finish my point, shall I? So in the early days, the criteria for being a Fed was you had to, when you came to claim your T-shirt, I would say, try and figure out if they were a real Fed as far as we were concerned. And the criteria was you had to have power of arrest and you had to carry a sidearm and that's what Feds did, you know, 15 years ago. Since then, we've gone all cyber, and so now you've got cyber Feds, and so we were talking about, well, what's the criteria now? Well, you know, you're a Fed that works in cyber. So you don't need power of arrest, you don't need a sidearm 'cause your weapon is the Interwebs. So-- >>Be quiet! [Laughter] >> He's gonna spoil my big joke! >>All right. So, you know, we do this thing about new speakers but some of us have been here so fucking long, we've rolled over back to 0, so... [ Laughter ] >> I suppose that's fair enough. [Applause] >> All right! Second one? >> No. >> All right. [Laughter] >> Thank you guys, that's very thoughtful of you. Okay. So cyber Feds, so it seems to me the Feds have gone full cyber on us. Now you get an FBI warning at the beginning of your porn. [Laughter] Porn's on the internet, but that doesn't make it cyber, but apparently it does. So the FBI are now the guardians of all porniverse. [Laughter] Imagine some Fed and I wonder if it's just the FBI, or in the UK, you know, the Feds all kind of step on each other's territory, so I'm just wondering if the NSA and the CIA and all those guys are also, oh yeah, we're gonna regulate as well, so. What are you doing tonight darling? I'm working on a really big national important project-- [Laughter] We've got to make sure they're all under 18, it's national security, you know. Did I say under 18? They're fucking me up already, over 18! [Laughter] So just in case you weren't sure where we're going with this talk, that's the quality we're going for, okay? So if youngsters in the room want to stay, well I know that you do, duh. [Laughter] Parents of youngsters in the room, I hold no responsibility for what happens next. Ok, so, obviously, we're going to be talking about some taboo subjects here and we're gonna have to confront some difficult subjects I suppose. And, you know, talk about the origins of this, you know, where did, this is hard. And I've kind of envisioned saying this, I felt like it was going to be a lot easier, but you know, I'm going to have to admit some stuff here. But what do I do, where does this stuff come from? I travel a lot, ok, I'm on my own. [Laughter] I'm in a hotel room, no one to really keep an eye on me and see what I'm doing. You know, people do stuff. And actually, before I go any further, this kind of sexism thing works both ways right, if I was a girl up here, about to say what I'm about to say, some you of, well probably half of you would think it was pretty cool. [Laughter] Some of the guys, too. Sorry. Some of the guys, too. But, you know, a guy doing it, that's just sad, okay, and I do it, well, I must admit, I've been doing it a lot recently. So you know, when I'm on my own I'm not in the room on my own, I admit occasionally I do use -- oh, God! [Laughter] >> Java, so there! [ Laughter ] >> Don't judge me! So I know you guys do, but I'm a Python guy, so I'm kind of used to that semi-strictness, you know, we think we're kind of the hipsters of programming, it's all nice and neat and tidy, but we can, we're free rolling and we do what we like. Not like the Perl guys just all over the shop. So Perl guys, they use Java when they want a bit of strength, you know, so we're used to it, we have to do indentation. So anyway, enough of the disclaimers, we put the difficult bit out of the way and now we're going to get on to the talk, so starring, obviously... [Music Playing] >> That's not me, hang on. There we go! [Laughter] [Music Playing] >> You do realize the descriptions of these pictures are all painted with bodily fluids, right? [Music Playing] >> Ok. Previously seeing stuff I've done before, so I did some hotel TV hacking using infrared. [Applause] >> Thank you. And funnily enough, what came out of that, who knew? There's boobies on the hotel TV. And then I did some satellite hacking. Anyone see that? [Applause] And, guess what? >> All right, all right. You're over stimulated. Let's get some beer in you and then it's right to bed. >>Woohoo! >> That was a bit distorted. She said, "You're over stimulated, let's get some beer in you and get you off to bed." Okay. So in this talk we will also be starring: [Music Playing] >>Which kind? >>Which kind? The BBC. The British Broadcast-- oh, sorry, I'll just play. This is her majesty's television. [Laughter] [Music Playing] So in the UK we didn't have any TV so she said you know, well I'm gonna make me a television company. [Laughter] And we have this thing called the red button. So we're going to be playing with the queen's red button in this, so. [Laughter] Is that wrong? We're going to be looking at a thing called MHEG-5, which is ISO 13522-5 apparently. Otherwise known as how to transmit porn. [Laughter] [Music Playing] >> And the culprit space station extra, so you see in the UK, we only have one X, you guys are all XXX, one X is enough for us because we're British you know. [ Laughter ] [Music Playing] >> And these guys are pornographers, obviously. Television X again, just the one X for you, Brit. And again, pornographers. Okay. Sorry about the background noise. And sorry about the cheesy 70s porno font that's too hard to read. So MHEG, what is MHEG, so it's basically an extra service. It was designed to provide kind of, text, textual services on top of the broadcast TV, but it's a bit more powerful. It's like the old teletext. In fact I call it teletext on steroids so you can do really quite cool things with it, you can actually stream multimedia within your textual environment and you can create games and so on. It's basically an ASN.1 encoded program that's transmitted alongside the video, the digital video and audio and it gives you the ability to create objects, move things around, as I said, stream audio and video, it can store stuff locally for replay or it can pull it off the air. And it kind of looks like this. It's, this is, you'll notice I didn't use the porn font there so you can actually read the bloody thing, but this is -- it's essentially just a very simple programming language. It's interpreted and executed by the TV itself. What could possibly go wrong? [ Laughter ] >> So let's get on to her majesty's red button. So red button is a service that uses MHEG, so on every BBC channel you've got the option to press the red button, so this guy in the top right-hand corner, if I press the red button, it will pop up some MHEG content and we'll start to see, you know, options, what we can do within the channel, so we choose a sub-menu and this is pretty cool, it then minimizes, I mean it's a bit like the EPGs you get on the TV, so that's probably written in something similar, so it minimizes you've got the picture in picture and you can go off and do other stuff but it's designed for information and added value services so it's supposed to enhance the channel you're already watching. But now they've, some bright spot said wow, ooh, we could use it and do something secure with it. So they've created some secure channels that use MHEG. Basically pay per view. So the challenge is how do you create a pay per view system when you don't have an infrastructure for pay per view, you don't have a head in, you don't have a back channel, you know, you don't have any way of injecting a specific authorization code to a specific crypto card that's listening in like a normal encrypted scrambled channel would. So they figured out we can do it with MHEG. [Audio clip: Boobies] Did I say that out loud? So where can you do it? Embedded TV, all modern TVs support MHEG, it happens I have a couple of devices at home, Samsung TV, there's a really good site if you have a Samsung and you are interested in figuring out what goes on under the hood. Samygo.tv. Really detailed stuff. It hasn't actually gone that far, they're still figuring out what they can do with it, at the moment you can pretty much just Telnet to that sort of logging console. On the HUMAX devices they've gotten further, so hummy.tv, they've actually got a complete distribution that you can load on to your HUMAX and you then get SSHX, you got full root onto the box, so that looked like the ideal place to have a go. So here's my HUMAX box, I'm shelled in as root, you can see in slash bin, it's just a standard busy box distribution, so pretty much fair game, anything I want to do I can do on here. I can compile my own code, I can you know, do whatever I want. Unfortunately, it then turned out that the actual executable is just one giant binary, every single function in there is just done in one giant binary, and so it looked like it was going to be pretty hard to actually reverse it, I would have to reverse engineer that entire binary file. So then I thought well, why not just do it, you know, I've already got a PC, there are cheap dongles available, I had the same issue when I was doing satellite hacking. I initially started on an intelligent satellite box on an embedded Linux box and ended up just kind of battling with the Linux, with the distribution and with the functionality of the satellite box in order to do what I wanted. So I'm like okay, screw that, I'll just do it on the PC. Buy a cheap little DVB dongle, plug it in, see what happens. So what happens is you end up with a very simple structure, basically when you start pulling the data out of the stream, you end up with this tree, so you have a direct tree with three subdirectories in it, cash, carousel and services, and in the services directory there's a channel number, and within that, it points at a carousel, and within the carousel there's individual files. There will always be a file called A or Start, and that's the file that runs first. And if you look at it, it's this ASN.1 encode binary blob, and again we've already seen that, if I encode that specific blob, that's what it looks like. The tools are readily and easily available, there's a MHEG encoder and decoder, which will, so it decompiles, so you just take the binary, so you run it through the decompiler and you get nice commented, or not commented but you know, easy to read code. These guys incidentally, is the actual PIDs of embedded or multiplexed streams coming down on the transport stream. Okay, so what are our targets? We've already discussed Television X and BabestationX but there is also this thing called Top Up TV, so there's talk of believe it or not did not start as, oh, I'm going to hack some porn, although obviously it's a benefit. But there was this service called Top Up TV and Top Up TV was basically was what it sounds like, you know, it was extra services, pay per view services doing things like educational programs and so on, so I was curious, that's what got me curious, how secure this stuff is. Then I went to their website. Top Up TV has ceased broadcasting as of last November, it's like, dammit! That's the consumer side. If you click on the business button, oh, well, this is what we do, we have pay TV experts, we can help you do pay TV systems, and BT Sport so I guess they're doing stuff for BT Sport, so maybe there's a target there. So should we look up BT Sport. Obviously not. [Laughter] Unless you're into beach volleyball or something, and it's you know, it's not a very common sport in the UK so forget that. Back to Television X. So how do they use MHEG to create pay per view content. So basically it's very simple, when you connect to the channel, it doesn't give you a video stream, what it gives you is a little program and the program pops up this picture and it says if you want to receive this content, you have to join our little club and it costs you 10 pound a month and you do it by pressing the red button or the blue button and it will then take you to another page and they give you a challenge. So the challenge is basically so this is the text example, so you text this number, 364245 to that number, and you will get back a PIN which you put in here and it will then unlock the screen and take you to the content. If you type 123456 which you do to experiment obviously, wrong PIN, doesn't let you through, you do that three times and it starts again, so the challenge will change, you don't get to brute force that PIN. And so my first idea was okay, well, I've got a running environment, why don't I just freeze it, take a snapshot, and then just go back and brute force, do three, start again, do three, start again so the state is contained and I actually brute force the whole thing but then I realize actually it's a 6-digit number so that's a lot of trouble even for the reward of you know, boobies, so. [Laughter] So I have to come up with a different scheme. BabestationX, same thing, live shows, only they're cheaper, 5 pounds but that's per night actually, so they're not cheaper, really. Press your red button, same deal. Off you go, send that number, get back an unlock code. Put in 123456, PIN is incorrect, please try again, exactly the same deal, you get three or four goes, then it resets. [ Laughter ] >> You've always got to get your toll out in a porno scenario, so. Okay. So that's what we're doing, I'm going to have a go at both of those channels live. [Applause] So, I'm sorry, this will take a few seconds to get going. So I'm going to create a tunnel back to, those of you who saw my satellite talks will have seen I did the same thing at the time my kids weren't that old, and the only TV in the house was connected to the satellite I was hacking, so I hope I didn't scar them for life, I'm not sure what time it was, but, you know, so. -- Say again, oh, you've met my son, and yes, I did, okay, sorry. Okay, so. As I said in the satellite one, sniff that bitches. [Laughter] Okay. Bring up tunnel, oh, it's a good sign! Okay. So we have a tunnel. [ Laughter ] [Applause] >> Demo gods, be good to me. What the fuck's my password? [Laughter] [Applause] Is that long enough? Okay. So I'm logged in, this is my box called Nighty and it's in the attic in a building in Silverton just outside London, and it's got a TV tuner and an antenna. So what I will do is look for the service I'm going to attack, which in this case is Babestation. And it's in Tzap. Okay. So adult Babestation, so the way it works is you need that number, that's the channel number. So I'm going to run RV download, this goes somewhere, it goes somewhere pristine. Okay. I'm dyslexic. RV Download. Okay. So you see the three directories have appeared and if I look in services. We've got our guy, and there's all our files, so that program is pulling down all the MHEG content, so what I can do now is run another process locally which is going to use that as a server to transmit the pron to me so look away boys. You want to be able to see this window 'cause some fun stuff is gonna happen here. So RB browser, remote. This guy. All right. That's live. Okay? [Applause] >> You're minutes away from having to run screaming from the room. [Laughter] So press the red button, we get a challenge. [ Laughter ] Ah! Okay. So what I'm going to do, I'm going to put 123456, and this guy has actually died. Dammit. Doesn't matter how many times you test these things. [ Laughter ] >> Woo! >> For those that didn't hear, he said, can't get it up? Curse you! Happens to everyone, yeah. It may not be fatal. Okay. The annoying thing is we should be seeing a whole bunch of debuggers in this window, so which we're not seeing. And I have no idea why. Try moving out of temp. Okay. Audience participation, now I was hoping we weren't going to go there in this one, so. [Applause] >> Pull two -- no. Some things just can't be unseen. >> Ahh! >> Whoever you are, I love you, you're my new best friend! Well, nearly except I'm still not, OK, screw this. Back to the slides. We'll do another live one in a second. It's a different technique but I have, as you -- so we'll skip over that, hang on. We'll come back to that. [ Laughter ] [Applause] >> Here's what I prepared earlier. So same deal, three windows. >> How about some porn music? No, I think I'll pass on that one. Okay. So yeah, as you saw, same deal, we're downloading the stuff, here we have -- this is what should have happened. Okay? And pay attention to the top left-hand screen, or it's the bottom screen, okay. So notice it's doing, the debuggers are actually showing me what numbers are being compared, so it compared integer 987862 which is our challenge to 999999, okay, so it just does that during its startup. I'm now going to type in 123456. Oh my God! [Applause] At this point, it crashed, of course. But in a way that was good, because it's prolonging the whole experience! [Laughter] I've done like one line of code, I've put one line of debugging in and I've dialed into the, you know, I've got into the system and I started the process of hacking into it, and who would have thought, after three minutes on a porn channel, I'd be feeling unsatisfied, it's, you know. So restart the process, try again. So this time our pin is 738461. Bam! [ Laughter ] [Applause] >> Don't look kids! [ Laughter ] That was close! [ Laughter ] >> So the other thing, I thought well, that's all very well but I don't want to be watching high quality content like that on my crappy little screen, I want to be able to do that from my TV, so don't want to hack the TV but maybe I can just use the PC to get me the code and the, you know, watch it on the TV. So I wrote a little script in Python. [ Laughter ] >> You tell it what channel you want, you tell it the challenge, and you tell it you want to do it over the air, so this is going to pull the live stream, extract the sorts, 'cause they use a sort, hint hint, for those that are gonna have a go at this, so PIN for that challenge is 299517. Incidentally, the debugging process, for figuring out their algorithm was maybe 2 more lines of code, so, you know. So we've got the PIN. How am I doing? Demo gods don't love me. Come on, next slide. Dear God! [ Laughter ] >> What the hell is it even called these days? Impress, isn't it? Die. [ Laughter ] >> Yeah. Let's try that again. [ Laughter ] >> Okay. Let's try that one. [Applause] >>Anyone remember the PIN? [ Laughter ] >> 299. [ Laughter ] >> Woohoo! [Applause] >> Boobies! Stop. I'm trying, I'm trying, honestly. [ Laughter ] >> I love my job! [Laughter] Okay. We have genuinely got a major meltdown here, so... okay. So let's go back to live and see if we can do TVX, why not? We've got time. So TVX was a different, TelevisionX was a completely different proposition, because that guy was just so easy, I mean, it was ridiculous, as I say, very unsatisfactory. Television X, they appear to be doing some actual real crypto, when I started debugging it was like endless calls to a loop, doing really complicated maths, I was going round and round and round, and it took me a couple of hours to think no, I'm not going down this route, I'm just spending way too much time on this. There must be an easier way. So if you remember the process, the process is you download a stream and the TV then interprets that stream and it acts, it turns it into a program and it acts on the program. Well, if what is happening is the program is saying I'm going to check this PIN and I'm going to do all this crypto and then I'm going to, if it's correct, I'm going to jump to this page and if it's not correct I'm going to jump to this page, how hard can it be, right? So we have a startup file pre-prepared which I've recompiled, I've decompiled, changed the way the instruction goes and then recompiled it, so we should be able to, assuming nothing is running still, we're going to look for . . . Still going. Okay. So just to make sure it really is locked, we do an RB. Oh God I'm an idiot, look, here but my debugger is coming up in this window. [Laughter] Okay. I'm a tool. So here we are, Television X live and locked. So all I'm going to do now is copy my startup poned to the services, 15 startup. So I'm overwriting the existing one and then go back to my browser, bam. [Applause] >> That's all I've got. [Applause] So if anyone dares to admit they have a question -- [ Laughter ] >> Q and A mic, so not only do you have to admit you have a question, you have to come and stand in front of the whole audience. No, I didn't think so, okay. Okay. Well that was it, it was just a bit of fun, and I thought it was fun, so thank you. [Applause]