Pirate decryption most often refers to the reception of compromised
pay TV or pay radio signals without authorization from the original broadcaster.
The term "pirate" in this case is used in the sense of copyright infringement
and has little or nothing to do with sea piracy or pirate radio, which involved
the operation of a small broadcast radio station without lawfully obtaining a
license to transmit. The MPAA and other organizations which try to protect
copyright and licensing agreements often call such decryption "signal
theft".
The concept of pay TV is almost as old as TV itself and involves a
broadcaster deliberately transmitting signals in a non-standard, scrambled or
encrypted format in order to charge viewers a sizeable subscription fee for the
use of a special decoder needed to receive the scrambled broadcast signal.
Early pay TV broadcasts in countries such as the United States used standard
over-the-air transmitters; many restrictions applied as anti-siphoning laws were
enacted to prevent broadcasters of scrambled signals from engaging in activities
to harm the development of standard free-to-air commercial broadcasting.
Scrambled signals were limited to large communities which already had a certain
minimum number of unencrypted broadcast stations, relegated to certain
frequencies. Restrictions were placed on access of pay TV broadcasters to
content such as recent feature films in order to give free TV broadcasters a
chance to air these programs before they were siphoned away by pay
channels.
Under these conditions, the pay TV concept was very slow to become
commercially viable; most television and radio broadcasts remained in-the-clear
and were funded by commercial advertising, individual and corporate donations to
educational broadcasters, direct funding by governments (in the UK for the BBC)
or license fees charged to the owners of receiving apparatus.
Pay TV only began to become common after the widespread installation of cable
television systems in the 1970s and 1980s; early premium channels were most
often movie broadcasters such as the US-based Home Box Office and Cinemax, both
currently owned by Time Warner. Signals were obtained for distribution by cable
companies using C-band satellite dish antennae of up to ten feet in diameter;
the first satellite signals were originally unencrypted as extremely few
individual end-users could afford the large and expensive satellite receiving
apparatus.
As satellite dishes became smaller and more affordable, most satellite signal
providers adopted various forms of encryption in order to limit reception to
certain groups (such as hotels, cable companies, or paid subscribers) or to
specific political regions. Nowadays some free-to-air satellite content in the
USA still remains, but many of the channels still in the clear are ethnic
channels, local over-the-air TV stations, international broadcasters, religious
programming, backfeeds of network programming destined to local TV stations or
signals uplinked from mobile satellite trucks to provide live news and sports
coverage.
Specialty channels and premium movie channels are most often encrypted; in
most countries, broadcasts consisting of explicit pornography must always be
encrypted to prevent reception by those who wish not to be exposed to this sort
of "adult content".
Initial attempts to encrypt broadcast signals were based on analogue
techniques of questionable security, the most common being one or a combination
of techniques such as:
- Weakening or attenuating specific portions of the video signal, typically
those required to maintain synchronization.
- Inverting video signals so that white becomes black (and vice-versa).
- Adding an interfering signal at one specific frequency which could be simply
filtered out at a suitably-equipped receiver.
- Moving the audio portion of the signal to some other frequency or sending it
in a non-standard format.
These systems were designed to provide decoders to cable operators at low
cost; a serious tradeoff was made in security. Some analogue decoders were
addressable so that cable companies could turn channels on or off remotely, but
this only gave the cable companies control of their own descramblers — valuable
if needed to deactivate a stolen cable company decoder but useless against
hardware designed by signal pirates.
The first encryption methods used for big-dish satellite systems used a
hybrid approach; analogue video and digital encrypted audio. This approach was
somewhat more secure, but not completely free of problems due to piracy of video
signals.
Direct broadcast satellites and digital cable services, because of their
digital format, are free to use more robust security measures such as the Data
Encryption Standard (DES) or the RSA and IDEA digital encryption standards. When
first introduced, digital DBS broadcasts were touted as being secure enough to
put an end to piracy once and for all. Often these claims would be made in press
releases.
The enthusiasm was short-lived. In theory the system was an ideal solution,
but some corners had been cut in the initial implementations in the rush to
launch the service. The first US DirecTV smart cards were based on the BSkyB
VideoCrypt card known as the Sky 09 card. The Sky 09 card had been introduced in
1994 as a replacement for the compromised Sky 07 card. The Sky 09 card had
itself been totally compromised in Europe at the time (1995). The countermeasure
employed by NDS Group, the designers of the VideoCrypt system, was to issue a new
smartcard (known as the Sky 10 card) that included an ASIC in addition to the
card's microcontroller. This innovation made it harder for pirates to
manufacture pirate VideoCrypt cards. Previously, the program in the Sky card's
microcontroller could be rewritten for other microcontrollers without too much
difficulty. The addition of an ASIC took the battle between the system designers
and pirates to another level and it bought BSkyB at least six months of almost
piracy-free broadcasting before the pirate Sky 10 cards appeared on the market
in 1996. Initial pirate Sky 10 cards had an implementation of this ASIC but once
supplies ran out, pirates resorted to extracting the ASICs from deactivated Sky
cards and reusing them.
The first US DirecTV "F" card did not contain an ASIC and it was quickly
compromised. Pirate DirecTV cards based on microcontrollers that were often
ironically more secure than that used in the official card became a major
problem for DirecTV. The DirecTV "F" card was replaced with the "H" card, which
contained an application-specific integrated circuit to handle decryption.
However, due to similarities between the "H" and other existing cards, it became
apparent that while the signal could not be received without the card and its
ASIC, the card itself was vulnerable to tampering by reprogramming it to add
channel tiers or additional programming, opening TV channels to the prying eyes
of the pirates.
Two more card swaps would be necessary before the piracy headaches at DirecTV
would finally go away; a number of other providers are also in the middle of
swapping out all of their subscribers' smartcards due to compromised encryption
methods or technology.
A number of vulnerabilities exist even with digital encryption:
- The same algorithm is used, potentially, for millions of subscribed
receivers and/or smartcards. The designers have the choice of using their own
custom, secret algorithm or using a publicly tested one. The first approach
is often referred to as security by obscurity. It can work well if the
technology and the algorithm are robust. This approach also has a hidden catch
for any potential pirate in that he would have to understand and emulate the
custom algorithm in order to implement a pirate device.
- With many digital TV encryption systems relying on smartcards for their
security, any compromise of the smartcard would require a complete replacement
of all smartcards being used. That could potentially involve the replacement of
millions of smartcards. On a system with a low number of subscribers, the
smartcards can be replaced periodically. However as the number of subscribers
grows, the cost of replacing the smartcards and the logistics of the replacement
encourages the system users to try to get the longest use out of the smartcards
before replacement. The chance of a fatal compromise of the smartcard increases
as the time between replacements increases.
- Any compromise of the smartcard or algorithm will become public quickly.
Computers and the Internet can be used to make crucial design details publicly
available. Internet sites may be located offshore in countries where local laws
permit the information and software to be distributed openly; some of the more
notorious software distributed to pirates ranges from NagraEdit (a program
intended to edit the information stored on Swiss-designed Kudelski NagraVision 1
smartcards) to firmware which may be used to reprogram some free-to-air
set-top boxes or desktop PCs equipped with DVB tuner cards to permit them to
decode encrypted broadcasts.
- The secrecy of any algorithm is only as trustworthy as the people with
access to the algorithm; if any of them were to divulge any of the design
secrets, every card with the compromised algorithm may need to be replaced for
security to be restored. In some cases, outside personnel (such as those
employed by lawyers in the NDS vs. DirecTV intellectual property lawsuit over
the P4 card design) may obtain access to key and very sensitive information,
increasing the risk of the information being leaked for potential use by
pirates.
- If less secure encryption is used due to processor limitations on the
smartcards, the system is vulnerable to cryptographic attack using distributed
processing. While most secure Internet and online banking transactions require
128-bit encryption, 56-bit codes are not uncommon in video encryption. A
cryptographic attack against a 56-bit DES code would still be prohibitively
time-consuming on a single processor. A distributed approach in which many users
each run software to scan just a portion of the possible combinations, then
upload results to one or more central points on a network such as the Internet,
may provide information of value to pirates who wish to break security.
Distributed processing attacks were used, successfully in some cases, against
the D2-MAC/EuroCrypt system used in Europe during the 1990s.
- The resources available for reverse engineering increase significantly if a
direct competitor with smartcard manufacturing knowledge were to attempt to
maliciously compromise the system. Integrated circuits may be vulnerable to
microprobing or analysis under an electron microscope once acid or chemical
means have been used to expose the bare silicon circuitry. One lawsuit has
already been launched by Canal+, dropped as the result of the one-thousand
million Euro deal to sell TelePiu (Italy), then continued by Echostar (USA). The
suit alleged that competitor NDS Group had maliciously used reverse engineering
to obtain the computer programs contained within various pay-TV smartcards
(including SECA and Nagra cards) and had allowed the results to be posted to
Internet sites such as the notorious but now defunct DR7.com.
- The signals moving between the smartcard and the receiver can be easily
intercepted and analyzed. They can be vulnerable to a "glitch" by which the
incoming power and clock signals are disrupted for a short and carefully-timed
length of time (such as a millionth of a second) in order to cause the processor
to skip an instruction. In many cases, hardware designed to exploit this
weakness was sold to pirates for use in tampering with cards for the US-based
DirecTV system.
- In some cases, buffer overflow exploits have been used to gain access to
otherwise locked cards in order to reprogram them.
- A scheme to monitor the exact instantaneous power consumption of smartcards
as they make their computations also provides clues as to what type of
computations are being performed.
In some cases, fraudulent cloning has been used to assign
identical serial numbers to multiple receivers or cards; subscribe (or
unsubscribe) one receiver and the same programming changes appear on all of the
others. Various techniques have also been used to provide write protection for
memory on the smartcards or receivers to make deactivation or sabotage of
tampered cards by signal providers more difficult.
Systems based on removable smartcards do facilitate the implementation of
renewable security, where compromised systems can be repaired by sending new and
redesigned cards to legitimate subscribers, but they also make the task of
replacing smartcards with tampered cards or inserting devices between card and
receiver easier for pirates. In some European systems, the conditional access
module (CAM) which serves as a standardized interface between smartcard and DVB
receiver has also been targeted for tampering or replaced by third-party
hardware.
Improvements in hardware and system design can be used to significantly
reduce the risks of any encryption system being compromised, but many systems
once thought secure have been proven vulnerable to sufficiently sophisticated
and malicious attackers.
Two-way communication has also been used by designers of proprietary digital
cable TV equipment in order to make tampering more difficult or easier to
detect. A scheme involving the use of a high-pass filter on the line to prevent
two-way communication has been widely promoted by some unscrupulous individuals
as a means of disabling communication of billing information for pay-per-view
programming but this device is effectively worthless as a cable operator remains
free to unsubscribe a digital set-top box if two-way communication has been
lost. Also, many such boxes will disallow access to pay-per-view content after a
set number of programs are watched before the box can transmit this data to the
headend, further reducing the usefulness of such a filter.
Some of the terminology used to describe various devices, programs and
techniques dealing with Pay-TV piracy is named for the particular hacks. The
"Season" interface for example is named after the Season7 hack on Sky TV which
allowed a PC to emulate a legitimate Sky-TV smartcard. The Season7 referred to
the seventh and final season of Star Trek: The Next Generation which was then
showing on Sky One. The "Phoenix" hack was named after the mythical bird which
can reanimate itself. The hack itself reactivated smartcards that had been
switched off by the providers.
Some of the terminology used on Internet discussion sites to describe the
various devices, programs and techniques used in dealing with video piracy is
strange, non-standard, or specific to one system. The terms are often no
different to the brand names used by legitimate products and serve the same
function.
- ATR is the answer-to-reset data from an ISO7816-compliant smartcard. A card
reader would provide power, clock and reset signals to a smartcard, along with a
bidirectional serial data interface to permit communication. On reset, the card
would send a standard block of serial data (nominally at 9600 bit/s) to identify
the card type and indicate the desired bitrate for further communication. The
frequency of clock to be supplied may vary from one system or card type to
another as it appears not to have been specified in the ISO standard.
- A smart card reader is a device that allows a computer to communicate with a
smartcard. Technically, these are simple devices consisting of a smartcard
socket, some voltage level conversion circuitry and a crystal oscillator to
supply the card with its clock signal. Early models were connected to the serial
port on computers so the interface circuitry had to convert between the ISO 7816
card voltage levels and the RS-232 voltage levels used by the computer's serial
port. More recent models use a USB connection to the computer. The simplest of
earlier devices was the Phoenix interface. More sophisticated readers are
often used in systems where the personal computer itself is to be secured using
smartcard systems.
- AVR and Atmega are trade names for a series of general-purpose
8-bit microcontroller chips manufactured by Atmel Corporation. The terms have
been misused widely to refer to blank smartcards or various other hardware
devices which were built around these processors. The widely-available European
funcard series of blank generic ISO7816 smartcards were based upon the
Atmel processor series; there was also a PIC card based on the Microchip
Corporation PIC series of processors.
- Emulation refers to the use of a personal computer in place of a smartcard
using an ISO 7816-compatible "Season" interface. The PC, as far as the decoder
is concerned, becomes a legitimate smartcard due to the program running on it.
The program responds like a legitimate smartcard. Sometimes, for development
purposes, the PC is programmed to simulate the entire instruction set of the
smartcard's microcontroller to allow smartcard code to be developed more
readily. As some encryption systems require an application-specific IC (ASIC) on
the card to perform decryption, a pirate would also use a card which had been
"auxed" (reprogrammed to pass received computer data directly to the
application-specific decryption chip) in order to employ such an emulation
system.
- A looped smartcard is one where defective or malicious
program code written to non-volatile memory causes the smartcard's
microcontroller to enter an endless loop on power-up or reset, rendering the
card unusable. This is typically a countermeasure used by encryption system
owners to permanently deactivate smartcards. In many cases, not even the ISO
7816 ATR message would be sent. Unloopers were smartcard repair stations
intended to cause the card to skip one or more instructions by applying a
"glitch" in some form to the power or clock signal in the hope of allowing the
smartcard's microcontroller to exit from the endless loop.
- Bootloaders were hardware which used a similar "glitch" to break a
card out of an endless loop on power-up each time the card was used; these did
not provide any smartcard reprogramming ability. These could permit DirecTV "H"
cards (now no longer in use) to operate despite the permanent damage done by
malicious code during the "Black Sunday" attack of 2001. These devices are
currently believed to be obsolete.
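The ATR layout described in the list above can be decoded mechanically. The following Python parser is an added example, not part of the original article; it follows the ISO/IEC 7816-3 byte layout, and the two sample ATRs and the 3.5712 MHz reader clock used to reach 9600 bit/s are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Fi (clock rate conversion) and Di (baud rate adjustment) values indexed by
# the high and low nibble of TA1, per ISO/IEC 7816-3. Missing keys are reserved.
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

# Constructed sample ATRs (not taken from any real card).
SAMPLE_T0 = bytes.fromhex("3B1395414243")      # T=0 only, so no checksum byte
SAMPLE_T1 = bytes.fromhex("3B9211011234A4")    # offers T=1, ends with TCK


@dataclass
class Atr:
    convention: str            # "direct" (TS=3B) or "inverse" (TS=3F)
    interface: dict            # interface bytes by name, e.g. {"TA1": 0x95}
    protocols: list            # transmission protocols offered (T values)
    historical: bytes          # card-type identification bytes
    fi: int                    # negotiable clock rate conversion factor
    di: int                    # negotiable baud rate adjustment factor
    tck_ok: Optional[bool]     # None when the ATR carries no checksum

    def bit_rate(self, clock_hz: float) -> float:
        """Bit rate the card asks for, given the reader's clock frequency."""
        return clock_hz * self.di / self.fi


def initial_bit_rate(clock_hz: float) -> float:
    """The ATR itself is always sent with the defaults Fi=372, Di=1."""
    return clock_hz / 372


def parse_atr(raw: bytes) -> Atr:
    if not 2 <= len(raw) <= 33:
        raise ValueError("ATR must be 2..33 bytes long")
    conventions = {0x3B: "direct", 0x3F: "inverse"}
    if raw[0] not in conventions:
        raise ValueError(f"unknown TS byte {raw[0]:#04x}")

    t0 = raw[1]
    n_hist = t0 & 0x0F          # K: number of historical bytes
    y = t0 >> 4                 # Y1: which of TA1..TD1 follow
    pos, i = 2, 1
    interface, t_values = {}, []
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(raw):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"{name}{i}"] = raw[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:
            break
        t_values.append(td & 0x0F)   # low nibble: protocol type T
        y = td >> 4                  # high nibble: presence of next group
        i += 1

    historical = raw[pos:pos + n_hist]
    if len(historical) != n_hist:
        raise ValueError("ATR truncated in historical bytes")
    pos += n_hist

    # TCK is present unless T=0 is the only type indicated (possibly by default).
    tck_ok = None
    if any(t != 0 for t in t_values):
        if pos >= len(raw):
            raise ValueError("ATR missing TCK checksum byte")
        x = 0
        for b in raw[1:pos + 1]:     # XOR of T0..TCK must be zero
            x ^= b
        tck_ok = (x == 0)
        pos += 1
    if pos != len(raw):
        raise ValueError("unexpected trailing bytes after ATR")

    ta1 = interface.get("TA1", 0x11)     # absent TA1 means Fi=372, Di=1
    fi, di = FI_TABLE.get(ta1 >> 4), DI_TABLE.get(ta1 & 0x0F)
    if fi is None or di is None:
        raise ValueError("TA1 uses a reserved Fi/Di index")

    # T=15 marks global interface bytes rather than a real protocol.
    protocols = sorted({t for t in t_values if t != 15}) or [0]
    return Atr(conventions[raw[0]], interface, protocols, historical,
               fi, di, tck_ok)


if __name__ == "__main__":
    for sample in (SAMPLE_T0, SAMPLE_T1):
        atr = parse_atr(sample)
        print(sample.hex(), atr.protocols, atr.historical.hex(),
              atr.bit_rate(3_571_200), atr.tck_ok)
```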
Receiver (IRD) and microprocessor terminology
- DVB is an international standard for digital video broadcasting used by
virtually all European broadcasters; some North American providers use
incompatible proprietary standards such as DSS (DirecTV) or DigiCipher
(Motorola) which predate the DVB standardisation effort. The packet size, tables
and control information transmitted by proprietary systems require proprietary
non-DVB receivers, even though the video itself will often still nominally
adhere, in some form, to the MPEG-2 image compression standard defined by the
Moving Picture Experts Group.
- An IRD is an integrated receiver-decoder, in other words a complete digital
satellite TV or radio receiver; "decoder" in this context refers not to
decryption but to the decompression and conversion of MPEG video into
displayable format.
- FTA is often used to refer to receivers and equipment which contain no
decryption hardware, built with the intention of being able to receive
unencrypted free-to-air broadcasts; more properly FTA refers to the unencrypted
broadcasts themselves.
- A CAM or conditional access module is defined by the DVB standard as an
interface between a standardised DVB Common Interface receiver and one or more
proprietary smartcards for signal decryption. It is not the smartcard itself.
The standard format of this module follows PCMCIA specifications; some receivers
bypass the requirement for a separate module by providing embedded CAM
functionality in the receiver to communicate with specific proprietary
smartcards such as Nagravision, Conax, Irdeto, Viaccess, Betacrypt. In the North American market, most "package receivers"
sold by signal providers provide embedded CAM operation; terminology is
therefore often misused to misidentify the smartcard as a CAM.
- JTAG is a standard test interface defined by the Joint Test Action Group and
supported on many late-model digital receivers for factory test purposes.
Operating using a six-wire interface and a personal computer, the JTAG interface
was originally intended to provide a means to test and debug embedded hardware
and software. In the satellite TV world, JTAG is most often used to obtain
read-write access to nonvolatile memory within a digital receiver; initially
programs such as Wall and JKeys were used to read box keys from receivers with
embedded CAMs but JTAG has since proven its legitimate worth to satellite TV
fans as a repair tool to fix receivers where the firmware (in flash memory) has
been corrupted.
- The Sombrero de Patel is another device used to obtain direct memory
access to a receiver without physically removing memory chips from the board to
place them in sockets or read them with a specialized device programmer. The
device consists of a standard PLCC integrated circuit socket which has been
turned upside-down in order to be placed directly over a microprocessor already
permanently soldered to a printed circuit board in a receiver; the socket makes
electrical contact with all pins of the microprocessor and is interfaced to one
or more microcontrollers which use direct memory access to pause the receiver's
microprocessor and read or write directly to the memory. The term
sombrero is used for this hack as the novel use of an inverted IC socket
somewhat resembles a hat being placed upon the main processor.
In some countries such as Canada and many Caribbean nations, the black market
in satellite TV piracy is closely tied to the gray market activity of using
direct broadcast satellite signals to watch broadcasts intended for one country
in some other, adjacent country. Many smaller countries have no domestic DBS
operations and therefore few or no legal restrictions on the use of decoders
which capture foreign signals.
The refusal of most providers to knowingly issue subscriptions outside their
home country leads to a situation where pirate decryption is perceived as being
one of the few ways to obtain certain programming. If there is no domestic
provider for a channel, a grey market (subscribed using another address) or
black market (pirate) system is prerequisite to receive many specific ethnic,
sport or premium movie services.
Pirate or grey-market reception also provides viewers a means to bypass local blackout restrictions on sporting events and to access
hard-core pornography where some content is not otherwise available.
The grey market for US satellite receivers in Canada at one point was
estimated to serve as many as several hundred thousand English-speaking Canadian
households. Canadian authorities, acting under pressure from cable companies and
domestic broadcasters, have made many attempts to prevent Canadians from
subscribing to US direct-broadcast services such as News Corporation's DirecTV
and Echostar's Dish Network.
While litigation has gone as far as the Supreme Court of Canada, no judicial
ruling has yet been made on whether such restrictions violate the safeguards of
the Canadian Charter of Rights and Freedoms which are intended to protect
freedom of expression and prevent linguistic or ethnic discrimination. Domestic
satellite and cable providers have adopted a strategy of judicial delay in which
their legal counsel will file an endless series of otherwise-useless motions
before the courts to ensure that the proponents of the grey-market systems run
out of money before the "Charter Challenge" issue is decided.
According to K. William McKenzie, the Orillia, Ontario lawyer who won the case
in the Supreme Court of Canada, a consortium headed by David Fuss and supported
by Dawn Branton and others later launched a constitutional challenge to defeat
section 9(1)(c) of the Radiocommunication Act on the basis that it breached the
guarantee of Freedom of Expression enshrined in section 2 (c) of the Canadian
Charter of Rights.
The evidence compiled by Mr. McKenzie from his broadcasting clients in
opposition to this challenge was so overwhelming that it was abandoned and the
Court ordered that substantial costs be paid by the applicants.
In most cases, broadcasters will require a domestic billing address before
issuing a subscription; post boxes and commercial mail receiving agencies are
often used by grey-market subscribers to foreign providers to circumvent this
restriction.
The situation in the US itself differs as it is complicated by the legal
question of subscriber access to distant local TV stations. Satellite providers
are severely limited in their ability to offer subscriptions to distant locals
due to the risk of further lawsuits by local affiliates of the same network in
the subscriber's home designated market area. California stations have sued
satellite providers who distributed New York signals nationally, as the distant
stations would have an unfair advantage by broadcasting the same programming
three hours earlier.
There is also a small "reverse gray market" for Canadian signals, transmitted
with a footprint which sends full-strength DBS signals to many if not all of the
contiguous 48 US states. This is desirable not only to receive Canadian-only
content, but because some US-produced programs air in Canada in advance of their
US broadcast. The question of signal substitution, by which
Canadian cable and satellite providers tamper with foreign or distant broadcasts
on their systems by substituting the signal of a local or domestic channel
carrying the same program, is rendered more complex by the existence of a
reverse grey market. Signal substitution had already been the cause of strong
diplomatic protests by the United States, which considers the practice to
constitute theft of advertising revenue.
The lack of domestic competition for premium movie channels in Canada is one
factor encouraging grey-market reception; language is another key issue as most
Spanish-language programming in North America is on the US system and most
French-language programming is on the Canadian system. A larger selection of
sports and ethnic programming is also available to grey-market subscribers.
It could be said that the 1000-channel universe is a reality in North
America, but only for the signal pirates as many legal and geographic
restrictions are placed on the ability to subscribe to many if not most of the
physically-available channels.
Other countries such as Iran, Afghanistan during Taliban rule and Iraq during
the Saddam Hussein régime, have attempted to prohibit their citizens from
receiving any satellite broadcasts from foreign sources; reception of news
services such as Qatar-based Al Jazeera is the target of restrictive
legislation in some nations.
The situation in Europe differs somewhat, due to the much greater linguistic
diversity in that region and due to the use of standardized DVB (digital video
broadcasting) receivers capable of receiving multiple providers and free-to-air
signals. North American providers normally lock their subscribers into "package
receivers" unable to tune outside their one package; often the receivers are
sold at artificially low prices and the subscription cost for programming is
increased in order to favour new subscribers over existing ones. Providers are
also notorious for using sales tactics such as bundling, in which to obtain one
desired channel a subscriber must purchase a block of anywhere from several to
more than a hundred other channels at substantial cost.
A number of strategies have been used by providers to control or prevent the
widespread pirate decryption of their signals.
One approach has been to take legal action against dealers who sell equipment
which may be of use to satellite pirates; in some cases the objective has been
to obtain lists of clients in order to take or threaten to take costly legal
action against end-users. Providers have created departments with names like the
"office of signal integrity" or the "end-users group" to pursue alleged pirate
viewers.
As some equipment (such as a computer interface to communicate with standard
ISO7816 smartcards) is useful for other purposes, this approach has drawn strong
opposition from groups such as the Electronic Frontier Foundation. There have
also been US counter-suits alleging that the legal tactics used by some DBS
providers to demand large amounts of money from end-users may themselves appear
unlawful or border on extortion.
Much of the equipment is perfectly lawful to own; in these cases, only the
misuse of the equipment to pirate signals is prohibited. This makes provider
attempts at legal harassment of would-be pirates awkward at best, a serious
problem for providers which is growing due to the Internet distribution of
third-party software to reprogram some otherwise legitimate free-to-air DVB
receivers to decrypt pay TV broadcasts with no extra hardware.
US-based Internet sites containing information about the compromised
encryption schemes have also been targeted by lawyers, often with the objective
of costing the defendants enough in legal fees that they have to shut down or
move their sites to offshore or foreign Internet hosts.
In some cases, the serial numbers of unsubscribed smartcards have been
blacklisted by providers, causing receivers to display error messages. A
"hashing" approach of writing arbitrary data to every available location on the
card and requiring that this data be present as part of the decryption algorithm
has also been tried as a way of leaving less available free space for
third-party code supplied by pirates.
Another approach has been to download malicious code to smartcards or
receivers; these programs are intended to detect tampered cards and
maliciously damage the cards or corrupt the contents of non-volatile memories
within the receiver. This particular Trojan horse attack is often used as an ECM
(electronic countermeasure) by providers, especially in North America where
cards and receivers are sold by the providers themselves and are easy targets
for insertion of backdoors in their computer firmware. The most famous ECM
incident was the Black Sunday attack launched against tampered DirecTV "H" cards
just before Super Bowl XXXV and intended to destroy the cards by overwriting a
non-erasable part of the cards' internal memory in order to lock the processor
into an endless loop.
The results of a provider resorting to the use of malicious code are usually
temporary at best, as knowledge of how to repair most damage tends to be
distributed rapidly by hobbyists through various Internet forums. There is also
a potential legal question involved (which has yet to be addressed) as the
equipment is normally the property not of the provider but of the end user.
Providers will often print on the smartcard itself that the card is the property
of the signal provider, but at least one legal precedent indicates that marking
"this is mine" on a card, putting it in a box with a receiver and then selling
it can legally mean "this is not mine anymore". Malicious damage to receiver
firmware puts providers on even shakier legal ground in the unlikely event that
the matter were ever to be heard by the judiciary.
The only solution which has shown any degree of long-term success against
tampered smartcards has been the use of digital renewable security; if the code
has been broken and the contents of the smartcard's programming widely posted
across the Internet, replacing every smartcard in every subscriber's receiver
with one of different, uncompromised design will effectively put an end to a
piracy problem. Providers tend to be slow to go this route due to cost (as many
have millions of legitimate subscribers, each of which must be sent a new card)
and due to concern that someone may eventually crack the code used in whatever
new replacement card is used, causing the process to begin anew.
Premiere in Germany has replaced all of its smartcards with the Nagravision
Aladin card; the US DirecTV system has replaced its three compromised card types
("F" had no encryption chip, "H" was vulnerable to being reprogrammed by pirates
and "HU" was vulnerable to a "glitch" which could be used to make it skip an
instruction). Both providers have been able to eliminate their problems with
signal piracy by replacing the compromised smartcards after all other approaches
had proved to provide at best limited results.
Dish Network and Bell ExpressVu had released new and more tamper-resistant
smart cards over the years, known as the ROM2, ROM3, ROM10, ROM11 series. All
these cards used the Nagravision 1 access system. Despite introducing newer and
newer security measures, older cards were typically still able to decrypt the
satellite signal after new cards were released (a lack of EEPROM space on the
ROM2 cards eventually led to them being unable to receive updates necessary to
view programming). In an effort to stop piracy, as by this point the Nagravision
1 system had been thoroughly reverse-engineered by resourceful hobbyists, an
incompatible Nagravision 2 encryption system was introduced along with a smart
card swap-out for existing customers. As more cards were swapped, channel groups
were slowly converted to the new encryption system, starting with pay-per-view
and HDTV channels, followed by the premium movie channels. This effort
culminated in a complete shutdown of the Nagravision 1 datastream for all major
channels in September, 2005. Despite these efforts to secure their programming,
a software hack was released in late August, 2005, allowing for the decryption
of the new Nagravision 2 channels with a DVB-S card and a PC. Just a few months
later, early revisions of the Nagravision 2 cards had themselves been
compromised.
One of the most severe sentences handed out for satellite TV piracy in the
United States was to a Canadian businessman, Martin Clement Mullen, widely known
for over a decade in the satellite industry as "Marty" Mullen.
Mullen was sentenced to seven years in prison with no parole and ordered to pay
DirecTV and smart card provider NDS Ltd. US$24 million in restitution. He pled
guilty in a Tampa, Florida court in September 2003 after being arrested when he
entered the United States using a British passport in the name "Martin Paul
Stewart".
Mr. Mullen had operated his satellite piracy business from Florida, the
Cayman Islands and from his home in London, Ontario, Canada. Testimony in the
Florida court showed that he had a network of over 100 sub-dealers working for
him and that during one six-week period, he cleared US$4.4 million in
cash from re-programming DirecTV smartcards that had been damaged in an
electronic countermeasure.
NDS Inc. Chief of Security John Norris is credited with pursuing Mullen for a
decade in three different countries. When Mullen originally fled the United
States to Canada in the mid-1990s, Norris launched an investigation that saw an
undercover operator (a former Canadian police officer named Don Best) become one
of Mullen's sub-dealers and his closest personal friend for over a year. In the
summer of 2003 when Mullen traveled under another identity to visit his
operations in Florida, US Federal authorities were waiting for him at the
airport after being tipped off by Canadian investigators working for NDS Inc.