Intel's HDCP DRM Scheme Defeated by a Single Sub-$300 FPGA
November 28, 2011 10:25 AM
comment(s) - last by
Researchers say pirates will likely use easier routes to crack the scheme, but that espionage risk is possible
Intel Corp. (
) has enjoyed a profitable ride off its
High-bandwidth Digital Content Protection (HDCP) hardware
, which sits inside nearly every TV/computer monitor with HDMI or DVI input. The HDMI/DVI chips with HDCP functionality open a secure encrypted channel from a source (e.g. a Blu-ray player) to a computer monitor or TV.
I. Defeating HDCP Was Easy
other content protection schemes were defeated
, HDCP hung strong. But in 2010, the
master key leaked for HDCP
giving the world the first hope of cracking the scheme. But Intel reassured its partners that they had nothing to worry about -- they laughed that unless would-be hardware hackers "made a computer chip" the scheme would be safe.
The only thing they forgot about was the growing amount of cheap reprogrammable chips known as field programmable gate arrays (FPGAs), which allow you to quickly make and test chip designs in software.
Using an ATLYS board manufactured by a company named Digilent, researchers at the
(RUB) -- a college in the town of Bochum, located roughly 2 hr. and 15 min. northwest of Frankfurt -- were able to carry out a-man-in-the-middle attack, with the FPGA posing as a legitimate interface chip and going undetected.
Prof. Dr.-Ing. Tim Güneysu, the principal investigator and senior author of the work
[press release], "We developed an independent hardware solution instead, based on a cheap FPGA board. We were able to tap the HDCP encrypted data streams, decipher them and send the digital content to an unprotected screen via a corresponding HDMI 1.3-compatible receiver."
The ATLYS board cost only 200€ (~$267). The board comes with a Xilinx, Inc. (
) Spartan-6 series FPGA, DRAM, HDMI interfaces, and a serial RS232 port. Most of the work on the project was carried out by final-year student Benno Lomb.
The little board that slew HDCP 1.x. [Image Source: RUB]
Dr.-Ing. Güneysu summarizes Intel's claims of invulnerability as foolish arrogance. He states, "[O]ur intention was to fundamentally investigate the safety of the HDCP system and to financially assess the actual cost for the complete knockout. The fact that we have achieved our goal in a degree thesis and with material costs of approximately 200 Euro definitely does not speak for the safety of the current HDCP system."
II. The Current Dangers -- Piracy, Not so Much, Espionage Maybe.
The work will be presented at the international security conference
in Cancun, Mexico, which is being held between Nov. 30 (Wed.) and Dec. 2 (Fri.).
It is unknown whether the team will publish their FPGA code, which could allow pirates and hardware hackers to buy FPGAs and defeat the protection. However, they insist that their goal was not to promote piracy. They say there's other far simpler ways of defeating HDCP available to pirates.
In October 2008 Intel
HDCP 2.0, which provides additional protection against this kind of attack. The hardware is currently on HDCP 2.1. But legacy systems abound and remain vulnerable to the HDCP 1.x capable attacks. The researchers say this could pose a security threat to the military or government agencies.
This article is over a month old, voting and posting comments is disabled
RE: So the board....
11/28/2011 4:10:46 PM
Like I mentioned earlier, the board does absolutely nothing in its base form. FPGA development boards come with a slew of chips attached to them so that you might use a board to prototype any number of different kinds of machines.
There is no processor and the board is not a computer of any kind. The Ethernet PHY doesn't enable networking, the RS-232 interface doesn't enable serial communication, the USB port doesn't let you use a USB device with it (or use itself as a USB device), and the AC97 codec doesn't generate audio.
Nothing at all happens until you design a state machine that interacts with those various chips in ways which make them do something. This is done purely by toggling signal pins high and low in patterns that cause the chip on the other end to respond in a predictable way. These state machines are written in HDLs (hardware descriptive languages) like Verilog and VHDL, not software programming languages. The syntax is similar in a lot of ways, but the fundamentals about what you're actually doing with the code are very different.
FPGAs are like an ASIC made out of Playdoh. They don't execute instructions when you program them. What you do instead is program them with a logical electrical model which is loaded into the device's cells. These cells contain inputs, outputs, and a LUT. The cells can be made to change their outputs depending on what the inputs are. When you stick a bunch of those together, you create a digital logic system--a state machine. You could create a CPU that executes instructions inside the FPGA itself, but the FPGA is not itself analogous to a computer.
On a side note, the FPGA itself is about a $50 chip when purchased in quantities of 1. The rest of the cost goes to whatever else is on the board and profit for Digilent. It's worth noting that you could make your own board without the stuff you don't need for about $20.
RE: So the board....
11/28/2011 10:54:41 PM
Some of those "state machines" ARE micro-processors. At least one real computer has been released using an FPGA as a 'programmable' CPU allowing programs to be run on multiple chip architectures that can be soft-loaded.
Known as the C-1, the machine was designed as a hardware emulation of the C-64 and can load other state machines also.
The DTV uses an ASIC (factory programmed gate array) in a similar manner. It would be possible to substitute an FPGA for the ASIC in the DTV design.
A research machine made for the military used 1 FPGA to do image processing that required multiple custom chips. The design reprogrammed the FPGA between processing stages ... FPGA based computers are very versatile :)
In this case the FPGA was loaded with a state machine that emulates a licensed HDMI 1.x connection. The next step will be to design a state machine that emulates a licensed HDMI 2.x connection and publish the code. When that is done, HDMI will no longer be a secure connection :)
This article does not say a CPU is included in the emulation, but if one is required an FPGA can be a CPU.
RE: So the board....
11/29/2011 10:19:54 AM
I did mention that you could do that in the post you replied to. heh
It's even something most FPGA manufacturers will throw at you for free that you're welcome to load into projects and use (*Blaze from Xilinx, Nios from Altera, etc). I've created them (CPUs, entire computers) from scratch myself in my own projects using Xilinx FPGA products, actually. I'm definitely aware of it.
"Paying an extra $500 for a computer in this environment -- same piece of hardware -- paying $500 more to get a logo on it? I think that's a more challenging proposition for the average person than it used to be." -- Steve Ballmer
High-Def. DRM Master Key Crack Confirmed by Intel
September 17, 2010, 11:48 AM
AnyDVD HD Defeats HD DVD Copy Protection
February 19, 2007, 11:37 AM
First Real HDCP NVIDIA Cards
June 7, 2006, 3:32 PM
Windows 10 on Raspberry Pi, IoT Devices Sees Developer Debut
August 12, 2015, 2:41 PM
Sony Issues Bizzare "Do Not Update" Edict to VAIO PC Owners
August 11, 2015, 9:42 PM
Report: Over 25 Million Devices Upgraded to Windows 10... or Was It 67 Million?
August 7, 2015, 3:24 PM
EA Set to Milk the Star Wars Cash Cow w/ Video Games
July 31, 2015, 12:36 PM
Windows 10 to Get New Features in October Service Release 2 (SR2)
July 30, 2015, 5:50 PM
Nintendo CEO Satoru Iwata's Passing Gives the Internet the Feels
July 14, 2015, 4:48 PM
Most Popular Articles
Worth the Wait? Microsoft Teases at Windows 10 Flagship Phones to Air Oct. 6
September 15, 2015, 5:13 PM
Breaking Bad: How to Crash Google's Chrome Browser With Just 8 Characters
September 23, 2015, 11:08 AM
Apple's First Fixes to iOS 9 Land w/ iOS 9.0.1 Release
September 23, 2015, 6:11 PM
Grading Apple's iPhone 6S, a Frustrating Object of Beauty
September 10, 2015, 1:08 PM
Fakebook Pt. I: From "The Chive" to "AskMen"; How Facebook's Phonies are Born and Used
September 15, 2015, 4:00 AM
Latest Blog Posts
Sceptre Airs 27", 120 Hz. 1080p Monitor/HDTV w/ 5 ms Response Time for $220
Dec 3, 2014, 10:32 PM
Costco Gives Employees Thanksgiving Off; Wal-Mart Leads "Black Thursday" Charge
Oct 29, 2014, 9:57 PM
"Bear Selfies" Fad Could Turn Deadly, Warn Nevada Wildlife Officials
Oct 28, 2014, 12:00 PM
The Surface Mini That Was Never Released Gets "Hands On" Treatment
Sep 26, 2014, 8:22 AM
ISIS Imposes Ban on Teaching Evolution in Iraq
Sep 17, 2014, 5:22 PM
More Blog Posts
Copyright 2015 DailyTech LLC. -
Terms, Conditions & Privacy Information