Set-top boxes vulnerable to hacking

File image

File image

Published Mar 18, 2015

Share

Cape Town - Amendments to the government’s digital migration policy gazetted on Wednesday by Communications Minister Faith Muthambi have removed critical security functions from the set-top boxes (STBs) it will provide free to at least 5 million households, leaving them vulnerable to hackers and making it possible to use the boxes outside the country.

It also opens the door to a flood of cheap foreign-made STBs of inferior quality – a phenomenon that plagued Mauritius’s transition to digital broadcasting.

The Department of Communications has denied the system will be vulnerable.

Roy Kruger, a technical adviser to Muthambi’s predecessors Dina Pule and Yunus Carrim, said the choice of a multiplexer verification system (abbreviated as MUX-1) in the new policy, replacing the secure bootloader system provided for in previous versions, meant there was no protection against the downloading of malicious software.

Hackers would be able to do to private television sets what they did to computers connected to the internet – sending their own messages or spreading viruses to crash the system.

STBs will be required for all existing analogue TV sets – most of those owned by South Africans - when the country switches to a digital broadcasting system for terrestrial television in accordance with an international commitment.

The government has committed to providing 5 million free STBs to the poorest households and both ANC policy resolutions and earlier cabinet decisions insisted on a control system that would provide for encryption, a mass messaging system and localisation of the manufacturing process.

Kruger said these objectives had gone “out the window” with Muthambi’s amendments.

Among provisions inserted into the policy were that:

“The STB control system for the free-to-air DTT (digital terrestrial television) STBs shall -

(a) not have capabilities to encrypt broadcast signals for the subsidised STBs; and

(b) be used to protect government investment in subsidised STB market thus supporting the local electronic manufacturing sector.

5.1.2(C) Depending on the kind of broadcasting services broadcasters may want to provide to their customers, individual broadcasters may at their own cost make decisions regarding encryption of content.

Muthambi's spokesman, Ayanda Holo, said on Thursday morning that the minister had been clear there would be a security feature that prevented theft of the STBs.

"It would make no sense to include a security feature that was vulnerable to theft," he said.

But according to Kruger, the MUX-1 system would not support either localisation or protect the government’s investment.

It relies on a digital code in the STBs which must match the code in the broadcast signal for the box to work.

This would mean the government STBs would not be able to be used in other parts of the continent but, because there would always be a signal spillover in border areas, people in the south of Botswana, parts of Lesotho and Swaziland would be able to use the South African STBs to receive free-to-air channels using the system, creating a market for stolen STBs.

More significantly, it would be easy for hackers to work out the digital code of the MUX-1 system, allowing foreign manufacturers to flood the South African market with cheap imports.

In the experience of Mauritius, this resulted in thousands of viewers buying cheaper imported STBs, which either stopped working after a short period or which worked only intermittently.

The absence of conditional access, Kruger said, meant the key objective of moving to an e-government system in which viewers could receive messages in their home language would not be possible.

The idea had been to inform especially people in rural and poorer areas of government initiatives affecting them – such as youth employment programmes – but this would no longer be possible.

Political Bureau

Related Topics: