Concern over safety of set-top boxes

Published Mar 22, 2015

Johannesburg - Just how safe will the government’s R3 billion investment in free set-top boxes for poorer households be from hackers, theft and use on networks outside the country?

The question provoked a terse response from Communications Minister Faith Muthambi after DA spokeswoman on telecommunications Marian Shinn raised it in a newspaper opinion piece this week, following similar concerns expressed by experts in the field.

Muthambi suggested on Friday that Shinn should take time to read the documents before she “puts pen to paper and misleads the public”.

The concern arises from the amendments to the government’s digital migration policy that were gazetted by Muthambi on Wednesday – in particular, the deletion of lines 5.1.2.2 and 5.1.2.8.

The former specified that the government STBs would have “a control system that can be used to prevent STBs from being used outside the borders of South Africa and that can be used to disable the usage of stolen STBs”.

It has been replaced by a line that says “have a control system that can be used to prevent government-subsidised free-to-air DTT (digital terrestrial television) STBs from functioning in non-South African DTT networks”.

Elsewhere in the policy this system is revealed to be a multiplexer validation system.

But experts say that without the ability to disable stolen STBs, there will be nothing to prevent them from being taken across the border and used in areas where “signal spillover” allows reception of South African broadcast signals.

These areas include the south of Botswana and Zimbabwe and parts of Lesotho and Swaziland.

On top of this, the boxes would become hot property in South Africa as they could be stolen in large numbers and exchanged for cash.

Line 5.1.2.8, deleted from the policy, said the STBs should “enable access to a secure bootloader mechanism to ensure access to the STB control system by broadcasters on the DTT platform that choose to make use of the STB control system”.

The secure bootloader, experts say, would offer an additional layer of security and, most important, allow the verification code contained in the boxes to be changed whenever it was cracked.

Cracking the code would make it possible for hackers to install malicious software – viruses – on the STBs, and to bring unauthorised STBs into the country and install the code on them.

Broadcasting technical adviser Roy Kruger, who worked with two previous ministers on the policy, said MultiChoice, for example, was fending off piracy on a weekly basis by downloading security updates on to its decoders.

The government boxes would not be capable of this without a secure bootloader.

But Muthambi said on Friday the STBs would have a secure bootloader, as specified in paragraph 6.3.2.1 of SA National Standard 862 approved by the SABS for the specifications for subsidised STBs, which have been put to tender.

It begins: “The STB decoder operating system shall include a download function supporting the partial or total updating of any code stored in Flash (a ‘code update’).

“All downloads shall be subject to authentication by a double signature process, with downloads signed by both the manufacturer and the body responsible for the engineering channel on the DTT frequency network.”

Free-to-air broadcasters would now have to decide what control system to use, but their options would be “extremely limited” by Muthambi’s choice of the multiplexer validation system.

Kruger said that without the ability to implement secure over-the-air updates, the only way to change the security code once it was hacked would be for each box to be manually updated by technicians – an almost impossible task given that five million are to be distributed across the country.

The picture was complicated by the fact that more than one manufacturer would be awarded contracts to make the boxes.

“Each guy designs these things differently and he writes the code in a different manner, for example for the user interface,” Kruger said.

“For him to download his specific software, he has to have a specific code and that code must be authenticated. It can happen only with an external controller.

“They put it into what they call a cassette and that goes and checks the code and says it’s fine and then it downloads it across the network.”

The feature specified in the SANS 862 standard was a security feature, but not a secure bootloader.

The difference in price between boxes with a full security function and the cheaper version specified by Muthambi’s amendments would be $2 (about R24) each, Kruger said.

Shinn said that the feature described in SANS 862 referred only to downloads to the operating system. “Without a secure bootloader hackers could force a reference, or modified reference, operating system for the chipset directly on to the decoder,” she said.

“Conditional access systems – which offer encryption, messaging and access control – insist on providing their bootloader and never allow an STB manufacturer to supply it themselves.”

Political Bureau
