Smart TV Hack via the Broadcast Signal

This is impressive:

The proof-of-concept exploit uses a low-cost transmitter to embed malicious commands into a rogue TV signal. That signal is then broadcast to nearby devices. It worked against two fully updated TV models made by Samsung. By exploiting two known security flaws in the Web browsers running in the background, the attack was able to gain highly privileged root access to the TVs. By revising the attack to target similar browser bugs found in other sets, the technique would likely work on a much wider range of TVs.

Posted on April 20, 2017 at 7:41 AM • 54 Comments

Comments

Peter A. • April 20, 2017 8:20 AM

Darn. I have purposely NOT connected my "smart" TV to (W)LAN. But DVB-x is also a data network...

Why have I bought a "smart" TV? Because I could not buy a dumb one with all the audio/video inputs I need.

My only hope now lies in the fact that I get my TV signal from a cable company and not from the air - so it would be a little more difficult to spoof. And it's a model without a camera and microphone, so even if it gets hacked there's little harm to do.

My Info • April 20, 2017 8:55 AM

In my former religious community, we never watched TV. It was considered a sin. I do not have any particular interest in taking up the habit.


  • All the trash, junk, and smut, raucous canned laughter at filthy jokes, and so on and so forth, would be an unwelcome intrusion in my home, not to mention the offense to small children.
  • It is a very unhealthy habit and way of life of laziness, obesity, diabetes, high cholesterol, and so on and so forth.
  • The old Finns say that these modern televisions, when left plugged in, even in a "turned-off" state, can be remotely caused to catch fire and burn one's house down by these vulnerabilities.

My Info • April 20, 2017 9:02 AM

I am not joking about the third point. Finnish insurers refuse to insure a home against fire if a television is left plugged in when it is not in actual use.

Clive Robinson • April 20, 2017 9:09 AM

Although this attack is new, people might wonder what else would be controlled by others...

There is a Digital Video Recorder built into a set top box that people used to use. Called TiVo, it suffered from the problem that due to DRM etc you did not own the functioning of the box. This came as a bit of a rude shock to users to find that the BBC had paid TiVo to force the recording of a fairly cr4p comedy show...

The thing is that the designers of such products regard the "air side" to be in effect secure, so they don't add security to the control channels, they go for obscurity at best...

Thus I would expect a lot more of this sort of SNAFU in future. Along with the complete loss of ownership of anything with a DRM / Computer chip in it.

But it's nothing new, a couple of decades ago, this was funny,

http://dilbert.com/strip/1995-12-29

Dragan • April 20, 2017 9:31 AM

Overpowering normal transmission locally on established frequencies?
Could DTV computer sticks be exploited to hack a computer?

Who? • April 20, 2017 9:34 AM

@ My Info

Finnish law requires fire extinguishers in ice hotels too.

I have a small ("non smart") TV—I use it as a computer display connected to a Raspberry Pi. I do not think watching TV is a sin, but TV is so bad... I certainly prefer radio, and only listen to it one or two times a week.

Matteo • April 20, 2017 9:43 AM

@My Info
you don't have to listen to everything the insurance company says:
my extra years warranty for notebook explicitly said that it doesn't cover:
-modifications of atoms (whatever it means)
-wars/revolutions
-atomic explosions
and some strange other things
i don't think it is possible to do that even if you have full control.

i saw this "attack" years ago when i brought my samsung tv to the repair office because due to a bug it lost all channels when you turn it off (if they were more than about 200, if total channels are less than 200 no problem).
i read the manual and used usb flash to update the firmware (downloaded from internet) without success.
so i asked to repair office (it was in warranty)
they said that i updated tv firmware but not digital receiver firmware (because it wasn't possible by usb) so they plugged a cable in the antenna and did that.
i think that it was a signal simulator that broadcasted the update.
they also said to me that the update was being broadcasted month before i bought the tv but after some time they stopped.

k15 • April 20, 2017 9:44 AM

Bruce, how is that government security organization coming along?
Barring that, what organization should have UL style security ratings that would have prevented it?

Also (but off topic): how would you redesign account security monitoring, of all kinds of accounts, to make it more effective? Who is working on a simple robust (or at least, optimal) set of practices, something like the ACID test for databases?

vas pup • April 20, 2017 9:48 AM

@all
I have a question: auto industry used to mass recall faulty cars with security problem. If Samsung or other manufacturers have to do the same?

keiner • April 20, 2017 10:52 AM

@vas pup

If hard- and (!) software industry would have to keep the same product liability standards as e.g. car or household electronics makers, Microsoft, Google and many others would be the next cashcow for mass tort trial lawyers.

Question is: Would Linux (and the rest of the opensource stuff) survive that?

AJWM • April 20, 2017 11:13 AM

@keiner

Question is: Would Linux (and the rest of the opensource stuff) survive that?

Most open source licenses explicitly disclaim any suitability for purpose, they're just giving you a bunch of (sourcecode) bits. If somebody is selling a product which happens to include something made (compiled) from those bits, then any product liability is on them.

Microsoft and others can't make the same claim because the bits you get from them are not in human-readable form. Plus, they're charging you money for them.

Who? • April 20, 2017 12:27 PM

@ Matteo

My non-smart TV (a "Polaroid" one) got a few updates this way. One of these updates fixed an audio bug that was distorting audio after a few minutes listening to a source (it was required turning on the TV by night, as these updates arrived at 3 A.M.). Think on the TV firmware as the "BIOS" and on the digital receiver firmware as the "embedded controller." Both are required, and both must be synchronized to get a working device but they arrive through different channels (as Peter A. said on the first post, DVB-x is also a data network).

Who? • April 20, 2017 12:35 PM

Another issue is that, after receiving that update, an automatic update mechanism was enabled on the TV. First week was a nightmare, as the non-smart TV became a truly st*pid TV that turned on automatically at 3 A.M. each night while waiting for more updates being broadcast by the manufacturer.

Now I see it continues waiting for updates even when turned off (front LED in red, but powered yet) because it is easy to hear a change in the internal PSU capacitors noise.

U • April 20, 2017 12:38 PM

Awesome security hole. Kudos to the folks who found it!

But for me...

The cable company wanted way too much money per month for cable TV. Plus it was a few hundred channels of really bad programming, reality TV and much much worse... Eventually I figured out that I could buy a new DVD every day of the month for less than what I was paying the cable company...

Then there's over the air broadcasts... Thanks to the digital conversion, all I see now is "Signal Not Found", which is somewhat worse than the previous analog ghosting images.

So, until they get this nastiness on Netflix, I'm pretty safe... The TV only really gets used for video games anymore... Or Chromecast...

keiner • April 20, 2017 12:40 PM

@AJWM

I think this paid/unpaid difference won't take you very far in practice. If trashy IOT device makers are in the focus of the big predator law companies, the focus will be pretty soon also on opensource software makers.

Who? • April 20, 2017 12:46 PM

@ keiner, AJWM

In the FOSS model we do not want to be liable —it is a good thing, as we do our work as a gift to the world. Our support is usually much better than the one provided by private corporations (not to say our code is here so it can be audited!).

However, now we are talking about private corporations. Look at this part of the Microsoft License Agreement as found in https://support.microsoft.com/en-us/help/13752/windows-security-essentials-eula:

12. DISCLAIMER OF WARRANTY. The software is licensed “as-is.” You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement. FOR AUSTRALIA ONLY: You have statutory guarantees under the Australian Consumer Law and nothing in these terms is intended to affect those rights.

Well it seems that they are "a bit" liable:

LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its suppliers only direct damages up to U.S. $5.00. You can't recover any other damages, including consequential, lost profits, special, indirect or incidental damages. This limitation applies to
  • anything related to the software, services, content (including code) on third party Internet sites, or third party programs; and
  • claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Jason • April 20, 2017 12:48 PM

My Samsung TVs update themselves regularly. I wonder how long it will take for this to be addressed.

Elliot • April 20, 2017 12:53 PM

Now if everyone's TVs can be bricked by this, it would be a true public service.

keiner • April 20, 2017 1:03 PM

@Who

To me the big question is FOR YEARS NOW: Why do Microsoft or Adobe get away with this kind of trash? Trash as both in their software as well as in their EULAs----

JasonR • April 20, 2017 1:08 PM

With all the devices you want to use "smart" these days, I see no reason to connect the TV to the [W]LAN (plus the interfaces on those "smart" TVs really stink). If you really want to put on the tinfoil, use an HDMI isolator to make the communication from the media devices to the TV one-way. We use these devices in high-security environments as we cannot permanently disable the wireless in the TVs, but at least we can stop them from being an attack vector to gain access.

JasonR • April 20, 2017 1:12 PM

@My Info: We don't do it for fire purposes, but to save electricity: We have all of our media devices (except the DVR) on a single power strip. When we are done watching TV, the power strip is turned off. 3 gaming consoles, bluray player, and TV are real power vampires.

albert • April 20, 2017 1:45 PM

@keiner, etc.

"...To me the big question is FOR YEARS NOW: Why do Microsoft or Adobe get away with this kind of trash? Trash as both in their software as well as in their EULAs----..."

A. Because they have de facto monopolies in their respective fields. Microsoft has -always- excluded themselves from -any- sort of liability. They set the standard for making shit software and taking no responsibility for it. MS and Adobe are no different than any other large multi-nationals. They fight tooth-and-claw anyone who rails against the 'quality' of their products, and need to be dragged, kicking and screaming, to be held to any sort of regulation.

Suddenly, computer security has overshadowed computer operating systems bugs (except as they relate to security; not all do)

-Someone- will need to decide what will be done about security issues, and the sooner, the better.

Before the whole house of cards comes tumbling down; then it will be too late.

Over reliance on technology is a fool's game.

It'll be 'interesting' to see how this plays out. I sincerely hope that no one gets seriously harmed when it happens, karma notwithstanding.

. .. . .. --- ....

Clive Robinson • April 20, 2017 2:01 PM

@ Keiner,

Why do Microsoft or Adobe get away with this kind of trash?

Because, you are not "purchasing" but "leasing" the software...

vas pup • April 20, 2017 2:10 PM

@Clive Robinson • April 20, 2017 2:01 PM
OMG! (Bleeping)corporate lawyers found loophole to deny you any chance at all!

albert • April 20, 2017 2:12 PM

@WWIII,
Notwithstanding the content, you couldn't wait for Friday Squid?
@Moderator?

@Clive,

Leasing doesn't absolve the lessor. Are you implying that MS is a de facto lessor? That was always a goal.

. .. . .. --- ....

keiner • April 20, 2017 2:25 PM

I still don't see why software companies are not liable for their products. You CAN'T exclude any liability by simply making customers mouse-clicking away a EULA nonsense page. Otherwise car makers would do the same with their products. But they can't!

What is so special about software to make it the only product in the world nobody is responsible for regarding functionality and product failure (attack surfaces in the size of a barn door)

Clive Robinson • April 20, 2017 2:37 PM

@ Albert,

Are you implying that MS is a de facto lessor?

It depends on the actual legal definition in your jurisdiction, but yes that's what they are doing with the EULA if you read through what your rights are you will find that you don't own the software, and MS can order you to cease using it at any point in time. The only way they can do that is by leasing or renting it to you. As some jurisdictions decided it was not leasing they went down the Office365 route where you rent, with even less rights.

Oh and check the status of the files generated, whilst the copyright of the contents might be yours, the files are not as Microsoft in effect owns the format thus when they tell you to stop using the software you lose the right to use the file...

Clive Robinson • April 20, 2017 2:59 PM

@ Keiner,

What is so special about software to make it the only product in the world nobody is responsible for regarding functionality and product failure

It's not the only product that nobody is responsible for... Try looking in the front of books that have IP that can be applied to products or services.

You might own the book but it does not give you the right to use the information within to develop a product from it, and if you do there is absolutely no warranty express or implied.

autuMN • April 20, 2017 5:48 PM

@Peter A. "My only hope now lies in the fact that I get my TV signal from a cable company and not from the air - so it would be a little more difficult to spoof."

Or easier? DOCSIS nodes generally have hundreds of homes, which means there are several hundred internet-connected transmitters attached to your coaxial cable. Rarely analyzed, strong monocultural tendencies, and, bonus: ISPs can push firmware updates even when they don't own the modems. I have no idea how a modem knows whether it's really from the ISP but I don't remember any key exchange with the ISP before activation.

Even viewing cable TV requires two-way coax traffic these days. Nobody's proven a smart TV can transmit a wireless TV signal, but we know for a fact every cable subscriber can transmit into that network.

information that can result in harm when reader thinks they understand • April 20, 2017 6:55 PM

adding to Clive's comment on disclaimers :

Most sources of information, e.g. recipes, tax explanations, legal explanations, safety guidelines, security information etc carry a risk whereby the writer cannot guarantee the impact, meaning, understanding, nor the environment of the readers and therefore need to protect from litigious sorts when harm ensues from either defective information or defective understanding by the reader or plain bad luck due to language biases or language ambiguities.

software, computers, blog posts and any tools out there inherently carry those risks

Gweihir • April 20, 2017 8:07 PM

TV is obsolete IMO. The "great altar of passive entertainment" has lost its appeal to me more than a decade ago. The few series I watch are available from other sources and would be dubbed horribly here anyways.

So yes, this is cool demonstration of something already expected by any real expert, but I do not think it matters much.

keiner • April 21, 2017 2:01 AM

McDonalds is responsible if I buy a hot coffee and burn myself with it.

Pharma is responsible if doctors don't follow the label of the drug and harm patients.

Car makers are responsible when they use faulty parts and harm users of their products.

WHY should this be different with Microsoft or Adobe or Samsung selling products which have security holes like Swiss cheese? NO disclaimer in the whole world can keep me from being responsible for my product. End of story!

Clive Robinson • April 21, 2017 3:59 AM

@ keiner,

NO disclaimer in the whole world can keep me from being responsible for my product. End of story!

No it's not the end of the story.

The law is about restitution for harms caused by others be it criminal or civil sanctions.

For most of the history of legislation it has been about assessing the harms, as evidenced by damage to physical objects or by degenerate or immoral behaviours.

The idea of Intellectual Property protection in modern law first started in England back before 1331 by royal "letters of patent". By Elizabeth the First's reign the process was more formal. However she famously rejected a patent application for a machine to knit stockings allegedly because it did not work with silk[1]. However the requirement to disclose or publish the idea for all to see, to get the legal protection was a Venetian idea from around 1450. And arguably it was this that made litigation for harms possible, and the ideas of primary and secondary patents.

However in Europe and most other parts of the world you could only patent physical designs and processes not intangible information (which was protected by copyright and trade mark legislation). The US however decided to be different which still causes significant problems to this day.

But in general the idea that ideas "belong to all" still holds, thus the notion of liability for an idea's use belongs to the user of the idea not the originator of the idea.

The idea of software is arguably less than a hundred years old (ie Church/Turing not Babbage). The notion of atomization by electrical devices such as motor driven actuators is also of a similar age. It was not until the 1960's that "ladder logic" started to be replaced by Turing machines, but its general acceptance in "industrial control" was as late as the 1980's. Thus the idea of harm by computer is in legal terms very modern being less than fifty years old.

The likes of Adobe, Google, Microsoft, Oracle etc do not want the idea of "software liability" to happen by either direct legislation or case law, and spend a great deal of money to prevent that happening. Thus much of the EULAs is "tap dancing around" product liability and fitness of merchantability legislation. Part of this is trying to force such action into the US court system, where deep pockets can outspend lesser resources, and keep things out of civil court more or less permanently thus stopping case law. Then being real chummy with the US legislature on both sides and "spreading the love with a free hand" via lobbyists and other backhanders keeps detrimental legislation being formed.

If you want that to change then you need to become a serious activist in the EU legislature to stop the same US corrupt practices taking hold.

[1] The reverend William Lee (1563 – 1614) was an English inventor who devised the first stocking frame knitting machine. He was refused a patent in 1589 by Tudor Queen Elizabeth the First, allegedly as the stockings were of course wool and not as fine as silk stockings from Spain. However the reality was because she could see the likely result on the workers that hand knitted stockings. He built an improved machine that increased the number of needles and by 1598 he could knit silk, however James the First likewise refused to grant a patent.

response to Peter A • April 21, 2017 4:52 AM

@Peter A.

You say your TV doesn't have any microphone, but don't forget that any component able to make sound can be used in reverse just like you can plug your headphone in the mic port and it (sort of) works. I have no idea how to protect against that though.

Tony Pelliccio • April 21, 2017 7:21 AM

When smart TVs first came out my first thought was I wonder if they'll accept attacks over the air. It's why I've kept my dumb TV running. All it takes is replacing capacitors every few years.

keiner • April 21, 2017 7:26 AM

@Clive

"If you want that to change then you need to become a serious activist in the EU legislature to stop the same US corrupt practices taking hold. "

Guess too late. Microsoft bought the EU as well. Last proof: They moved their headquarters to Munich, suddenly Munich stopped its famous LiMux opensource initiative for the city administration.

So: Fu**ed. Big money buys all our politicians.

Clive Robinson • April 21, 2017 7:46 AM

@ keiner,

So: Fu**ed. Big money buys all our politicians.

To borrow an American euphemism,

    "If when you slap it down on the table you have a larger measure you win..."

It should not work that way but unfortunately it does. The problem with hierarchies like political structures the closer you are to the top the larger the bribes you can command if so tempted. Most politicos and senior civil servants these days go for the "nest feather" where they do the deed in return for a 20,000USD / hour speaking engagement or when they retire a 5hours a year directorship on the "ethics committee" or "salary and remuneration board".

keiner • April 21, 2017 9:09 AM

...and the only way to keep the world-wide kleptocracy up and running is to make a sufficient number of voters profit from the system. Otherwise you end with Trump, Putin, Erdogan, Le Pen etc. as the "avengers" for the "losers"...

It's a pain.

autuMN • April 21, 2017 12:14 PM

"You say your TV doesn't have any microphone, but don't forget that any component able to make sound can be used in reverse just like you can plug your headphone in the mic port and it (sort of) works. I have no idea how to protect against that though."

Open up the TV and detach the speakers. Of course you'll want to attach new speakers and make sure the TV can't use them as microphones. Connect to an external amplifier using the Toslink port, if available: that's a one-way connection for sure. Electrical connections to an amplifier are probably safe. These assume the amplifier isn't also "smart".

Anon Y. Mouse • April 21, 2017 12:32 PM

"McDonalds is responsible if I buy a hot coffee and burn myself with it."

No it isn't. That oft-cited case is widely misunderstood and in fact does not support your argument.

Microsoft does not lease its software. Nor does it sell it.

If you use something like Office365, you are paying for a service.

If you purchase, say, Microsoft Windows or Office, either standalone or bundled with a computer, you are not leasing the software. There are no ongoing payments at regular intervals. You are buying a *license* to use the software, paying a one-time fee. This is part of the reason why the comparison of software to physical goods like automobiles or coffee breaks down. What that argument also fails to recognize is that all liability exists within a legal framework. In the U.S. for example, firearms manufacturers are specifically exempted from liability for shooting deaths caused by their products.

Even assuming deep enough pockets to sue a big company for alleged damage because of flaws in their software, part of their defense would undoubtedly be to cast doubt on whether the plaintiff followed "best computing practices:" regular & timely application of all patches and updates, using recommended anti-virus s/w etc., and most importantly, having an effective procedure for file backups. Anyone who correctly does the usual risk mitigation is also unlikely to suffer catastrophic damages from software failure.

albert • April 21, 2017 6:02 PM

@Clive, keiner, etc.

In the US, a EULA, or TOS is considered a legal contract. One unlucky fellow lost copyrights to his own work, because he failed to note the TOS of the website that said contributions would be copyrighted by the website. Another copied public domain material from a website and republished it in an easy-to-search format. He didn't notice that the website had copyrighted the format, so he had to withdraw the material. (He could have gone to the original sources, but that would have been more difficult).

It's a PITA, but READ THE TOS!

. .. . .. --- ....

Clive Robinson • April 21, 2017 6:32 PM

@ Albert,

In the US, a EULA, or TOS is considered a legal contract

It's actually worse than that. In meatspace breaching a contract may result in civil action and thus financial restitution. In cyberspace however breaching a TOS is actually a criminal offense due to the overly broad scope of computer misuse legislation, thus not just fines but almost unlimited jail time, even though you've committed no identifiable harm...

Sancho_P • April 21, 2017 6:46 PM

Re responsibility / liability
(btw. no contract is valid if against the law)

(IANAL!)
Whatever you produce or sell, your liability basically corresponds to what you claim it to be.
In the tangible domain (product) it’s easy:
Be it a candle, a transportable gas container, a boiler safety system, body paint, a car or a railway equipment. There are laws, technical norms / guidelines / best practice as a minimal standard to fulfill to avoid gross negligence.

In the intangible world (service, SW) it’s somewhat obscure:
A body guard, personal trainer, an OS or a word processor, it may be hard to find the laws and the border to gross negligence.
What does a word processor do, or did you sell it as “secure word processor”?
How much are you liable if in a very special environment, in very rare cases, only by chance, one menu option isn’t available, or the saved document is different from the written text by 1 bit (by chance sending the wrong poor chap to jail)?

albert • April 22, 2017 11:48 AM

@Clive,
"...In cyberspace however breaching a TOS is actually a criminal offense ......"

No, hacking is already covered by law. It's not necessary to state that in a TOS, and might even be a problem if you misstate something.

Those cases involved copyrights and normal use of a website, which are civil offenses....so far:) I think it should be quite clear to most that hacking a website for any reason is a criminal offense. See the Aaron Swartz case. IIRC, the material he downloaded was available for free; the 'crime' was the bulk download. (Remarkable was the mass resignation of the JSTOR Board)

. .. . .. --- ....

Tatütata • April 22, 2017 1:40 PM

I'm slightly shocked by these news of an OTA vulnerability, although, upon reflection, not altogether surprised.

I then remembered a funny 1978 short film by National Film Board of Canada called the "Bronswik Affair". In short: boob tube commandeers watchers' brains and make them do stoopid things. So the logical next step would be logically to find vulnerabilities in our open-source DNA...

I was quite young at the time, and was very much taken in by the serious tone of the commentary. The French original version I was acquainted with is quite different from the English one linked above, it almost seems like a different film.

Clive Robinson • April 22, 2017 2:47 PM

@ Albert,

The problem is the Computer Fraud and Abuse Act (CFAA), it is overly generalised, and under it a Terms of Service is the basis of the authorisation to access a computer.

The fun starts based on "knowing" or agreeing to the TOS and the act of removing information.

In theory you can write a TOS such that using the service, even if just to look at the TOS and nothing else can be in breach of the TOS therefore under the CFAA you have committed a crime.

It's the same as if your Terms of Employment say that you must work within the IT Policy which is not made available with your TOE. If your boss requires you to have a LinkedIn account for "professional use" but the ITP says "no personal use" and you include a single item of personal information into the LinkedIn information "from work" then under the CFAA you are guilty of a crime not a breach of contract that your TOE actually is.

albert • April 23, 2017 5:45 PM

@Clive,

A contract cannot force one to do something illegal, nor can it sanction an illegal act. Most websites have a copyright notice somewhere:

(c)2017, XYZ Co., All Rights Reserved.
(c)2017, XYZ Co., All Rights Reserved, except.......

IANAL, but the website, if published, may already be copyrighted. Only specific permissions granted may be allowed. Even CC licenses have restrictions.

So be careful with copyrights.

"...In theory you can write a TOS such that using the service, even if just to look at the TOS and nothing else can be in breach of the TOS therefore under the CFAA you have committed a crime..."

AFAIK, this has never happened. It's unlikely that a court would find someone guilty of reading a TOS, in order to agree to follow it. CFAA latitude works both ways.

. .. . .. --- ....

Rachel • April 23, 2017 7:22 PM

@ Albert, @ Clive

' A contract cannot force one to do something illegal, nor can it sanction an illegal act.
... It's unlikely that a court would find someone guilty of reading a TOS '

I'm not saying Clive is wrong. Don't do that. That sort of assertion has consequences, including spontaneously bricking all one's hardware and software, and that of your offspring, in all locations, including ones you haven't purchased yet. Apparently it has something to do with Clive being related to Chuck Norris.

But I can offer, at least in the commonwealth countries, and I suppose in the US, there are laws against self incrimination of any kind that are extremely solid. [ and, I now await a ton of (factually correct) responses shooting this down in flames ]

Further, there's what's known as prima facie evidence, which basically means 'on the face of it'. Which can be considered an attempt to maintain a reasonable and literal assessment of a situation. Occam's razor.
The guy was sitting in the car, holding car keys. It is safe to consider he was about to drive, or had just finished driving. One could not reasonably argue he was in fact NOT driving but in fact about to perform a tracheotomy on himself using the keys, because of the superior hygiene of a driver's seat.

A TOS claiming you had committed an illegal act by just reading it is going to encounter a seriously strong defence. In fact such a case may be welcomed as, after being laughed out of the court room, it would establish a precedent that may give Silicon Valley pause for reflection.
My cousin once had a catering job trackside of a formula one racing car event, serving drinks to VIPs etc.
As it was considered a dangerous environment, with potential crashes, all the staff were required to sign a waiver and keep it on the person at all times.
So the family couldn't sue after a death. It was required for employment but it was widely understood it wouldn't hold up in court. Aside from being somewhat offensive.

on the other hand, I am reminded of the FDA declaring cannabis was breaching intellectual property, because the plant contained a compound that was found in a newly approved cannabis-related pharmaceutical.

Clive Robinson • April 24, 2017 5:28 AM

@ Albert,

A contract cannot force one to do something illegal, nor can it sanction an illegal act.

Whilst true, it is NOT the issue under consideration here.

A contract can and often does contain limitations, that restrict the activities of one or both parties quite legally and bindingly.

Under normal circumstances if a party breached one of those restrictive terms the options open to the other party were to pursue remediation by civil action. This happens regularly enough not to draw much comment when it does happen.

The problem in this case is as I noted above, that the Computer Fraud and Abuse Act (CFAA), is overly generalised or too broad of scope. Thus under it the contract that is the Terms of Service forms the basis of the "authorisation" to access a computer. The CFAA makes such unauthorised access to a system a criminal act.

Thus a limitation such as usage of a service that would not cause comment in other domains of business and would have only civil action remediation, has through the CFAA become a matter of criminal prosecution...

The same issue arises under UK law due to the legislation (1990 Computer Misuse Act) brought in after the Crown -v- Schifreen and Gold, that was used to try and cover up significant security failings by the UK's British Telecom. This week marks the 32nd anniversary of their arrest and long series of trials.

The reason I remember it so well was not only was I very much involved with it but that BT had tried a similar trick on me in Sept/Oct 1983 a while before their arrest. Thus the only reason it was not my name in the court papers, was "my gut feeling" and luck.

Though others now say it was timing as well. I was quite sensitive about it as I'd written a piece to a Micronet 800 closed user group from Len Stewart's front room very shortly after the hacking of BT Gold had become known to around 20 million viewers of the BBC Micro live program one Sunday. When the head of Acorn Computers Hermann Hauser's --now KBE, FRS, FREng, FInstP, CPhys-- BT Gold account ACN001 was logged into and "The Hackers Song" from Oz and Yug scrolled up the screen, and reputedly made "The Big Red Mac" even redder than he normally was. The account had had the password changed to something short and simple so that the demonstration would go well on television...

However at that time BT was being denationalised and UK Prime Minister Margaret Thatcher was very keen that all should go well as she had big plans for the cash windfall that was expected. So BT senior management took out very expensive full page advertorials in the "important newspapers" in which there were some glaring factual inaccuracies. Which was what I wrote up to inform people in my article in the closed "editors group" on the BT Prestel system. Essentially I said that BT was "being economical with the truth" in their advertorials and this could be seen by the use of a systems command that had been changed to in effect hide the guilty and blame the innocent.

The word came back via Dave Babsky of Micronet 800 that BT would like me to go up to their London office to demonstrate what I had said. This struck me as odd as I had provided sufficient information that a blind one legged dog could demonstrate it so I told Len Stuart and Vernon Quaintance of the ACC that there was no reason for me to demonstrate it to BT Gold staff, especially as I was not going to get paid for my time... Thus for once me sticking my heels in had "saved my bacon".

Some months later the problem with the BT Prestel test system called Pandora came up and I told various people involved not to demonstrate it to Micronet 800 and especially Dave Babsky in particular as it was not just me that thought he could not be trusted in any way, but also another person involved Simon Williams whose girlfriend just happened to be Dave Babsky's personal assistant, thus had the inside track on the wretch and was happy to say what a creep Dave was.

But Robert Schifreen was a journalist working for Acorn User and having "a big story in his sights" was concentrating on the story aspect not the ludicrous and quite suspect behaviour of Micronet 800 and BT engineering staff and their managers, and as we later found out the UK Prime Minister Margaret Thatcher, who some now claim was incandescent and beating up senior BT managers. Thus it was Robert and Steven who had their collars felt not me.

What went wrong with BT Prestel in the mid 1980's is an abject lesson in things not to do. Basically there were two glaring security faults that should not have happened then but a third of a century later still happen with regular monotony...

Firstly all the passwords including that of the administrators were stored in plaintext in files that were accessible to anyone with even lowly credentials such as those of tech support workers on the end of a telephone line...

Secondly Prestel had public and private pages all of which were addressed by a number. Thus the reason Micronet 800 was called that was because its root page was 800. The second system security fault was if you tried to go to a page on Prestel and you couldn't reach it for some reason, you'd get a standard "Page not found" error at the bottom of the screen. But depending on whether the message started right at the far left of the screen, or 1 character in, you would know whether the page really didn't exist or whether it was a private page you weren't allowed to see. This "feature" was independently discovered by quite a few people, thus teenagers with time on their hands started "private page hunts".

Prestel had more than a few technical problems and its structure was such that they needed a number of servers that you accessed by "local number" dial in, thus they appeared to be all over the country and each server had a name. You could by looking for private pages work out which server really held your account and which ones did not, and any anomalies were also noted by teenagers with time on their hands.

One big technical gripe with Prestel originally was content providers had to go online to put in content by hand and with 75baud up and 1200baud down this was slooow... Thus BT was looking for software on home micros to take this pain out and thus the idea of "Bulk Upload Software" came to people's minds.

However someone related to Micronet 800 convinced somebody at BT that these same teenagers with time on their hands would write the code for free if BT provided them with a server to test on...

Well somewhere the message got lost in translation. BT Prestel did indeed set up such a server and it was called Pandora... The people setting it up were lazy, ill informed or both, because what they did was take a backup off of a live server and copy it onto Pandora, then edit the front page and add an administrative account ID and Password on the front page...

So not only did all those private pages become available, but also that text file with all the user passwords in, including that of HRH Prince Philip the Queen's husband who has always been a bit of a techno buff...

Thus when Robert and Steve told David Babsky about it, and that they were writing a story about it, my earlier actions came back to haunt both them and BT. Now Margaret Thatcher is dead people are pointing the finger at her not the incompetent BT management, and they are saying it was her insistence that prosecutions be made...

I guess the truth of it will never really become known. I've already had a run in with one University academic back in the 90's because he conflated the two separate incidents together in a book he published. And he was far from happy to be told he should have done his research better, as in come out of his office walk a very short distance to the office I was in and ask me... Since then the conflation and other inaccuracy issues have got worse. Neither I nor Robert are getting any younger and Steven is sadly no longer with us, and I suspect most if not all those BT managers are likewise gone thus the ability to "correct academic research" mistakes is quite literally "dying out in front of our eyes".
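
The second fault described in the comment above (an error line whose column position reveals whether a page is private or simply absent) is sketched below as an added example; it is not part of the comment and is not Prestel code. The page numbers, page bodies, function names and the choice of which case gets the one-column indent are all assumptions made for illustration.

```python
"""Existence oracle in an error line, modelled on the fault described above."""
from collections import defaultdict

# Constructed sample data: page number -> (is_private, body).
PAGES = {
    800: (False, "MICRONET 800 INDEX"),
    8001: (True, "CLOSED USER GROUP A"),
    8002: (True, "CLOSED USER GROUP B"),
}
ERROR = "Page not found"


def leaky_fetch(page, allowed=frozenset()):
    """Two code paths build the 'same' error, but one is indented a column."""
    entry = PAGES.get(page)
    if entry is None:
        return ERROR            # page does not exist: text starts at column 0
    private, body = entry
    if private and page not in allowed:
        return " " + ERROR      # private page: column 1 (assumed mapping)
    return body


def uniform_fetch(page, allowed=frozenset()):
    """Missing and forbidden collapse into one branch and one byte string."""
    entry = PAGES.get(page)
    if entry is None or (entry[0] and page not in allowed):
        return ERROR
    return entry[1]


def response_classes(fetch, probes, allowed=frozenset()):
    """Group probed pages by exact response text, with no normalisation."""
    classes = defaultdict(list)
    for page in probes:
        classes[fetch(page, allowed)].append(page)
    return dict(classes)


def leaks_existence(fetch, private_pages, missing_pages):
    """True if a caller with no rights sees more than one distinct response
    across pages that are private and pages that do not exist."""
    probes = list(private_pages) + list(missing_pages)
    return len(response_classes(fetch, probes)) > 1


if __name__ == "__main__":
    private, missing = [8001, 8002], [9999, 12345]
    for fetch in (leaky_fetch, uniform_fetch):
        print(fetch.__name__, "leaks:", leaks_existence(fetch, private, missing))
        for text, pages in response_classes(fetch, private + missing).items():
            print("   ", repr(text), "->", pages)
```

The comparison is deliberately made on the raw response: a regression test that strips or collapses whitespace before comparing would pass the leaky version.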

TatütataApril 24, 2017 8:22 AM

Clive,

I looked up that R. v Gold and Schifreen case you mentioned.

I was startled to read this:

Unknown to Schifreen and Gold, the Prestel computer network operated on a distributed basis and was intended to act as a hot standby in the event of the UK going to war — in the event that the primary UK military computers were down, the Prestel network could be used to control and launch the UK's nuclear missiles.

Is that true? I couldn't find any other confirmation for that (e.g. at Vulture Central). Could it be that the authors are confusing Prestel with BT's X.25 network? Using X.25 to trigger Armageddon is somewhat less implausible than co-hosting a "War Games" type server with Sagittarius horoscopes. X.25 offered a "closed user group" facility, which I found out first hand that it could be much worse than useless.

The other shocker in that story for me is the notion of the Duke of Edinburgh accomplishing any activity remotely involving intelligence or even mere technical competence...

Clive RobinsonApril 24, 2017 7:32 PM

@ Tatütata,

Prestel computer network operated on a distributed basis and was intended to act as a hot standby in the event of the UK going to war — in the event that the primary UK military computers were down, the Prestel network could be used to control and launch the UK's nuclear missiles.

Whilst the first bit is true, don't read too much into the second bit.

Back then Maggie Thatcher was in power and spending lots and lots of money on hardening the UK seats of both central and regional power in case the cold war went hot as the CCCP started to collapse. Nuclear bunkers were being built anew or being refurbished and they were equipped with all sorts of communications systems. Part of which was an old fashioned manually switched telephone network one hub of which I was shown by Vernon Quaintance when at a meeting in a BT building in London just around the corner from the Barbican Center.

That network was to replace that of the old Automobile Association (AA) telephone boxes, that a long previous government had decided after WWII would be used by the Prime Minister to communicate launch commands if away from Whitehall. It always amused me because due to one of those quirks of human existence the switching points in the AA network became radio based, and nearly all the nodes were next to strategic targets. One that I used to see several times a week was at the south side of Tolworth Railway Station at the junction of Jubilee Way. The Government had a top secret part of their map makers to the north of the railway and just south of the A3 and a large coal depot (now a bus storage/maintenance and industrial park) to the west of this was Decca Radar's special research facility where they tested military and then later civil radar to their sports ground just east of the coal depot. Jubilee Way went around to what was called the Chessington Industrial Estate that in the 70's and 80's still had a number of manufacturers of top secret equipment including diving gear. Funnily enough one of them later became the office/workshop of FOCA who now run Formula One racing and Bernie Ecclestone tried to do cloak and dagger feeding of information into the sports press. During the second world war Tolworth Railway station was frequently attacked by the Luftwaffe and as a child playing in the farmland to the south I used to find live ammunition that had been dropped by those providing anti-aircraft emplacement protection and shrapnel from the German guns and bombs. My father used to escort me down to the local police station on a Saturday morning to hand in any "live ammunition" I had found, and the desk sergeant used to ask what I had brought him in almost as though I was bringing him a present. It was a far cry from what happens these days where they would close down a 100 meter area around the police station and call in the bomb squad in the name of health and safety...

As for some of the larger bunkers I snuck into when a bit older they had their own TV and Radio studios and transmitters. They also had military networks based on an "all valve" D11 transmitter/receiver and the likes of the BID610 and later 700 family crypto equipment, as well as massive generator sets to provide light and power and importantly the air scrubbing systems and recycling facilities as well as the sewerage cannons that blasted macerated waste out of the facility.

Thus due to Maggie Thatcher's apparent --to our modern eyes-- paranoia an easy way for BT to get very large amounts of funding for their BT Gold and Prestel communications systems was to sell it as part of the seat of government solution, because Maggie was hemorrhaging spending in that direction.

Somebody I used to know through the South West London Pirate Radio station "Radio Jackie" had other interests in finding out about these secret nuclear bunkers and getting into them to photograph them. Let's just say that if you travel from London to Bath by train you go through a two mile long tunnel built by Brunel where if you look carefully you can see an underground station sidings and spurs that go off into the old stone quarry (mine). Known as "The Box Tunnel Complex" they were originally used as underground munitions storage and factories built into the quarry complex. It was here that the central seat of government was to be evacuated to on one side of the tunnel and the south west regional seat was "on the other side of the tracks". It became a vast underground city in the 1950's and code named "Burlington" it could house 4000 civil servants for three months and had something like sixty miles of passages set out on a grid system.
Oddly perhaps these "ultra secret" locations were quite well known around where they were and it was not difficult to find them, nor were they actually well protected thus getting into them was not that difficult. In the case of Box you just had to find an opportune time to walk through the tunnel or an entrance by the railway... As a result one heck of a lot of photographs of not just the facilities but books and papers inside them were taken and spread around like minded people. The city was so vast it even had officers clubs and a pub called the Rose and Crown, workshops, a hospital --with a maternity section-- and major catering facilities. It also had a huge manual telephone exchange. It finally got decommissioned in the 1990's but rumours persist that some parts of the vast complex of mine tunnels are still a secret base. When it was an ammunition factory in WWII they had a problem of how to get people up and down 100ft effectively, much to the annoyance of the then London Underground two escalator systems were taken and installed in the complex.

Even the "Post Office Railway" that went under London from the Mount Pleasant sorting office to other sorting offices got an injection of cash for upgrades so it could transport rather more than mail bags. Then there were the "BT Deep Tunnels" with the Kingsway underground telephone exchange where the US-Russia "hot-line" went through and were used for a time by SOE/MI6 for some really "sneaky beaky" stuff prior to the construction of Pindar. Also the likes of closed underground tunnels got converted to secret bunkers. They even put a couple of parallel tunnels in under Whitehall that are still there today and one end is very close to Westminster Underground Station. This is over and above the "dock" network of tunnels under what is now known as "The Churchill War Rooms". During their design to help make the tunnels shock proof for the communications equipment they held they had a tunnel in a tunnel design with the inner tunnel built with a cork shock absorber a couple of feet thick on the inside of the outer tunnel. The public became aware of these tunnels existence, when during "renovations" somebody using a metal cutting torch set the cork on fire, and it could not be put out. So it was allowed to burn itself out, and for many days a huge pall of acrid black smoke hung over Whitehall billowing out from ventilation shafts. The big problem with digging such tunnels is who does it and how do you get the dirt out without comment. Which is probably why the building of Westminster underground station is rumoured to be a hub / nexus for secret tunnels...

A lot of the WWII underground facilities such as the Dock are conveniently close to Whitehall and mostly now not known in their extent. However tunneling is known to have continued and it's known that there are new "atom bomb proof" underground networks well well below the hundred feet or so deep level of the 1980's and WWII systems. These are known as "Pindar" and is where one of the COBRA crisis rooms is situated. It was started in the 1990's and cost over 125million GBP back then. It's known to have a number of street level exits as well as being rumoured to have connections out of the bottom of Westminster Underground station away to the MI6 building at Vauxhall Cross and one or two other similar but less well known places, much like the old tunnel from St Ermin's Hotel lobby in Caxton Street.

Maybe as with the BT Deep Tunnels we will get to know one day when they get sold off.

What I do know about Westminster underground station is that if you go there when it's quieter you could easily believe the stories because it does look oh so much like a Bond Villain secret base. It has the heavy concrete walls and columns, the stainless steel walkways and odd doors etc to look the part. Which almost certainly means it's not ;-) as the bunkers I've been in really are, just like sections of underground tunnel run in parallel with smaller cross tunnels as this is a very strong construction design. They don't have large open areas inside except for the old home radar command centers with their plotting rooms.

Any way most of the 1980's and earlier secret bunkers have been repurposed or sold off a number just "capped off" like subterranean tombs or time capsules awaiting archaeologists in some future time, one of which now has a school playground on top of it. However not all have suffered such ignominious fates one in Epsom Surrey south of London got refitted as a rather plush training center inside, but still looks like a drab repository building at the entrances. Some that have been sold off have become "data centers" for modern computer networks and data exchanges. With a new craze for commercial "Cyber Command Bunkers" and EMP proof data repositories for banks and the like some of the old "holes" may see new commercial life, and get decked out looking like the bridge of the Enterprise in Star Trek.

But one part of the British Nuclear deterrent is fairly well known. On coming into office each new Prime Minister hand writes letters for the captains of the nuclear subs that are sealed in the old fashioned way and locked in a safe on each submarine. There is a flow chart convention of how the captains get to the point of opening the letters, one step of which used to be to surface and listen for the BBC World Service. But as that has now been decimated by cut backs it's likely that this step has been replaced or augmented in some way. Hopefully we will never have to find out in anger.

You might find the photographs of the Dock in this article of interest,

http://londonist.com/2015/02/the-secret-bunker-below-londons-secret-bunker


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.