Sign in with
Sign up | Sign in

Intel HDCP Cracked Using $350 Hardware Kit

By - Source: Ruhr-Universität Bochum | B 25 comments

An FPGA development board was used in a man-in-the-middle attack in obtaining and transmitting an encrypted signal from an HDMI port.

Researchers from the Ruhr University of Bochum's Secure Hardware Group in Germany have cracked the copy protection system used by HDMI ports: Intel's HDCP, or High-bandwidth Digital Content Protection. In addition to HDMI, HDCP is used to encrypt video signals transferred via DVI, DisplayPort and other connectors.

"In 2010, an HDCP master key, which is intended to form the secret core element of the encryption system, appeared briefly on a website," reads the official press release. "In response, the manufacturer Intel announced that HDCP still represented an effective protection component for digital entertainment, as the production of an HDCP-compatible chip using this master key would be highly complex and expensive."

Seemingly taking that as a challenge, the team accomplished the "inexpensive" man-in-the-middle attack by using Digilent's Atlys Spartan-6 FPGA development board. It features a Xilinx Spartan-6 LX45 FPGA (field programmable gate array) in a 324-pin BGA package, two HDMI video input ports, two HDMI video output ports, a 10/100/1000 Ethernet jack, a RS232 serial port and more.

"Our intention was rather to investigate the fundamental security of HDCP systems and to measure the actual financial outlay for a complete knockout," said team leader Prof. Dr.-Ing Tim Güneysu. "The fact that we were able to achieve this in the context of a PhD thesis and using materials costing just €200 is not a ringing endorsement of the security of the current HDCP system."

The $349 USD ($199 Academic price) board serves as the "middleman" by modifying all communications between a Blu-ray player and a flat-screen HDTV without being detected. The team was able to tap the HDCP encrypted data streams, decipher them and send the digital content to an unprotected screen via a corresponding HDMI 1.3-compatible receiver.

Yet as the team points out, this man-in-the-middle attack could allow the end-user to burn films from Blu-ray discs, but recording directly from an HDMI port results in a large amount of data. That said, this method is "of no great practical use for pirates." But Güneysu envisions a real threat to security-critical systems used by law enforcement agencies and the military.

"Although Intel is already offering a new security system, HDCP 2.0, due to the backward compatibility, the weak point will also remain a problem in coming years," he concluded.

Intel and Digilent have yet to comment on the report.

Display 25 Comments.
This thread is closed for comments
Top Comments
  • 22 Hide
    amk-aka-Phantom , November 29, 2011 10:31 AM
    Good, good. The whole marketing of this HDCP feature as profitable for the user (see image below) sickens me, as does the feature itself. I don't agree with implementing copy protection on hardware level. This might not be fully usable yet, but the effort is already there. I love seeing expensive copy protection systems meant to limit the users go to waste.

Other Comments
  • 22 Hide
    amk-aka-Phantom , November 29, 2011 10:31 AM
    Good, good. The whole marketing of this HDCP feature as profitable for the user (see image below) sickens me, as does the feature itself. I don't agree with implementing copy protection on hardware level. This might not be fully usable yet, but the effort is already there. I love seeing expensive copy protection systems meant to limit the users go to waste.

  • 7 Hide
    vaughn2k , November 29, 2011 10:33 AM
    Intel should hire these guys.
  • 9 Hide
    de5_Roy , November 29, 2011 10:42 AM
    lawl serves intel right. they're inflating this thing by adding 'security-critical systems used by law enforcement agencies and the military' into hdcp. are the military and law enforcement agencies part of riaa and mpaa who bribed financially endorsed this tech for intel to implement this tech in the first place? nope.
  • 5 Hide
    doorspawn , November 29, 2011 10:58 AM
    The graphics card: 1) decodes the HDCP data, 2) decompresses it, 3) re-encodes it.
    Then it's captured by this MitM attack and decoded.

    It seems to me there's a far superior workaround between 1 & 2 waiting to be developed.
  • 6 Hide
    custodian-1 , November 29, 2011 11:00 AM
    this goes to a core belief if you try to lock it and no matter how. Soneone will take the time to unlock it
  • 6 Hide
    keyanf , November 29, 2011 11:32 AM
    If Patton lived today, he'd likely add "copy protection" to his "Fixed fortifications are a monument to the stupidity of man" quote.
  • 4 Hide
    icepick314 , November 29, 2011 11:49 AM
    still funny to see millions of research and development in DRM cracked by mere few dollars...

    remember the Sony's music CD protection defeated by just a piece of tape or even a sharpie marker?
  • 2 Hide
    wiyosaya , November 29, 2011 12:16 PM
  • 0 Hide
    Anonymous , November 29, 2011 1:14 PM
    @doorspawn

    actually if i recall correctly and i maybe wrong, HDMI has a hardware layer, all devices that connect via HDMI is required to implement hardware layer, if i recall the HDCP data never gets trans-coded but rather transmitted as is along with the copy protected material over the HDMI protocol, the receiving device not the transmitting device will then authenticate the HDCP data, what this device does is intercepts the copy protected material and using the master key strips out the copy protection resulting in a stream that is completely copy protected free

    it should also be noted that the hardened pirates will have access to TBs of hard disk space as well as machine with hardware accelerated video capture and trans coding devices, large amount of data was rarely ever a deterrent
  • 0 Hide
    kinggremlin , November 29, 2011 1:37 PM
    doorspawnThe graphics card: 1) decodes the HDCP data, 2) decompresses it, 3) re-encodes it.Then it's captured by this MitM attack and decoded.It seems to me there's a far superior workaround between 1 & 2 waiting to be developed.


    Of course there is. As was noted in the article by the developers of this, it has no practical use for pirates. Despite all the ROFLCOPTER $ony OWNED idiocy in the comments, this has nothing to do with copying Bluray movies. No one would use a method like this for copying movies. If you can't afford $10 movies, you can find all the movie rips you want for free at your local torrent site.

    This crack has real security implications. Being able to tap secure corporate and military data transmissions creates a legitimate security concern. Gloating over something like this is plainly stupid. This hack serves no practical benefit to the consumer. Granted, since this is a physical hack the person would have to have direct access to the cable carrying the signal, but a real working example is cause for concern.
  • 2 Hide
    rosen380 , November 29, 2011 1:39 PM
    wiyosayaAccording to Engadget, it only cost $260.


    They might be quoting street price of the hardware while I believe engadget was quoting what they paid for it [a university discounted price]
  • 1 Hide
    ordcestus , November 29, 2011 2:23 PM
    kinggremlinOf course there is. As was noted in the article by the developers of this, it has no practical use for pirates. Despite all the ROFLCOPTER $ony OWNED idiocy in the comments, this has nothing to do with copying Bluray movies. No one would use a method like this for copying movies. If you can't afford $10 movies, you can find all the movie rips you want for free at your local torrent site.This crack has real security implications. Being able to tap secure corporate and military data transmissions creates a legitimate security concern. Gloating over something like this is plainly stupid. This hack serves no practical benefit to the consumer. Granted, since this is a physical hack the person would have to have direct access to the cable carrying the signal, but a real working example is cause for concern.

    Fortunatly at least the military does not trust these sort of systems, we need to transfer data securely? We use fiber optic cables that can't be tapped without it being obvious.
  • 1 Hide
    koga73 , November 29, 2011 3:41 PM
    I've seen this sort of thing before with HDCP. The board in the middle acts as a compatible HDCP device, strips it out, and passes the signal through. The problem with it is the HDCP key blacklist. As soon as one of these devices comes out all Intel has to do is blacklist the key and it will no longer work with future content. If they have the master key however, they may be able to generate HDCP keys themselves.
  • 1 Hide
    jezus53 , November 29, 2011 3:50 PM
    kinggremlinGloating over something like this is plainly stupid. This hack serves no practical benefit to the consumer.


    We're not gloating over it because it serves a benefit to the consumer. We're gloating over it because it shows that no matter how hard the try to prevent people from pirating, we will always find a way around it. Also, why the hell would the military be using HDMI cables? Seriously, they aren't a bunch of basement dwelling tech freaks. They just want the signal to go to the screen and that is it. I'm sure they still use VGA, but that aside, we all know this stuff was made to stop pirating, not for law enforcement and military protection. IF that was their concern then they would have just applied it to the products those areas purchase, not to the average everyday consumer.
  • 0 Hide
    ctmk , November 29, 2011 4:16 PM
    wiyosayaAccording to Engadget, it only cost $260.


    and prices may go down if this thing is improved and mass produced. (if there is a market)
  • -1 Hide
    ctmk , November 29, 2011 4:19 PM
    And we consumer bares all the cost for all this sh1t.


    custodian-1this goes to a core belief if you try to lock it and no matter how. Soneone will take the time to unlock it

  • 4 Hide
    torque79 , November 29, 2011 5:50 PM
    Consumers put up with far too much now. TV used to be as simple as plugging in a cable, poof it worked. Now you need a digital box with HDCP at both ends and an appropriate generation of HDMI cable for the functions you wish to use. Add an a/v receiver and things get even more complicated, including frequent and (extremely annoying) HDCP handshake issues with legitimate hardware. All of this does not benefit the consumer in any way, only making it all far more complicated and expensive. As the makers of this device point out, it's not terribly helpful to crack HDCP anyways. It does not DO anything beneficial, it only gets in the way of compatibility and simplicity for end users.

    I hope someday consumers fight back and lash out against all this crap that's been forced down our throats.
  • 1 Hide
    Anonymous , November 29, 2011 6:37 PM
    I'm a locksmith and I know all too well that no matter how complex the "lock" there is always a way to defeat it, bravo gentleman.
  • 0 Hide
    Camikazi , November 29, 2011 7:03 PM
    wiyosayaAccording to Engadget, it only cost $260.

    The website I found where you can actually buy it say $350 normally and $200 for academic use.
  • 1 Hide
    nikorr , November 29, 2011 7:52 PM
    One thing is for sure, it will never last. There is always someone out there....
Display more comments