Thursday, 2 November 2006

IP over DAB Digital Radio

Speaking of DAB digital radio, Symantec's Ollie Whitehouse alerts us to the standard for tunneling IP over DAB, ETSI ES 201 735 [PDF]. This sounds extremely cool for broadcast or multicast data to inexpensive devices.

Looks like the HTC Monet uses this, not DVB-H (handheld DVB) to show TV. Virgin Mobile UK is branding it as the Lobster. El Reg has an interesting review.

Ollie is worried about the security aspects though:

Looking at this from a 30,000 ft viewpoint, a number of different and obvious attack surfaces appear to exist:
• The DAB protocol stack
• The IP stack
• Media codecs

Then, your mind starts to work:
• I wonder if they firewall the DAB connection on the device?
• Can I spoof content? If so, how hard is it to attack the media codec with this spoofed content?
• Is it possible to leverage that old IP stack DoS and take out every DAB-IP enabled mobile/cell phone in a 10-mile radius?

You end up with a situation where you could conceivably "broadcast" exploits to a geographic area if you were able to successfully attack any of the attack surfaces outlined above. It makes you think, doesn't it?
Update: also noted at...

1 comment:

nickpiggott said...

The authentication issue is a really interesting one in this environment. It's generally assumed there is implied authentication because "who else, other than a licensed broadcaster, would be running a DAB multiplexer?". That's a dangerous assumption in my opinion, and one that should be challenged.

The Eureka 147 technology makes some fundamental assumptions that you can trust whatever you receive because it can only come from a trusted source (e.g. licensed by the authorities). That might be true now, but it only takes a Dell PC, a D->A card, some software (admittedly complex), and an old UHF TV transmitted and voila - you too can look like a trusted source in your local area. (I have a bet on with a colleague that we'll see Pirate DAB radio in London within 5 years).

In the case of the BT Movio service, there is some authentication using Microsoft DRM, but that all happens way way way after the IP stack, and the IP packets from DAB are fed into the bottom of that.

There are more obvious things to attack, and frankly there's so few Movio handsets out there you'd hardly create a murmur. Have a go at transmitting Spam on DLS, Slideshow or EPG - that'd be easier and more effective.

Post a comment