TiVo Awarded Patent For Password You Can't Hack

Davis Freeberg writes "TiVo has always been known for thinking outside of the box, but this week they were awarded an unusual patent related to locking down content on their hard drives. According to the patent, they've invented a way to create password security that is so tough, it would take you longer than the life of a hard drive in order to figure it out. They could be using this technology to prevent the sharing of content or it could be related to their advertising or guide data, but if their encryption technology is really that good, it's an interesting solution for solving the problem of securing networks."

Re:A really long one?

[Anonymous Coward]

Reminds me of a trick I pulled on an old HP-UX box. I somehow managed to put a backspace keystroke in my password I could log in on the console (which treated backspace as a normal keystroke) but not over ssh or ftp (since there is no obvious way to type a backspace into one of those clients).

I suppose if I ever figured out how to put a newline into my password I would have one heck of a time logging on.

Clone Drives?

[Tuoqui]

If it exceeds the life of the drive theres an easy way to just clone the drive or remove the platters and put them into another hard drive (yeah very sensitive operation likely requiring the conditions of a clean room).

Its hard to make something undefeatable and if you claim such it is only going to attract people as a challenge. Maybe that is what they want?

Of course if someone proves that it isnt 'impossible' then does that void the patent?

Blog spam is just plain wrong

[asdfghjklqwertyuiop]

it's an interesting solution for solving the problem of securing networks.

This has nothing to do with networks at all. The patent is about making sure a hard disk can only talk to a certain host.

Its just another attempt to prevent people form using their own hardware how they want to.

Man in the middle?

[Koookiemonster]

I am no expert, but couldn't you create a device that reads the input + output of the hard disk, then grab the challenge + response and by doing so improve your chances of cracking the key?

Or maybe the password is just "Iceberg" -- "Even if they hit that key, it won't cause a crack."

Hamel's Folly

[eddy]

On the dangers of assuming keyspace => security:

The mechanical ciphering machine invented by Alexander von Kryha in 1924 received the Prize of the Prussian Ministry of the Interior at the 1926 Police Fair and a Diploma from the famous postwar Chancellor of Germany, Konrad Adenauer, at the International Press Exhibition in Cologne two year later. Von Kryha was not only an inventor, but also an astute entrepreneur. To promote his commercial venture Internationale Kryha Machinen Gesellschaft of Hamburg, Kryha turned to the famous mathematician Georg Hamel for an endorsement. Hamel calculated the size of the key space to be 4.57*10^50 and concluded that only immortals could cryptanalyze Kryha ciphertext. Not withstanding Hamels estimate, a cryptanalysis of the Kryha machine by Friedman did not require as much time and is described in the ''2 Hours, 41 Minutes,'' a chapter in Machine Cryptography and Modern Cryptanalysis [Devoirs and Ruth, 1985].

from ''Computer Security and Cryptography'', Alan G. Konheim.

A good way to lose their business

[smartin]

I know that I'm probably not their target audience, but the one reason that I have two subscribed tivos is that I can hack them and disable the DRM and generally they've been pretty cool about it. But the day they lock me out of my one boxes is the day that I cancel my subscriptions and either continue with the hardware on my own or switch to MythTV.

Re:Man in the middle?

[CedgeS]

The claim in the patent is simply using one of many man-in-the-middle resistant challenge/response methods to avoid exactly this. A much more interesting attack is to emulate the environment of the host, and get it to unlock the disk for you, or to sniff the unencrypted actual data off the wire. This is more an obstacle of convenience than one of actual security. They don't want one person finding the key and using it to write computer software so you can toss your drive from the DVR right into the computer to rip video without special hardware.

Read the patent...

[guruevi]

It's basically just a DRM-machination with the cryptography on chip. Basically, the same that AACS has on HD-DVD, and the patent specifies that guessing the password woud take longer than the lifetime of a drive. Euhm, I guess even guessing 56-bits encryption would be enough.

The problem is still, the user has HIS content, he can do whatever he wants with it as long as he can see it. Unless you encrypt the lightwaves that reach our eyes and plant a DRM chip in our brain, we're going to be able to copy your precious content.

Re:Yet another reason not to get a Series3 TiVo

[daeg]

I've already canceled my TiVo service due to their rapidly-decaying "rights" issues. For the obscene price lately on TiVos, plus service, it's cheaper to buy a few components and build a MythTV or similar box.

Why It Does and Does Not Matter

[Midnight Warrior]

Quickly, before Cringely ruins it with bad math, I need to point out some very obvious weaknesses in making this work correctly:

• SHA-1 has been (somewhat) broken [schneier.com]. Not highly repeatable yet, but they're getting there.
• Encryption does not hide a message forever. Most of us picked up on that in one form or another. It just hides it long enough to make the information useless. If I can only break a single machine 6 years after it was written, the video isn't going to be very useful to me.
• Good encryption methods assume two things. One is the attacker does not have the key. Smart card attacks have shown [iacr.org] (PDF) that even though an attacker has to guess the key, a poor implementation may provide useful hints during the guessing phase.
• The second assumption is that the message is not highly predicatable. Disk drives are known for having highly-predicable components on them which makes finding the plaintext all that easier.
• These folks are so cocky about SHA-1's entropy space, they claim "there is no need to abort the authentication process from a specific host. For example, there is no need to abort the authentication process if a specific host generates three wrong passwords. " Zeroization [cerberussystems.com] is the only way to do this right. You can also vary this so that after three failures, an automatic delay is introduced to slow down the guessing.
• Reading the patent text indicates that new "commands" will be added. No mention of a bus protocol (ATA or SCSI) is mentioned. Presumably, they won't make the drives themselves, so it will need standardized. The hard drive community is open to using patents, but only if the terms are reasonable or a cross-licensing deal is in the works. If this is a forced attempt, it will fail miserably or cost so much that the drives will be considered custom, low-volume, high-cost components.
• The likelihood of them screwing the implementation up are so high, they should pursue FIPS 140-1 [cerberussystems.com] certification for every hard drive made. Then, the patent can apply outside the domain of Tivo.
• This scheme works better as a general hard drive protection measure than for a Tivo. People who own a Tivo might probe the memory chips for the crypographic module to sweep for the drive or system keys. AACS recent events ought to make it obvious that people are motivated to do this. The general case may prevent a lost hard drive from being very useful.
• It would appear that the cryptographic module does NOT actually encrypt data on the platters. It seems to only cover communication between the host and the disk controller. If an attacker were to replace the circuit board with one whose path was trusted, they could read the platters without issue. They do this all the time in the hard drive repair business; no clean room required.

Okay, you all can go back to your regularly scheduled cheap shots.

Re:Sure, uncrackable like every uncrackable code

[Anonymous Coward]

I have no idea how the process of reverse-engineering of a microchip works, but does it depend on inspection of features revealed only by light? I.e., is there a reason it can't theoretically be performed in a darkroom? Failing that, if some part of the process does depend on visual information, would a high-resolution camera with a high shutter speed be able to capture that information sufficiently well before the chip was destroyed?

What I'm trying to ask is: does photosensitivity make it practically impossible to examine the guts of the chip, or does it merely make it harder?

what if i made some 1:1 s?

[hcmtnbiker]

FTA: According to the patent, they've invented a way to create password security that is so tough, it would take you longer than the life of a hard drive in order to figure it out.

So it's security is that a brute-force/birthday attack is just so improbable that the drive will wear out before i can test enough possibilities to have a measurable chance of getting it? Besides, twofish, blowfish, AES, any virtually any other standard encryption algorithm could boast the same thing. Tell me if I'm wrong, but couldn't i make a bunch of 1:1 copies of the disk and use those to crack it?

I'm no security expert...

[babyrat]

but I do know this nifty card trick:

Give your friend a deck of cards. Turn around and have them shuffle it, select a card at random, memorize the card and put it back in the deck. Have them shuffle it some more (without you looking at it). Take the deck from them and take a card from it and say 'this was your card'.

In the long run, you'll be right about 1 in 52 times. If you happen to be right the first time with a particular friend, and never do the trick again, they will be scratching their head for a long time trying to figure out how you did it.

So, the point I'm trying to make is that it could take longer than the life of a hard drive to crack the super secret code, or you get get it right on the first guess (or the second one, or the third one...). So it seems rather silly to claim that it is uncrackable.

Re:Yet another reason not to get a Series3 TiVo

[dgatwood]

There are a lot of reasons:

• It's old hardware with no warranty that could die tomorrow and I'd be screwed. Free old hardware is okay, but spending money on it doesn't make sense to me.
• An Xbox (unless you get one with the DVD kit) doesn't have IR remote control, so I'd have to add hardware to that, too. I've already done more hardware hacking in the past six weeks than in the five years previous. While it's fun to a point, I'd really like most of the rooms to be as turnkey as possible---either by being clones of my current front end or by being an off-the-shelf product like the AppleTV.
• The XBox doesn't have DVI output. The writing is on the wall for analog TV; it is only a matter of time before HDMI becomes the main connector on all TVs. I see no reason to spend money on hardware that doesn't provide any digital output these days. I still need the analog outputs for now, but that's temporary, and solvable with some relatively easy hardware hacking.
• The XBox processor can't realistically handle a MythTV front end with video of any quality. My Celeron M 1.4 GHz is just barely able to cut it unless I do the most lightweight deinterlacing. The Xbox is a P3 at half that clock speed. The AppleTV is a Pentium M that's 1GHz, but it has a much better GPU for offloading a lot of that work, and Apple has done the performance tuning for me to make sure it actually works....
• I'm seriously considering dropping DirectTV and going straight to downloaded content. I'm pretty sure that with the relatively small number of shows I watch, it will be cheaper that way. An AppleTV would still be useful in that environment. The Xbox would be a boat anchor.
• It will take all of an hour or two to get MythTV to transcode content for the AppleTV. It would take a lot longer than that to figure out how to set up a MythTV front end on yet another piece of hardware with different IR hardware, different OS installation, etc. Life's too short.

As for restrictions, the box itself doesn't do much of anything to restrict me as far as I've read. And, of course, for what I'd be using it for (a DAAP client), it's really an ideal solution (lack of S-Video and composite outputs notwithstanding). It's easy to use, can connect to a DAAP share on the MythTV backend box easily (it looks like an iTunes share), etc. Output formats fr older TVs notwithstanding, it's a plug-in-and-go solution that can easily integrate with the MythTV setup, but is still tweakable under the hood if I feel the need to do so at some point in the future.

That's what I look for in technology products---products that (as much as possible) just work when you plug them in, but are still sufficiently easy to mod to add features if/when I outgrow their functionality. The AppleTV gives me a lot more room to grow than an Xbox. That means that I'll be able to keep using an AppleTV long after I'd need to replace the Xbox with something else. That long-term viability is worth an extra hundred dollars to me.

Am I infringing on the patent?

[ancientt]

From TFA:

within a disk drive to be read and written to only by a specific host computer

When I read this I though "Okay, so you have to steal the box to get the content or do a lot of work to get the data off of the drive using the chip in the machine.. no big deal right?"

Then it occurred to me, maybe the host computer isn't the local Tivo box, maybe it is Tivo's system (remote) that they're calling the host. What does that mean? Now you can't get data off of the drive unless the Tivo calls home, swaps keys, and stores a decryption key/algorithm in RAM. This means that if Tivo says no, you can't get at data on the device you now own. So... well if you can hack the OS then you can just have the keys stored after/during exchange or you could read out of RAM, but maybe the OS is built off of a network boot scenario with the initial sending of the system happening only after the handshake. Tricky.

If (big if) that is the case then the way to beat it will have to be capturing the data in RAM from a running system. It sounds tough but I suspect you could do it by setting up a virtual machine that intercepts the call coming from the box, and on return sends all output from the chip normally destined for real RAM into virtual RAM (which is really filesystem based, heck make it a ram drive so it is as fast as RAM but readable as a file.) Copy the virtual ram file, and you've got an unencrypted OS. Hack your unencrypted OS to store the keys, and now you have your drive decryption key, your "call home" key and a hackable OS. Want to do something Tivo doesn't like? Make your OS think the commands came from Tivo, not too difficult now. Maybe they have a changing algorithm where the chip uses a new key (in predicted order) for each call home, incrementing after each successful exchange. Maybe then you have to talk to the chip every time with your Virtual Machine, but it still accomplishes the goal of having complete access and control.

Okay, what I think they really have is a scheme to make sure that a chip and drive are tied together so you can't get at the drive without the chip, thus no Tivo drive swapping and they really don't care right now anyway and just wanted to get the patent because they think their method might be marketable some day. I wonder if I'm giving them ideas.. nah, they'll never read this post, right?

Re:So....

[cgenman]

Why not encrypt the HDD at the level of the drive electronics? That way a user would have to physically remove the platter to read any useful data. That process would cost more than most data one could recover from an average user's tivo.

On the other hand, yes, this does appear to be a simple patent on tying a hard drive to an electronics unit. Viable attack vectors are already obvious.

TV Sucks , Slightly Off-Topic

[Death_Aparatus]

I think you all should just stop watching T.V. I haven't watched T.V. regularly in over 5 years now and it feels great. Just think a moment about how obsurd cable T.V. is . . . you're paying money to be advertised to. It should be the other way around. THEY should pay YOU to watch thier crap.

Think about how much head space you will be saving yourself. Hell, I still have commercials floating around in my head from the late 80's. I certinatly don't need any more of that filth polluting my thoughts.

In conclusion, T.V. sucks. Stop watching T.V.

This patent sucks

[Tom Womack]

That is a dreadful patent, and it would be ridiculous to see it issued; hardware challenge-response dates back to at least the first IFF machines in the second world war, they're not even mentioning having a deliberately slow password-hashing algorithm, which is itself at least as old as UNIX, and the technique is vulnerable to bump-in-the-ATA-cable extraction of the data from the disc in the first place, and probably also to an attack where you swap the drive controller board for one from a drive of similar model without Special Tivo Sauce.

Re:So....

[vtcodger]

In general, you seem to be correct. You can patent just about anything. But there is an exception. Since 1911, the words "Perpetual Motion" have been the kiss of death for a patent application. In order to patent your perpetual motion machine, you have to obsfucate its nature -- for exmple by claiming it is an anti-gravity machine. No, I'm not making this up. Wish I were. See http://209.85.165.104/search?q=cache:SzVmVt9_BIwJ: news.nationalgeographic.com/news/2005/11/1111_0511 11_junk_patent.html+patent+perpetual+motion&hl=en& ct=clnk&cd=2&gl=us&ie=UTF-8 [209.85.165.104]

Re:longer than the life of a hard drive in order .

[Renfield Spiffioso]

Wait what? I have an enterprise WD drive installed in my home PC with a 5-year warranty. As far as reliability, In the aftermath of Hurricane Katrina, I was working at a college whose campus was across the street from the gulf of mexico. One of the professor's computers which was recovered had a WD Caviar Drive in it. Due to location the thing was under sea water for 10 hours. Circutiry on the underside was corroded, it shook salt when you tapped it, and smelled like dead fish. After a lot of sad grinding sounds, Symantec Ghost had made a working clone of it in 20 minutes. No file loss. In normal operation, many of our (past warranty) WD drives worked like a champ as well. I will also admit our newer seagates never had a single issue, but the older models were less reliable than the aptly named Quantum Fireballs.

Re:Does it matter?

[sumdumass]

The password might not be cracked. Well, at least not cracked in a meaningful or useful way. I can think of several ways this could be accomplished. Tying the drive to the mainboard with a kill switch that burns out the firmware controler could be one. This could mean all ads and all content is useless outside the tivo and the drive is borked if tried outside it too.

But if this patents is invalidated, it is meaningful in several ways. First is other devices might be forced into using it by the media companies or something and this will raise the costs of consumer electronics. The next thing is, suppose someone discovers this as a way to keep usable information out of anyone's hands who don't have permission to use it. There is another royalty that needs to be payed and it will come out of our pockets too. But most importantly, A patent takes an entire piece of software off the market for most. Imagine if the word processor was patented when it originally was developed. Whatever the first word processor was and anyone willing to pay the royalties to them are the only word processors we would have. Openoffice.org wouldn't be here, Microsoft could have bought the patent and stopped everyone from using it other then them, so on and so on.

So what happens when computers are fast enough that to be somewhat reasonable secure, you need this patent. If it is still valid, again, everyone pays TIVO to use it. But if it was copy written instead of patented, then many other players could attempt to do similar things and hopefully competition would make things better and all. But if we are stuck with this one implementation and it turns out not to work, any working implementations from other companies will have a payment to TIVO associated with any costs.