The TV Box Working Group, created by Anatel to study the pirated IPTV boxes on sale in the Brazilian market, already has results on some models. With the help of ABTA, an association that represents pay TV operators, it found malicious software on the HTV, a device that, according to the agency, is the best seller, since it is the one most often seized, and which is found in online stores for around R$1,000.

Tele.Synthesis spoke with Wilson Wellisch, superintendent of inspection at Anatel, who gave more details of the investigations. The agency, he said, called on ABTA engineers and experts to contribute to the reverse engineering after running into limits in its own experiments.

To check all the functionality, including the playback of pirated content, the servers would have to sign the HTV packages, which is not permitted for the investigation. As a result, a test rig was built to simulate real use of the device.

“We had difficulties because we need the equipment working. The disconnected equipment is not enough. We partnered with ABTA to test live equipment. And from there, we check the vulnerabilities”, he said.

This delayed the work. The expectation was that the first report would be ready in August, but it has not yet been finalized. The work of GT TV Box will continue even after the first report, with the addition of more products, said the superintendent.

Door to the unknown

So far, the agency has identified that, when turned on for the first time, the pirated TV Box looks for a port through which to connect, without the user's consent, to an unknown server. The embedded malware receives updates with new ports that can be used if the current ones are discovered.

The agency also detected that user data is captured and sent to servers without approval. And it concluded what was already expected: that HTV illegally retransmits pay TV content, captured in Brazil without a license, and charges the user for it. This content is captured in the country, transmitted in a masked form to servers abroad, and then returned to local customers, all over the user's IP connection, via applications that imitate pay TV or OTT video streaming services.

Anatel discovered that the content is captured both in transit from the programmers to the distributors and from the distributors themselves (the pay TV operators responsible for the subscribers, for example, Sky or Claro).

It only gets worse: Botnet

The malware identified by Anatel's servers is capable of taking control of the TV Box, although it does not do so. In practice, it acts behind the scenes, without the user noticing, using processing power beyond what is necessary to carry out illegal acts.

The program, says Wellisch, connects to a malicious botnet that would have the ability, on command, to carry out coordinated denial-of-service attacks, known as DDoS.

“We looked into the possibility, through a command and control server, for the botnet to take control of the TV Box and carry out DDoS attacks. As there is a lot of this equipment distributed, they can be used to take down sites, including those of public services”, he says.

What about cryptocurrencies?

In the middle of the year, Wellisch said there was a strong suspicion that the boxes were being used to mine cryptocurrencies without the user's knowledge. According to him, however, Anatel has not yet carried out tests on this.

“For the time being, we are focused on cybersecurity, but I still believe that mining is possible because these TV Boxes do not use all the available capacity”, he reiterated.

With a better understanding of how the box works, Anatel intends to improve its anti-piracy strategies, going beyond the seizure of non-approved equipment.

The GT's conclusions will still be sent to GT-Ciber, Anatel's cybersecurity group. The aim is to determine whether there is work that can be done jointly, since the problems identified went far beyond intellectual property theft and lack of hardware approval.

