Hacking It in Baja

I know this guy -- call him Dave -- who spent much of February and part of March searching San Diego stores for a set-top receiver compatible with the DirecTV system. He had no use for the receiver itself but wanted the card with the embedded microchip that came with it, called a smart card, so a Mexican hacker he knew could program it to illegally receive the popular satellite television service. Dave, a millionaire who has retired to a gated beachfront community near Rosarito, believes that one inalienable benefit of living in Baja is being able to steal DirecTV's premium service. He's probably just one of thousands south of the border who do so. I know eight persons who pirate the signal -- mostly Americans but also some Mexican citizens -- and have heard of many others. I know of no one who now pays the company for the service, though five years ago I was acquainted with an American living in TJ who did subscribe to DirecTV, using a borrowed San Diego address and phone number. But soon he too joined the pirate crew.

On January 21, exactly one week before the Super Bowl, the El Segundo-based DirecTV company unleashed an electronic counterattack against the pirates, sending out computer code through the transmission lines intended to destroy the counterfeit smart cards. DirecTV had taken many other electronic countermeasures -- known as ECMs -- since it began service in 1994, but only in small doses that the technologically savvy hackers found a way around. These code changes are known to both the company and the hackers as "zapping" the card, but as it could be reprogrammed, they were little more than minor annoyances. This time, however, the attack was massive, effectuated over months, with the company transmitting to the receivers tiny bits of new code, until the day when DirecTV pulled the trigger to reconfigure the entire program built into the box. It didn't simply zap the cards temporarily, but rendered them incapable of ever being programmed to steal the signal.

"We fried a lot of counterfeit cards" is how Robert Mercer, an executive for the company, described it, adding that the January attack "was a different kind of countermeasure, more deadly than we ever launched before." It was, he said, "like a little neutron bomb," and acknowledged that its timing was no coincidence. "We wanted to get everyone's attention. We probably ruined a lot of Super Bowl parties." So confident was the company that they had inflicted serious damage on hacking operations that they embedded into the final piece of their destroying code the words GAME OVER.

Hacker websites and forums revealed the counterfeiters in a state of shock following what they now call Black Sunday. One wrote that the hackers had at last been bested by "a bunch of old nerds at a Satellite company." DirecTV farms their electronic security tasks out to News Digital Systems, an Israeli company owned by the Rupert Murdoch media empire (Murdoch is negotiating to buy DirecTV), but this ECM was so sophisticated that some speculated a top hacker, a Canadian facing jail time, had assisted the company. DirecTV spokesmen would say only that "There are people willing to make deals to lessen their sentences. We have made deals with some of these people who have been caught." The customers of the hackers were also in shock, suffering withdrawal symptoms from not being able to watch premium television service. While no one knows how many households pirate the DirecTV signal (the other major satellite TV company, Dish, also gets hacked but to a lesser degree), estimates run from 100,000 to double that number, in the U.S., Mexico, and Canada.

Prices for DirecTV's service range from $22 a month for basic to more than $80 for the premium service, but that's not counting the pay-per-view events, like wrestling, boxing, concerts, and recent movies, which will add to the bill. Mercer guessed that a pirate who watches the services that are normally pay-per-view could steal as much as $100,000 per year of value. The satellite that DirecTV uses for its customers in the U.S. also spills its signal a few hundred miles over the Canadian and Mexican border, using the standard small dish. (Subscribing to the American service is, in fact, prohibited by those countries.) Thus, an active hacking and marketing community has sprung up in the border areas of these two countries, and DirecTV's Signal Integrity Office, run by former FBI agents, has helped U.S. and Canadian police bring the culprits to justice. However, the company knows of no arrests for hacking ever made in Mexico. In fact, not until recently did Mexico have an anti-hacking law. A lot of the card counterfeiting is done in Canada, where the law is ambivalent: some hackers have been convicted, but at least one judge ruled that a defendant could not be found culpable of stealing a service that was not sold in the country. Many of the phony smart cards are smuggled from Canada into the U.S. and Mexico, though there is evidence of a growing community of accomplished hackers in Tijuana. One Baja customer of the hackers says that he knows of at least one American who regularly comes into Tijuana to pick up some cards, evidently for resale in the U.S. Hacked cards in the U.S. sell for around $250 to $400, and some have shown up on the eBay auction site. In Baja they're often much cheaper, sometimes going for $150 or less.

Dave, the wealthy retiree, was introduced to his hacker by a good friend, a Rosarito businessman who himself receives the illicit programming. He's had the cards for several years at a price of $150, which the hacker guarantees for six months. This means that if an ECM zaps the card within that time frame, the hacker will reprogram it gratis. Dave says that his card has gone unzapped for as long as ten months and for as short as two.

In early February, a few weeks after Black Sunday, Dave's hacker gave him a new card for only $60, advising him to take good care of it. The card worked fine, and a few days later one of Dave's neighbors borrowed it, supposedly for a pay-per-view movie he wanted to watch. Instead, the neighbor -- a former vice president of a major defense contractor -- took the card to an incompetent hacker who ruined it in a bungled attempt to make a copy. Dave was irate, and his skilled hacker in Rosarito was upset with him for lending out the card. The hacker told him to buy a receiver so he could try to program a fresh card.

Dave had heard that the Wal-Mart stores sold an RCA receiver, with card, for $50. When he and some friends went to pick them up they discovered they were not the only pirates looking for new cards in the wake of Black Sunday. From late January through at least part of March the Wal-Mart stores in the county would sell out of the cheap receivers within hours of receiving them, when they were able to get them in at all. At one point even their main warehouse had none in stock. The National City Wal-Mart had posted a sign limiting purchase to two per customer, and a salesperson there said the hot items "go out as fast as PlayStation 2." A clerk at one of the San Diego Wal-Marts explained the reason for the shortage: "Half the people are buying them legitimately, the other half are buying them to get the card so they can get free programming." (Wal-Mart also sells more expensive receivers, such as those made by Sony, but thrifty folk like Dave, who wanted only the card and not the box or the dish, were clamoring for the RCA product.)

Some retail outlets -- like Best Buy, Tweeter, and Circuit City -- will not sell the DirecTV hardware unless the buyer also signs up for the service, for which the stores receive a percentage. They require that a customer also use a credit card. Dave sent a friend to a Tweeter store in the South Bay to purchase two boxes (one for his neighbor), but the salesman declined to sell without activation and pointedly asked if the products were going to be taken to Mexico. A week later a manager at the same store told me that "anyone buying the receiving box without activation is just looking to pirate the signal. There's no legitimate purpose to it. And a store that sells the system without requiring activation knows what's going on. If they continue to do that the problem will never end." He said his stores wanted to retain good relations with DirecTV.

A Wal-Mart spokeswoman said from company headquarters in Arkansas that they saw no problem in selling the stand-alone system and that their store left it up to their customers to enroll. She also pointed out that the new boxes had a different card, not the old ones that could be altered by criminals. DirecTV likewise had no problem with Wal-Mart selling the hardware without activation; they said they assumed the buyers would call them to enroll in the service.

The "old cards" that the Wal-Mart spokeswoman referred to were, when they first appeared around 1997, produced in a Tijuana maquiladora, or border factory, according to a Tijuana businessman who also enjoys the illicit U.S. signal. Massive in-house theft of the valuable cards prompted a relocation, and the new generation of access cards are now produced in Israel. Most of the hacked cards, he believes, are smuggled in from Canada.

People knowledgeable about the business say that the cards that were burned on Black Sunday are what DirecTV calls H cards. These were on the market for a few years in the late '90s, but a flaw that made them easy to hack forced the company to replace them with HU cards, which are supposed to be impervious to hacking.

Elias Levy is the chief technology officer for SecurityFocus.com, a San Mateo company providing electronic-intelligence services. He follows the battles between the corporations and the hackers. "What I found so interesting is that the media went on and on about what a great job DirecTV did stopping the hackers and taking down all those cards. But they all quickly lost interest in the story and forgot to check after the fact. I think it's really just as interesting how the hackers got around the DirecTV measures and are now back in business. It's an endless war: DirecTV comes up with something and then the hackers come up with something else."

Levy points out that even the burned cards can be reprogrammed to some degree and are protected by using an old PC to take any future ECM hits. But more important, he's heard rumors in the hacker underground that the new HU cards, which carry the image of a football player, have finally been hacked.

DirecTV has a sister company in Central and South America called DirecTV Latin America. It uses a different satellite than does the U.S. company; of course, the programming would also be somewhat different. Salvador Galvan owns the Baja dealership for DirecTV Latin America, and he says that the pirating of the American signal south of the border hurts his business. And he doesn't know why the U.S. company doesn't use the system employed in Mexico to foil hackers. Each prospective subscriber is carefully checked out, and the system is leased to them, never sold.

Two years ago, Galvin says, at the urging of the Baja satellite and cable companies, the Mexican attorney general's office, working with local police, raided a number of bars that were offering premium televised sporting events, mostly by pirating the U.S. company's signal. "We told them they had to pay for the rights and that they had to have Mexican equipment. More than 95 percent of them did it, after some people were arrested and some places were fined." As for those who continue to resist, "For the bars to get people to come they have to advertise. And as soon as they advertise, we go [to visit them]. The paper is my best salesman."

Galvin doesn't think the Latin American operation uses ECMs. Instead, a new program was started where subscribers will periodically receive by mail a new access card.

"We're not saying nobody [is hacking the signal]. We're just saying it's not logical that somebody would do it, since we rent the equipment. You can't buy it in Mexico. If a customer does not pay the monthly fee, we are told by DirecTV in Mexico City to go out and pick up all the equipment. And when we pick up the equipment, where is he going to insert his [hacked] card?"

Galvin doesn't think there are many hackers in Mexico, "because it's very sophisticated to do it." (But in ads that have been running recently in the Tijuana daily El Mexicano, someone using an e-mail address and cell-phone number is offering to program DirecTV cards as well as to purchase blank ones.) Galvin does have people coming to him wishing to purchase the American card. "And I always tell them, 'I'm going to pretend that I didn't hear you say that.' "

In a colonia a short distance from Galvin's office in the Zona Rio, at least two households on one block alone enjoy DirecTV Latin America (which has only several hundred thousand paying customers), including the premium channels and free pay-per-view. They do not pay the monthly fee and say they have never experienced any interruption of service in the several years they've had it. A resident states that the entire system -- dish and box -- is sold on the street for $450.

Ruben Romero is an American citizen and chief of corporate security for DirecTV Latin America. But he investigates hacking wherever it occurs, he says, "because the pirates have no borders." His 12-man security group consists of former agents of the U.S. Justice and Treasury Departments. Romero, who attended SDSU and was once a customs agent in San Diego, states that his team is much more proactive in combatting the hackers than is U.S. DirecTV. Recently, he says, his group worked with U.S. Customs in Texas to arrest a major Mexican hacker who had smuggled into the U.S. a large number of access cards for the Latin satellite service, for sale to Latinos living in the U.S. Just like the American service, the Latin system is vulnerable to counterfeiters.

"There are major rings operating in Mexico," he says, speaking from his office in Florida. "They are hacking both the American card and the Latin American card." Because a big enough dish can grab the U.S. signal even as far south as Mexico City, there are "a large number" of counterfeiters in Mexico. And yes, he admits, the new HU card has been hacked, not only by the Canadians but by their Mexican counterparts. His team, he says, has sent out ECMs in Latin America but not yet on the scale of Black Sunday. They also operate fake Spanish-language hacker websites to gather intelligence and advertise a toll-free number for people to call to turn in their pirating neighbors.

Romero acknowledges that no arrests for hacking have ever been made in Baja, but he says that will soon change. Using an anti-hacking law passed by the Mexican congress in November, he states that there is "a major criminal investigation" currently in progress. And that his group, working with agents of the Mexican attorney general and coordinated with U.S. Customs in San Diego, will put a large dent in the activities of the Baja hacking rings. "I feel confident that a lot of those cards and boxes will be going down very soon."

Meanwhile, Dave in Rosarito gave up trying to buy the RCA box at Wal-Mart. Instead, he had his Mexican friend intervene with the hacker, who again sold him a card at the bargain price of $60. And on the new card is an image of a football player.
