Piracy of live TV channels is considered by rights holders to be one of the most serious threats to their business.
Subscription channels often end up in IPTV subscription packages, sold to the public at a fraction of the cost after pirates obtain them using both legal and illegal means. In some cases, the streams are pulled directly from the broadcasters' official feed servers, which is surprisingly common, and with the right tools, not particularly difficult either.
Earlier this week, TorrentFreak was contacted by an anonymous source who explained how, in his words, โone of the biggest broadcasters in Europe (and the world) completely ignores how people can watch all their channels live (on the UK, Germany and Italy) without even having an account.โ
Telegram groups selling TV NOW decryption keys
NOW TV is an OTT TV subscription service operated by Sky Group. Launched in the UK in 2012, NOW TV is also available elsewhere in Europe, including Italy and Germany. In January 2023, a researcher named 'Mark K' says he came across Telegram groups offering to sell decryption keys that grant free access to the NOW TV service.
This aroused the interest of the researcher since Microsoft PlayReady DRM protects NOW TV streams in Italy and Germany.
โ[T]I had no interest in buying the mentioned decryption keys just to test them, plus I didn't know if there was some kind of scam. But since I am a security enthusiast, I really wanted to know what was going on behind a possible PlayReady leak, so I decided to chat with the owner of the channel with the interest of obtaining technical detailsโ, explained the researcher.
โI tried to ask how the keys were grabbed, if PlayReady was proven to be broken. He did not want to give me any details regarding this matter, he just wanted to sell the decryption keys by making me some offers; that until, as a last chance, he provided me with a URL, a key identifier and a decryption key for an Italian channel: Sky Sport 24โ.
The investigator said he tested the key and it worked. Subsequent investigations led other vendors to offer decryption keys for Sky services not only in Italy, but also in Germany and the UK. โSo basically all available Sky OTT packages, for no more than $2000,โ the researcher added.
Investigator says he quickly warned Sky
'Mark K' claims to have taken a number of steps to warn Sky of the security breach. In the first instance, he says that he contacted a Sky developer on LinkedIn in January.
After not receiving an immediate response, the researcher began posting issues on the BSkyB GitHub repositories and, through a Twitter account, contacted the Sky developers. (edited for clarity/brevity)
โThe day after this, I finally got an answer. I was followed by an account called 'Sky Anti-Piracy Intel' (a newly created one), which then tweeted to me telling me to DM to talk. Since the account was recent, I was a bit skeptical giving this information randomly. But then they confirmed to be legitimately a division of Sky that deals with anti-piracy intelligence."
The researcher said Sky's immediate request was that he remove information he had posted on GitHub, information he claims he posted in order to attract Sky's attention. He says he complied immediately.
After removing the information in question, an email from Sky thanked 'Mark K' for responding and advised that the information should be forwarded to the appropriate departments. "Please bear with us and we'll get back to you shortly," he received an email from [emailย protected][dot]UK reads.
In a follow-up email dated January 27, the 'Sky Anti-Piracy Intel Team' said: โWe appreciate the removal of posts on the matter and hope you have a good weekend. See you soon."
More contact with the sky
In another email provided by the researcher, this time dated February 23, roughly a month after initial communications with Sky, 'Mark K' appears to have offered further information to the broadcaster.
โAll Sky Go platforms using Widevine are compromised, there are also freely accessible panels on the internet that set up streams. I would like to mention again that I am available for inquiries. I don't [receive any response] from you since my last report. So unless you are interested in being updated on the matter, I will not be sending you any further messages," the email reads. (edited for clarity/brevity)
"Thank you for your intelligence," says Sky's reply. "We are unable to engage you as a consultant at this time, however if circumstances change we will contact you."
'Mark K' says Sky misinterpreted his offer to work for Sky as a consultant; In an email dated March 14, he informed the company that he did not want to be hired or paid. He also informed Sky that when he carried out the checks on March 13, none of the exposed decryption keys had been modified.
Mark K seems to run out of patience
In a follow-up email dated March 27, sent to a new correspondence address following a request from Sky, 'Mark K' provided more information and expressed his frustrations.
โAs I warned you about 2 months ago, the situation is now completely out of control. It sounds like you don't care at all about solving your hacking problems. Both satellite and NOW streaming platform from all countries are broken and so far has not changed decryption keys, makes me wonder in what way is he fighting piracy while announcing,โ she wrote.
"This will be my last email, if in the future I see you wag a finger to fix the current issues, I may (if I have other information) update you."
This week, the data that Sky wanted to keep out of public view appeared very publicly on GitHub, along with clickable links that claimed to allow you to watch NOW TV channels without a subscription, using just Microsoft Edge and a third party website.
Within hours, the information was removed from GitHub. From what we can see, the removal was not done in response to a regular DMCA notice, but that may become more clear in the next few hours.
TorrentFreak contacted Sky's anti-piracy team and received a response from the company's communications team. Sky confirmed that the links and encryption keys had been removed from GitHub, but declined to comment further on the emails, the researcher, or the alleged security holes.
