Index Home About Blog
Newsgroups: comp.risks
X-issue: 2.47
Date: Wed, 30 Apr 86 17:58:40 edt
From: karn@mouton.bellcore.com (Phil R. Karn)
To: risks@sri-csl.arpa
Subject: HBO hacking

Satellite transponders used by the cable TV industry to relay programs are
"bent pipes", that is, they simply repeat whatever they hear.  The M/A-Com
scrambler equipment is all on the ground. However, the descramblers will
switch to "pass through" mode if a nonscrambled signal is received.
Therefore, when Captain Midnite sent his unencoded signal, the descramblers
simply passed the signal straight through to the various cable systems.

The transmitter power available on a satellite is very limited (5-10 watts).
Even with a very large receiver dish, the raw carrier-to-noise ratio is far
too low for acceptable picture quality if a linear modulation scheme (such
as VSB AM, used for ordinary TV broadcasting) were used.  Therefore,
satellite TV transmissions are instead sent as wideband FM in a 40 MHz
bandwidth.  Since the baseband video signal is only 5 MHz wide, this results
in a fairly large "FM improvement ratio" and a pronounced "capture" effect.
Full receiver capture occurs at about a 10 dB S/N ratio, and this figure is
essentially the same whether the "noise" is in fact thermal noise or another
uplink signal.  So for the purposes of fully overriding another uplink your
signal must be about 10 dB stronger (10 times the power).

The latest transponders are much more sensitive than those on the earliest
C-band domestic satellites launched 12 years ago.  Most of the 6 Ghz High
Power Amplifiers (HPAs) in use at uplink stations are therefore capable of
several kilowatts of RF output, but are actually operated at only several
hundred watts.  So Captain Midnite could have easily captured the HBO uplink
if he had access to a "standard" uplink station (capable of several
kilowatts into a 10 meter dish) or equivalent.  

I happened to turn on HBO in my Dayton, Ohio hotel room at about 1AM, half
an hour after the incident occurred, and noticed lots of "sparklies" (FM
noise) in the picture. At the time I grumbled something about having to pay
$90/night for a hotel that couldn't even keep their dish pointed at the
satellite, but I now suspect that the pirate was still on the air but that
HBO had responded by cranking up the wick on their own transmitter.  Because
they were unable to run 10 dB above the pirate's power level, they were
unable to fully recapture the transponder, hence the sparklies.  (Can anyone
else confirm seeing this, proving that my hotel wasn't in fact at fault?)

Even though each transponder has a bandwidth of 40 MHz, it is separated by
only 20 MHz from its neighbors. Alternating RF polarization is used to
reduce "crosstalk" below the FM capture level. Polarization "diversity"
isn't perfect, though, so it is possible in such a "power war" that the
adjacent transponders could be interfered with, requiring *their* uplinks
to compensate, which would in turn require *their* neighbors to do the same,
and so on.  So Captain Midnite could cause quite a bit of trouble for
all the users of the satellite, not just HBO.

Captain Midnite could have been anywhere within the Continental US, Southern
Canada, Northern Mexico, the Gulf of Mexico, etc.  In the worst case, it
could be practically impossible to locate him.  If he is caught, it will be
either because he shoots off his mouth, arouses suspicion among his
neighbors (or fellow workers, if a commercial uplink station), or transmits
something (distinctive character generator fonts, etc) that gives him away.
Only the NSA spooksats would be capable of locating him from his
transmissions alone, and I suspect even they would require much on-air time
to pinpoint the location accurately enough to begin an aerial search.

Phil Karn


Index Home About Blog