Sky ‘Free NOW TV’ Security Hole Exposed For Months, Researcher Claims

A researcher who alerted Sky to a security hole that allowed anyone to watch NOW TV subscription channels for free claims the problem went unfixed for months. Emails seen by TorrentFreak show that Sky was made aware of the piracy loophole in January 2023 but encryption keys were still working until at least early June. What Sky could've actually done is unclear.

Rightsholders consider piracy of live TV channels as one of the most serious threats to their business.

Subscription channels often end up in IPTV subscription packages, sold to the public at a fraction of the cost after being obtained by pirates using both legal and illegal means. In some cases streams are obtained directly from broadcasters’ official source servers, something that is surprisingly common and, with the right tools, not especially difficult either.

Early this week, TorrentFreak was contacted by an anonymous source who explained how, in their words, “one of the biggest broadcasters in Europe (and in the world) completely ignores how people can watch all of its live channels (in the UK, Germany and Italy) without even having an account.”

Telegram Groups Selling NOW TV Decryption Keys

NOW TV is a subscription OTT TV service operated by Sky Group. Launched in the UK back in 2012, NOW TV is also available elsewhere in Europe, including Italy and Germany. In January 2023, a researcher by the name ‘Mark K’ says he came across Telegram groups offering to sell decryption keys granting free access to the NOW TV service.

This piqued the researcher’s interest since Microsoft’s PlayReady DRM protects NOW TV streams in Italy and Germany.

“[T]here was absolutely no interest for me in buying the mentioned decryption keys just to test them, plus I didn’t know if there was a sort of scam going on. But since I am a security enthusiast, I really wanted to know what happened behind a possible PlayReady leakage, so I decided to have a chat with the owner of the channel with the interest of getting technical details,” the researcher explained.

“I tried to question how the keys were getting grabbed – if PlayReady was proven to be broken. He didn’t want to tell me any detail regarding this matter, he just wanted to hard-sell the decryption keys making me a few offers; that until as a last chance, he provided me a URL, a key identifier, and a decryption key for an Italian channel: Sky Sport 24.”

The researcher said he tested the key, and it worked. Further research led to other sellers offering decryption keys for Sky services not only in Italy, but also Germany and the UK. “So basically all the Sky OTT packages available, for not more than $2000,” the researcher added.

Researcher Says He Quickly Warned Sky

‘Mark K’ claims to have taken a number of steps to warn Sky of the security breach. In the first instance, he says he reached out to a Sky developer on LinkedIn back in January.

After receiving no immediate response, the researcher began posting issues on BSkyB GitHub repos and, via a Twitter account, contacted Sky developers. (edited for clarity/brevity)

“The day after this, I finally got a response. I got followed by an account named ‘Sky Anti-Piracy Intel’ (a freshly made one), which then afterward tweeted me saying to get onto DM to have a talk. Since the account was fresh, I was kind of skeptical in giving this information to a random. But then they confirmed to legitly be a division of Sky taking care of intelligence information regarding anti-piracy.”

The researcher said that Sky’s immediate request was for him to remove the information he’d posted to GitHub, information he claims to have posted for the purposes of attracting Sky’s attention. He says he immediately complied.

After removing the information in question, an email from Sky thanked ‘Mark K’ for responding and advised that the information needed to be referred to the relevant departments. “Please be patient with us and we will get back to you shortly,” an email received from ContentProtection@sky[dot]uk reads.

In a follow-up email dated January 27, the ‘Sky Anti-Piracy Intel Team’ said, “We appreciate the removal of the posts regarding the matter and hope you have a good weekend. We will be in touch soon.”

More Contact With Sky

In another email supplied by the researcher, this time dated February 23, roughly a month after the initial communications with Sky, ‘Mark K’ appears to have offered more information to the broadcaster.

“All Sky Go platforms using Widevine are compromised, there are panels as well accessible for free around the internet setting up the streams. I’d like to mention again that I am available for consulting. I didn’t [receive any response] from you since my last report. So unless you guys are interested in getting updated on the matter, I won’t message you anymore,” the email reads. (edited for clarity/brevity)

“Thank you for your intelligence,” Sky’s response reads. “We’re unable to take you on as a consultant at this time however if the circumstances change, we will reach out to you.”

‘Mark K’ says that Sky misunderstood his offer to work for Sky as a consultant; in an email dated March 14, he informed the company that he didn’t want to be hired or get paid. He also informed Sky that when he carried out checks on March 13, none of the exposed decryption keys had been changed.

Mark K Appears to Run Out of Patience

In a follow-up email dated March 27, sent to a new correspondence address following a request from Sky, ‘Mark K’ provided more information and aired his frustrations.

“As I’ve warned you around 2 months ago, situation now is completely out of control. Looks like you’re not caring at all in solving your piracy issues. Both satellite and NOW streaming platform of every country are broken and so far you haven’t changed the decryption keys, makes me wonder in what way you’re fighting piracy as you advertise,” he wrote.

“This will be my last email, if in future I ever see you moving a finger to fix current issues then perhaps (if I have other information) I will update you.”

This week the data Sky wanted to keep out of the public eye appeared very publicly on GitHub, along with clickable links that claimed to allow NOW TV channels to be viewed without a subscription, using only Microsoft Edge and a third-party website.

Within hours the information was removed from GitHub. As far as we can see, the removal wasn’t actioned in response to a regular DMCA notice, but that may become more clear in the hours to come.

TorrentFreak contacted Sky’s anti-piracy team and received a response from the company’s communications team. Sky confirmed the links and encryption keys had been removed from GitHub but declined to comment any further on the emails, the researcher, or the alleged security holes.
