XM - The Flawed Future of Radio

by Acidus

When people talk about XM radio, they tend to talk about things like its compression and encryption algorithms, its quality, its content, and how to get it all for free.  But everyone is missing the big picture: XM isn't important because of its technology or the exploitation thereof.  XM is important because it is the dominant player in a brand new industry.  Only two companies have licenses for satellite radio, and both use approximately the same infrastructure.  This means the dominant company's architecture will be the platform for future services transmitted to cars.  While taking advantage of existing flaws to save $10 a month is trivial now, the insecurities inherent in the platform could cause some serious problems down the road.  Streaming pay-per-view movies to video systems, local traffic reports with GPS, email and limited web browsing, and Voice over IP (VoIP) are all coming to cars in the next decade.  The flaws in XM's infrastructure need to be addressed and fixed now, before security is sacrificed later on for profits and backwards compatibility.

XM Overview

There are a lot of myths about XM, so let's clear them up.  XM radios are exactly like normal radios in that they receive electromagnetic waves and translate them into information.  XM receives its signal from two satellites and, in heavily populated areas, ground-based repeaters.  Normal radio simply has ground-based broadcasters.  The info in a normal radio signal is analog and encoded using AM or FM.  The info in XM is in digital form, compressed to allow better quality in less space, and the signal is encrypted using a proprietary scheme.  Just like normal radios, XM has an antenna, which receives the signal.  You must have an antenna capable of receiving the signal to even get it.  You tune to different frequencies to hear different stations on normal radio; all of the XM channels are on one range of frequencies.  Think of XM as simply one radio station, with lots of programs.  Your XM radio then takes the entire stream of channels, extracts the one channel you want to listen to, and decodes/decompresses it.

Signal Transmission

XM is broadcast from two Boeing satellites, aptly named "Rock" and "Roll."  From 22,000 miles up they pump out 70 megawatts of signal, painting nearly all of North America.  While it is only offered in the U.S. (due to licensing), the signal can be received in most of Canada, Mexico, the Caribbean, and even parts of Alaska.  There is no way for the radios to transmit any data to either the satellites or the ground repeaters.  This one-way approach creates several fundamental problems for the system.

1.)  All XM signals are received by all XM radios.  There are currently no means of "spot beaming" signals to only local areas (as DirecTV does to offer local channels).  This means there can be no generic activation signal, etc.  It must be personalized to your radio ID (on the bottom of the radio).  This eats up more bandwidth.

2.)  Since all radios receive the same signal, all radios use the same decryption keys.  From the other end, you could say that based on the limited bandwidth XM has (which we will discuss later), they can't transmit the same channel at the same time with two different encryption keys.  Thus there is only one encrypted signal sent, and all radios must decode it.

3.)  Since none of the radios can transmit, control over them can only be one way.  XM has no way of knowing if the activation signal, deactivation signal, or decryption keys have been received by your unit.  The only way XM will know of any problems is if you call them.

The Signal

This is the bottleneck for XM.  The FCC licensed only 12.5 MHz to XM, from 2332.5 MHz to 2345.0 MHz.  They have 100 channels (well, 101, which I'll get to later), which means that they only have 125 kHz of bandwidth for each channel.  In contrast, FM radio stations have 200 kHz.  XM advertises that they have "near CD quality sound."  While I don't want to get into how that's an impossible statement, it does mean that they need to take an audio signal of significantly higher quality than an FM radio signal and make it fit into 125 kHz.  In fact, when you factor in the artist/song name/album info displayed for every channel, and the control signals being sent from the satellite, each channel has even less bandwidth.

The signal contains two types of information, which I call "broadcast info" and "personalized info."  Broadcast info is a signal that all radios are supposed to get and act on (such as the channels).  Personalized info is information that is intended for only one radio, and thus all personalized info is tagged with your Radio ID.  Examples are activation signals and deactivation signals.  Don't get confused by this.  All radios receive the entire signal; each radio uses the broadcast info, and uses any personalized info only if it's tagged with that radio's ID.  If not, the data is ignored, just like IP packets on a network.  If/when the type of content is expanded, this could be a way to packet sniff XM, though it would require lots of knowledge of the hardware.  If someone attempts to implement a software decoder, this could be easy.

The signal is incredibly redundant.  Error checking between the two signals from the two satellites is done to try to determine what is noise (ground-based repeater signals are also analyzed if present).  The signal itself uses dual Reed-Solomon codes and Viterbi codes.  These are powerful error-correcting systems commonly used in satellite transmissions.  They both only work on blocks of data, which seems to imply that the encryption algorithm is block-based instead of stream-based.

According to an XM engineer, due to the overhead caused by encryption, the signal is sometimes compressed after it is encrypted.  ST Microelectronics makes the chipsets for XM radios.  The STA400 Channel Decoder handles all the nastiness of converting the satellite signal into digital form, checking it for errors, and decrypting it.  The STA450 Source Decoder decompresses the audio and handles volume and tone control.  The fact that the decryption circuits are in the chip that receives the signal first seems to imply that the signal is almost always encrypted after it has been compressed.

Compression

The number of theories about the compression schemes that XM uses is around the number of Grassy Knoll theories.  MP2, MP3, AMBE, AAC, the list goes on and on.  A few things are known.  XM Radio had a contract with Digital Voice Systems, Inc. to use their Advanced Multi-Band Excitation (AMBE) speech compression algorithm.  The XM Radio Customer Agreement states that the AMBE technology in their product is copyrighted and licensed for their use.  That makes it safe to say that AMBE is used, at least in part, to compress the speech-only channels.  Since the STA450 has a built-in EPAC decoder, it is safe to assume that at least the bulk of the music is encoded with this algorithm.  This agrees with a claim made by an XM engineer that their compression technology is similar to MPEG-4.

Encryption

The only really complex part of XM is the encryption.  Nothing is known about the encryption algorithm.  It is supposedly proprietary, but even its key length isn't published.  It is implemented in hardware and works on blocks instead of streams.  The keys are dynamic, and new keys are sent to the radio through control signals from the satellites.  Your radio must be on to receive any signal, including the new keys (based on the fact that you must have your radio on and be able to hear the preview channel to activate your radio).  Assuming flaw #2 is correct, XM needs to be damn sure everyone has the new keys before they switch the signal.  They could be broadcasting the new keys for a long time before they implement them (perhaps even a month or two early).  These could be sent as broadcast information, and all radios would store them.  If you didn't have your radio on for several months, and reported the loss of signal to XM customer service, they could simply upload a request to the satellite to transmit personalized data to you containing the new key.  Perhaps new keys are only broadcast once or twice a year, and an aging algorithm in the radio changes the key at set intervals until the new codes are transmitted.  Further testing with an XM radio would help answer these questions.

However the keys are transmitted, they are stored on what an XM engineer called a "SS Decoder" (Source Secure?  Sound Secure?  Something like that).  He stated this was tamper-resistant RAM in the radio.  It was not removable like a Flash card, which he said "Is where DirecTV screwed up."  Supposedly, the SS Decoder will erase/destroy itself if someone attempts to remove it.

Activation

Let's step through the activation of an XM radio.

1.)  You buy the radio, and turn it on.  The radio checks itself and sees that it has not received an activation signal from the satellite, and thus only lets you listen to the preview channel (Channel 1).

2.)  You call XM Customer Service (800-852-9696), or use their website and submit the Radio ID on the bottom of your XM radio.  The XM system tells the two satellites (and perhaps even all the ground-based transmitters since they don't know what city you are in) to transmit an activation signal for your radio.

3.)  Since the signal is going to be received by every XM radio in the U.S., it is personalized with your Radio ID.  This activation signal is broadcast every 10 minutes for the next 60 hours.

4.)  You turn on your radio and await the signal.  Once it gets the signal, your radio can now receive all of XM's channels.

Examining the amount of bandwidth they have, and the amount of content they deliver, we can conclude that XM has very little left over to send commands to the radio (such as new decryption keys, control signals, etc.).  Indeed, the fact that they transmit the activation signal only once every 10 minutes for 60 hours supports this.  If you never get this signal, you call XM and they will broadcast it again.  So what happens when you cancel your service?

Exploitation

Well, basically the same thing.  XM broadcasts a cancellation signal, which tells your radio to stop receiving the full XM content.  Again, this signal must be personalized to your Radio ID.  But what if your radio never gets the cancellation signal?  Bingo.  While I have no XM radio to test this with, the sheer overhead of having to transmit personalized cancellation signals on a regular basis for every radio that has canceled service is simply too great a task for the limited bandwidth they have.  Granted, they probably transmit a cancellation signal less often over a longer number of hours (such as once an hour for 360 hours), but it's simply too much overhead to keep up for long.  XM's security could be defeated by something as simple as turning the radio off for a month.
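The activation and cancellation flow described above, as an added Python model (not XM's code, message format, or chipset behavior): every radio hears every message and acts only on broadcast info or on personalized info carrying its own Radio ID, and a powered-off radio simply misses whatever was sent.  The model runs the flow twice, once as the article describes it (a missed deactivation leaves full access) and once with a constructed fail-closed variant in which the entitlement carries an expiry and lapses unless a renewal is heard.  The Radio IDs, hour counts, and the `valid_hours` field are constructed for the example.

```python
"""Constructed model of a one-way control channel like the one the article
describes; not XM's real protocol.  Times are in hours since activation."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class ControlMsg:
    kind: str                   # "activate" or "deactivate"
    radio_id: Optional[str]     # None = broadcast info, else personalized
    valid_hours: int = 0        # used only by the fail-closed design

@dataclass
class Radio:
    radio_id: str
    fail_closed: bool = False   # False = article's design, True = hardened
    powered: bool = True
    full_access: bool = False
    expires_at: Optional[int] = None

    def receive(self, msg: ControlMsg, now: int) -> None:
        if not self.powered:
            return                  # one-way link: nothing is queued or retried
        if msg.radio_id not in (None, self.radio_id):
            return                  # tagged for another radio: ignored
        if msg.kind == "activate":  # a repeat "activate" doubles as a renewal
            self.full_access = True
            if self.fail_closed:
                self.expires_at = now + msg.valid_hours
        elif msg.kind == "deactivate":
            self.full_access = False
            self.expires_at = None

    def can_hear_full_lineup(self, now: int) -> bool:
        if self.fail_closed and self.expires_at is not None and now >= self.expires_at:
            self.full_access = False    # entitlement aged out with no renewal heard
        return self.full_access

def cancel_while_powered_off(fail_closed: bool) -> bool:
    """Return whether the radio still has full access a month after the
    deactivation signals were sent while it was switched off."""
    radio = Radio("XM-TEST-0001", fail_closed=fail_closed)
    radio.receive(ControlMsg("activate", "XM-TEST-0001", valid_hours=24 * 14), now=0)
    radio.receive(ControlMsg("deactivate", "XM-OTHER-0002"), now=1)  # someone else's
    radio.powered = False               # owner turns the radio off
    for hour in range(2, 2 + 360):      # deactivate sent hourly for 360 hours
        radio.receive(ControlMsg("deactivate", "XM-TEST-0001"), now=hour)
    radio.powered = True                # back on, a month later
    return radio.can_hear_full_lineup(now=24 * 30)
```

In the fail-closed variant the radio must hear a renewal at least every `valid_hours`, so the cost of a missed control message falls on the subscriber (a support call) rather than on the operator.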

Further Strain

XM is now offering premium channels, currently only the Playboy Channel.  It doesn't replace an existing channel.  So now the limited bandwidth must be divided up even finer to allow for another station.  This doesn't even include the added overhead of all the personalized signals telling radios all over the country to allow access to the premium channel.  This will sadly lower quality on all the channels for all the users, even those who aren't paying for the additional channel.  They can only push so much through the pipe they have.  Now, XM doesn't have to allocate the same space to talk stations as to music stations, and indeed an on-line debate rages over how XM assigns bandwidth to channels: dynamically or statically.  Regardless of how it does so, adding the Playboy Channel will cause much more overhead on this already strained system.  This may force XM to reduce the length of time it will transmit control data.  For customer service reasons, they won't cut the time activation signals are broadcast, so deactivation signals would be the first to go, making the system easier to exploit.

XM's Future

XM's stock is at one-sixth of its IPO price.  While it is meeting its subscriber goals (currently around 300,000 subscribers), it is still losing money.  They have a big contract with GM, and several 2003 models come with XM standard or as an option.  The Big Bad Wolf of the radio biz, Clear Channel, has a good deal invested in XM.  Even if XM tanks, the expensive part, the infrastructure of the system, is already in place.  The system would be purchased for pennies on the dollar and the services restarted.  Satellite-delivered content for cars isn't going away.

If you want to use my article to cheat XM out of $10 a month, you missed the point.  If you want to use the info to try and open-source a decoder, that would be a pretty cool graduate thesis (an XM antenna would be necessary, along with some interface equipment from the GNU Radio Project, and some spare time).  XM needs to make sure the next generation of its services has some form of two-way communication.  I envision using G3 cell phones for upstream and the satellite for downstream, just like satellite modems.  XM's delivery system needs to change as more services are delivered to cars, and chances are it will carry much more important information than Rick Dees and the Weekly Top 40.

Final Words

Thanks to all the folks who I got to hang out with and who listened to me talk at Interz0ne and Phreaknic, especially rockit, JohnnyX, Virgil, Strick, psyioded, James Dean, JaneLane, Optyx, specwhore, SD and Freqout.
