Post on 25-May-2020

19 views

Category:

Documents


0 download

TRANSCRIPT

REDEFINING CONTENT SECURITY WHITEPAPER SERIES

BEYOND PIRACY: WHY CONTENT PROTECTION IS NOT ENOUGH

A look at hacking attacks on hybrid STBs, and how operators can prevent these

conax.com

CONTENTS

Content is protected, but what about the rest?
Hybrid STBs - the weakest security link
Hacking - so easy that anyone can do it
Don't be the next target!
  Closing the security gaps with separation
  Hardened separation of hybrid STBs
  Preventive measures – a checklist
  Consult security experts
About Conax

EXECUTIVE SUMMARY

Most pay-TV operators take measures to protect their content from various forms of piracy, such as stealing and redistributing content. They know very well that pirates now increasingly look for and exploit vulnerabilities outside the traditional conditional access security domain. But they do not always realize that pirates often have other goals for hacking than getting hold of content, and that these other attacks can be just as devastating to pay-TV operations as content piracy, if not more so.

This paper explores the damage that can be done to pay-TV operations by hacking hybrid STBs, and what operators can do to prevent such attacks.


CONTENT IS PROTECTED, BUT WHAT ABOUT THE REST?

Content piracy is and always will be a concern in the pay-TV world. But with so much focus on content piracy, it is easy to overlook the other ways hacking can harm pay-TV operations. After all, if there is no intention to steal and illegally redistribute content, why do operators need to be concerned about the other forms of hacking attacks?

The following sections describe these other forms of hacking attacks and their potential consequences.

The main overall challenge is that the threats posed by these other forms of hacking attacks are generally less intuitive. That is, it is difficult for operators to see the big picture of how an attack can affect their operations. Furthermore, while some high-profile incidents of connected device hacking, including hybrid STBs, have taken place, attacks on operators are generally unknown or underreported and thus not a widespread enough issue in the pay-TV world to cause concern among operators.

DDoS attacks

DDoS (Distributed Denial of Service) attacks are attacks where multiple compromised connected devices, including hybrid STBs, are used to target a single, specific system by flooding it with an overwhelming amount of incoming traffic, rendering that system inaccessible for a period of time.

According to a report by Arbor Networks, all types of organizations face disruptive DDoS attacks on their businesses. In a survey of 287 organizations covering the period from November 2013 to November 2014, nearly half of these organizations were hit with DDoS attacks during the survey period, with more than one third having firewall or IPS devices experience a failure or contribute to an outage. In addition, the number of attacks has risen: around 25% of organizations surveyed experienced more than 21 attacks per month in 2013, rising to 38% in 2014.[1]

Corero Network Security has found that hackers have also found ways to make DDoS attacks more effective, with more frequent attacks using less bandwidth and a reduced attack timespan, making the attacks more difficult to detect.[2]

One very well-known DDoS attack in recent times is the Christmas Day 2014 attack on Microsoft's Xbox Live and Sony's PSN servers.[3] These gaming services were left with intermittent outages and limited service for several days, angering subscribers.

It may be easy to think that attacks on gaming servers have little to do with hybrid pay-TV operations. However, hackers can exploit potential vulnerabilities in hybrid STBs to install malware that turns the STBs into botnets[4] for launching these DDoS attacks. This means that attacks can be launched from an operator's subscribers' infected hybrid STBs and target, for example, business competitors. This can ultimately result in very serious damage to the operator's brand and reputation. In the Arbor Networks survey, 37% of the respondents cited reputation damage as the top business impact.[5] It can also lead to serious commercial, financial, and operational consequences.

[1], [5] Prince, Brian, "DDoS Attacks Boom as Hackers Increase Size, Frequency", January 27, 2015. http://www.securityweek.com/ddos-attacks-boom-hackers-increase-size-frequency
[2] Ballard, Barclay, "DDoS attacks increase in frequency, use less bandwidth", 2015. http://betanews.com/2015/10/06/ddos-attacks-increase-in-frequency-use-less-bandwidth/
[3] "Xbox and PlayStation resuming service after attack", BBC News, December 27, 2014. http://www.bbc.com/news/uk-30602609
[4] For more details about botnets, see http://en.wikipedia.org/wiki/Botnet

For more information about the extent of DDoS attacks, Norse Corp. provides an overview of DDoS attacks around the world, including who the attackers are and what they are after.[6]

Blackmail attacks and ransom attacks

Let's say an operator is preparing to broadcast the final match of a highly popular sports tournament. The day before the big match, all of the STBs in the operation suddenly stop working for five minutes. As subscribers call to complain, the operator receives a chilling message: pay us a million dollars to restore your service or else we will black out tomorrow's match. The operator is now the victim of a blackmail attack.

Related to blackmail attacks are ransom attacks. Ransom attacks on pay-TV operations can occur when hackers exploit unsecured or poorly secured hybrid STBs to install software known as ransomware. The software runs a program that, for example, encrypts all the PVR files in a hybrid STB population and deletes the local keys. The hacker can then offer the PVR key to the operator for money, often in the form of Bitcoins. CryptoLocker[7] is probably the most well-known ransomware.

Figure 1. The message displayed when a user is infected with CryptoLocker ransomware

The situation boils down to a question of whether the operator is willing to risk dealing with angry subscribers who will want their money back or who will unsubscribe, or to pay the hacker and, for example, risk more attacks because the hacker knows that the operator will pay. Either way, it could be a significant financial loss for any operator.

Ransoming has already affected some TV stations. In Australia, the ABC was the victim of a ransomware attack that forced ABC News 24 off air for 30 minutes.[8]

Data hijacking

Hackers can take control of unsecured or poorly secured hybrid STBs to steal private information that is handled by the device, such as credit card numbers, usernames and passwords, or user ID data for the services subscribed to and viewed via the STBs. In addition, hackers can gain access to data from third party services that subscribers use to complement operators' own services, such as social media credentials.

While an obvious concern is that hijacked user credentials could be used for illegal consumption of your broadcast and broadband services, operators could also face reputation damage if it became public knowledge that hackers had gained access to subscribers' personal data such as credit card numbers via their hybrid STBs.

An example of hijacking user credentials is the targeting of the highly popular streaming service Netflix. Hackers are using malware disguised as Netflix software to steal Netflix users' passwords and bank details.[9] This information is sold over the Internet. The level of sophistication of these attacks suggests a fully-fledged business model rather than the act of amateurs.[10]


[6] http://www.norse-corp.com/
[7] For more details about CryptoLocker, see https://en.wikipedia.org/wiki/CryptoLocker
[8] Ragan, Steve, "Ransomware attack knocks TV station off air", October 7, 2014. http://www.csoonline.com/article/2692614/malware-cybercrime/ransomware-attack-knocks-tv-station-off-air.html
[9] Payet, Lionel, "Netflix malware and phishing campaigns help build emerging black market", February 11, 2016. http://www.symantec.com/connect/blogs/netflix-malware-and-phishing-campaigns-help-build-emerging-black-market
[10] Palmer, Danny, "Hackers are using malware and phishing scams to steal Netflix users' passwords, bank details", February 15, 2016. http://www.zdnet.com/article/hackers-are-using-malware-and-phishing-scams-to-steal-netflix-users-passwords-bank-details/

STB modification

Unsecured or poorly secured hybrid STBs could be modified to include functions, features, and apps that the operator never intended. Hackers could facilitate, for example, installing apps that stream content from illegal streaming sites such as Popcorn Time via your hybrid STBs. When such apps are included among the legitimate apps that you provide, unwitting subscribers will believe that they are legal, and use them to watch pirated video content.

In addition to the problems surrounding consumption of pirated content, STB modification has several other implications for operators. Among others, network resources will be used to view content that the operator is not making money from, and streaming capacity and CDN costs will be affected. Also, if users are able to install unapproved apps in their hybrid STB, the risk of hacking in general will increase because these apps may contain malware.

There are a few known device modification attacks, including a hack on an Android STB used in a pay-TV operation in Malaysia where instructions had been published in a blog and on Facebook. This hack allowed even people with little technical skill to install apps from the Play Store and change the operator's settings in the box; they just had to follow a set of very simple instructions.

STB manipulation

Hackers can take control of unsecured or poorly secured hybrid STBs to manipulate them into carrying out unauthorized actions.

One of the better known device manipulation attacks is the rickrolling hack of Google Chromecast.[11] The rickrolling hack involves sending a command that temporarily kicks the Chromecast off its Wi-Fi network. Once disconnected, the Chromecast reverts to setup mode and turns into a Wi-Fi hotspot; this allows the rickmote controller to connect to the Chromecast and, for example, lets the hacker force YouTube to play Rick Astley's "Never Gonna Give You Up" in an endless loop. It is generally considered to be an annoying but "harmless" prank; nothing is being stolen. But is it really so harmless? If hackers can take advantage of a simple software bug in a connected device to turn that device into a Wi-Fi hotspot that allows anyone to hijack the device, it is, or at least should be, natural to wonder what else they can do with any connected device, such as hybrid STBs.


[11] http://www.raspberrypi.org/rickmote-rickrolling-chromecast-users/

HYBRID STBs - THE WEAKEST SECURITY LINK

In general, the broadcast environment of most hybrid STBs is designed to take piracy prevention and security, such as preventing control word sharing, into consideration. However, it is difficult to assess whether the same security considerations are made for the IP/OTT environment of the box, where content is delivered via the Internet.

The following explains the vulnerabilities stemming from the IP/OTT environment of hybrid STBs.

Hybrid STBs are like unsecured PCs

Advanced, networked hybrid STBs are close to or the equivalent of fully-fledged media centers, and in some cases their hardware can do the same tasks as low-end PCs; this is because of all the functions that hybrid STBs need to perform. Hybrid STBs include a powerful CPU, RAM, and flash memory, and hybrid STBs with PVR functionality even include sizable hard disks, where 500+ GB is not uncommon. This makes a hybrid STB population highly attractive purely due to storage capacity and computing power, in addition to the network resources present.


Attacks on hybrid STBs are based on the principles of network attacks. Some browsers used in hybrid STBs can be vulnerable to attacks because information about their weaknesses and exploits is published on various online forums. In a basic implementation, the browser process often runs as root, the top privilege level in Linux. Root gives full access to and full control of the system; the user can do anything he or she wants with it. Hackers who successfully attack the browser will therefore also gain control of the root user and hence the entire system. In such cases, it is relatively easy to identify the browser used in an STB, remotely attack it using publicly known exploits, and take over the STB.

Despite this, hybrid STBs are not treated with the same care as PCs when it comes to security. In the PC world, users are generally aware of hacking, and install security updates, malware protection, and firewalls to secure their machines. However, it is not natural for users of hybrid STBs to think about security. Despite using hybrid STBs to download apps and stream content, users normally do not receive security updates for the STB, nor do they install and keep updated malware protection, firewalls, or sandbox or walled garden technologies to keep out malicious code. This leaves hybrid STBs open to hacking attacks if the operator does not use proper security measures.

Hybrid STBs are homogeneous and always on

A hybrid STB population is homogeneous. This means that if a vulnerability is found in one STB, the same vulnerability exists in the rest of the STB population in an operation. In other words, if hackers can gain control of one STB, they can gain control of the whole STB population, and a significant amount of damage can be done to a large number of STBs and consequently to the operation itself. Among other things, controlling a whole homogeneous STB population can lead to more aggressive DDoS attacks, as all the STBs can be made to do the same thing.

In addition, hybrid STBs are almost always on and connected at all times. This means that they are exposed to potential attacks from the Internet 24 hours a day, seven days a week.

Security in connected devices is not a priority

Despite the vulnerabilities that result from poor security mechanisms and the resulting potential for damage caused by hacking attacks, many connected device manufacturers, including hybrid STB manufacturers, do not prioritize strong security in their devices. Even the major manufacturers are not interested in strong security in their devices. Their primary interest is in supplying STBs that give consumers what they want, for example to easily connect to the Internet to stream OTT video content.

Many device manufacturers do know about the various vulnerabilities in their devices. However, they are reluctant to fix these, as the fixes would make the devices less user-friendly, defeating the easy-access-to-streaming-content concept.[12] This sentiment is almost universally accepted, and devices end up being left unsecured. And if one of the bigger players such as Chromecast can be hacked with a rickrolling attack, operators have to think about what level of security, or lack thereof, is found in much cheaper devices, such as low-cost hybrid STBs produced by smaller vendors.

So even if hybrid STB manufacturers provide software updates, it is highly likely they will still stop doing so after a certain amount of time, often to force consumers to buy newer STBs. However, many consumers will still use their old devices because they are still in good condition and usable, or because they cannot justify a new, expensive purchase. Operators may not always make use of the newest hybrid STBs due to cost and practicality issues. But in the end, use of outdated software versions increases vulnerability to hacking attacks.

[12] Greenberg, Andy, "Rickroll innocent televisions with this Google Chromecast attack", July 16, 2014. http://www.wired.com/2014/07/rickroll-innocent-televisions-with-this-google-chromecast-hack/

Hybrid STBs and the Android CDD

Android OS and Android TV have their own significant security issues, and Android-based hybrid STBs can be affected by these.

In order to put the Android logo on hybrid STBs running Android, the STB design must fulfill the requirements put forth in the Android CDD (Compatibility Definition Document). A great concern is that the Android CDD can come into conflict with the security requirements for access to and consumption of content using hybrid STBs as set forth by content owners. As opposed to a standard operations scenario where everything that is not necessary for the function of the STB is locked down, these features and functionalities are required to remain open, increasing the attack surface. Not handling these conflicting requirements can lead to security breaches that pose serious threats to operations.

For further discussion about security for Android in pay-TV operations, see the Conax white paper Securing Android in pay-TV operations.[12]


HACKING - SO EASY THAT ANYONE CAN DO IT

Pirating content has traditionally been expensive and demanding due to the competence and the equipment required to break the strong content protection mechanisms used in broadcast operations. It is so expensive and resource draining that the gains must greatly exceed the effort if the attack is to be carried out at all.

Hacking connected devices such as hybrid STBs, on the other hand, is easy and inexpensive, if not free, to carry out. Hackers do not need, and often do not have, great knowledge about hybrid STBs. So unlike with pirating content, most of the other forms of hacking attacks can be done by unskilled people. Hacking kits and malware created by advanced hackers are sold to "just anyone" who can follow a set of instructions. Other types of easy-to-follow "how to" tutorials about vulnerabilities and exploits of hybrid STBs, typically information on how to hack the browser or operating system, exist and are freely available on hacker forums.

In addition, the equipment needed to carry out many of these hacking attacks is inexpensive. For example, the rickmote device for launching the rickroll device manipulation referred to earlier in this paper costs around $100, if not less, and carrying out the attack takes only a few minutes. Blackout and blackmail attacks and ransom attacks can be done without any investment in equipment or infrastructure; all the hacker needs to do is gain CPU/runtime control of the hybrid STB.

Because hacking attacks relating to network and hybrid STB vulnerabilities are relatively easy and affordable, and don't require much hacker competence, the number and frequency of these types of hacking attempts will be high. There is nothing to lose if the hacking attempt is not successful. Hybrid pay-TV operations will be more vulnerable to these types of hacking attacks than to traditional content piracy.

[12] Conax white paper "Securing Android in pay-TV operations"

DON'T BE THE NEXT TARGET!

Security is a moving target, and the search for vulnerabilities will always be a continuous effort. Operators cannot rely on hybrid STB manufacturers to take care of security issues for them. It is therefore necessary for operators to always be on top of the challenge and stay ahead of the hackers. There are several ways to take charge and deal with the threats. While no hybrid STB can be 100% secure, it is possible to greatly increase the level of security if there is a focus on and prioritization of security.

CLOSING THE SECURITY GAPS WITH SEPARATION

The downloading of malicious apps from the Internet is not an uncommon problem in general, and the damage to pay-TV operations can be severe if such malware were to affect the broadcast part of the operation. Keeping the broadcast environment and the OTT environment separate is a standard method of securing the sensitive parts of the operation.

Separation technologies can help secure hybrid STBs by preventing malicious apps and malicious software from attacking the security core of the STB. Common separation technologies include sandboxes and Linux containers, proprietary separation solutions such as ARM TrustZone, firewalled network communications between containers, and separate and dedicated security processors.

Sandboxes and Linux containers allow different processes to run simultaneously in such a way that these processes cannot affect one another; this ensures that software applications and processes are contained within specific areas in the STB. This protects the STB from unknown or malicious apps and malware, and can be used as a "safe zone" in which to do security evaluations of apps and other software, including updates. Network communication between these containers is regulated by container-specific firewall rules.

ARM TrustZone and similar proprietary solutions can ensure some degree of separation between the broadcast and OTT environments in a hybrid STB. The disadvantage of these solutions is that they are software-based security solutions that can be breached. Software-based security solutions should not be considered in serious pay-TV operations, because they do not provide the same high level of security as a hardware-based solution.
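The two conditions discussed above, a browser process running as root in the unsecured-PC section and the sandboxing that the separation section is meant to enforce, can be checked on a Linux-based STB from the fields the kernel exposes in /proc/<pid>/status. The Python below is an added example written for this edit, not code from the paper or from Conax. The two status samples are constructed to show an unconfined root browser and the same browser confined in a sandbox; the field meanings follow the Linux proc(5) documentation, and the uid, capability and seccomp values are the ones a reviewer would look at when deciding whether a compromised browser would hand an attacker the whole box.

```python
"""Audit of a Linux process's confinement from /proc/<pid>/status.

Added example for this edit (not Conax's code). The two samples below are
constructed; the field meanings follow proc(5): the Uid columns are real,
effective, saved and filesystem uid; CapEff is the effective capability
set as a hex bitmask; Seccomp is 0 (off), 1 (strict) or 2 (filter);
NoNewPrivs is 1 when the process can no longer gain privileges."""
from pathlib import Path

# Constructed sample: a browser process launched as root with no confinement.
UNCONFINED_BROWSER = """Name:\tbrowser
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapEff:\t000001ffffffffff
NoNewPrivs:\t0
Seccomp:\t0
"""

# Constructed sample: the same browser in a sandbox (unprivileged uid,
# empty capability set, seccomp filter installed, no_new_privs set).
CONFINED_BROWSER = """Name:\tbrowser
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
CapEff:\t0000000000000000
NoNewPrivs:\t1
Seccomp:\t2
"""


def parse_status(text):
    """Turn the 'Key: value' lines of a status file into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_status(text):
    """Return a list of findings; an empty list means the process looks confined."""
    fields = parse_status(text)
    findings = []
    uid_cols = fields.get("Uid", "").split()
    if len(uid_cols) >= 2 and uid_cols[1] == "0":   # second column is the effective uid
        findings.append("runs as root (euid 0)")
    cap_eff = int(fields.get("CapEff", "0"), 16)
    if cap_eff:
        findings.append(f"holds {bin(cap_eff).count('1')} effective capabilities")
    # A missing Seccomp line means the kernel was built without seccomp support,
    # which for this audit is the same as having no filter.
    if fields.get("Seccomp", "0") == "0":
        findings.append("no seccomp filter")
    if fields.get("NoNewPrivs", "0") == "0":
        findings.append("can gain privileges (NoNewPrivs=0)")
    return findings


def audit_pid(pid):
    """Audit a live process on a Linux host by reading its real procfs entry."""
    return audit_status(Path(f"/proc/{pid}/status").read_text())


if __name__ == "__main__":
    for label, sample in (("unconfined", UNCONFINED_BROWSER), ("confined", CONFINED_BROWSER)):
        print(label, audit_status(sample) or ["no findings"])
```

Run against the constructed samples, the unconfined browser produces four findings (root, a full capability set, no seccomp filter, and no no_new_privs) and the confined one produces none. On a real box, audit_pid(<browser pid>) reads the kernel's own view of the process, which is the view that matters: a sandbox that is configured but not actually applied to the browser process shows up here as root with a full capability set.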

HARDENED SEPARATION OF HYBRID STBs

Current software-based separation technologies cannot be regarded as adequate, because they can be compromised. Therefore, the separation needs to be made stronger than what software-based solutions offer.

Conax can help operators strengthen the separation in their hybrid STBs. Conax offers a unique hardware-based separation of environments that is stronger than the standard separation solutions that are available today.

A modern, well-specified STB chipset is separated into the REE (Rich Execution Environment) and the TEE (Trusted Execution Environment). The TEE is a secure, integrity-protected processing environment inside the main processor (SoC), where security-sensitive operations run and sensitive data is kept, separate from the REE, which is connected to the Internet. Conax offers a unique solution in which STBs provided by Conax include a chipset with two separate environments in the hardware. All CA/DRM functionality is placed inside the TEE, and the CA solution is smart card-based. Apps can access functionality inside the TEE only via APIs. The APIs decide whether or not a given app is allowed to make use of the functionality inside the TEE, and respond accordingly. This prevents malware from circumventing the APIs.


TV-related apps such as Live-TV and PVR access have a very "thin" API towards the CA libraries in the TEE. The API calls are securely dedicated to the TV-related apps. The calls access the library layer in Linux user space, and for the CA functions they are simply rerouted to the CA libraries in the TEE.

The Secure Media Pipeline, a requirement from MovieLabs for UHD/4K, aims to ensure that content is protected at every stage of communication. The Secure Media Pipeline further separates the plaintext content from any CPU access. Not even the TEE is able to touch the content itself.

PREVENTIVE MEASURES - A CHECKLIST

In addition to using a hardened separation technology solution to protect the broadcast environment of the STB from the IP/OTT environment, the following checklist includes further steps operators can take to prevent hacking attacks on hybrid STBs.

• Start with secure hybrid STBs in the first place. This is much easier than trying to fix them later.
  ◦ Do security evaluations of the hybrid STBs in the operation.
  ◦ Include security requirements in RFQs.
  ◦ Do not make use of new features and functionalities in hybrid STBs until the security risks have been identified and minimized.
• Ensure that the hybrid STB can withstand network attacks without having to rely on frequent software updates to fix security issues.
• Control the software in your hybrid STBs, including the updates.
  ◦ Do not allow hybrid STB vendors to control the software in your STBs. This means that the vendors must never send software updates directly to the hybrid STBs.
  ◦ Do not rely on hybrid STB vendors to have an overview of bugs and other issues in the software and to provide the necessary updates to fix these. In other words, do a security evaluation of the software provided by the vendor before sending it out to the hybrid STB population.
  ◦ Stay actively up to date with regard to updates and other changes.
• Do security evaluations of apps when using operator-controlled app stores. Open app stores are not preferable from a security point of view.
• Take regular backups of all data and keep these backups offline.

• Hire someone who can follow security developments and stay up to date with these.
• Follow online forums dedicated to hacking, in order to learn about what vulnerabilities in hybrid STBs are being exploited, and how they are being exploited.

Figure 2. Hardware-based separation

Interested in becoming a Conax partner? Contact: [email protected]
Request a demo or a visit from us? Contact: [email protected]
Need more information on Conax solutions? www.conax.com [email protected] T: +47 22405200

About Conax

A part of the Kudelski Group (SIX:KUD:S), Conax is a leading global specialist in total service protection for digital TV services over broadcast, broadband and connected devices. Conax provides telcos, cable, satellite, IP, mobile and terrestrial and broadband operations with the innovative, flagship Conax Contego™ family of flexible and cost-efficient solutions to deliver premium content securely and enable operators' easy access to the OTT multiscreen arena. Headquartered in Oslo, Norway, ISO 9001 & 27001 certified Conax technology enables secure content revenues for over 400 operators in 85 countries globally. For more information, please visit www.conax.com and follow us on Twitter and LinkedIn.
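The "control the software" items in the checklist above, taken together, describe a release gate on the operator's side: a vendor image reaches the STB population only after the operator has evaluated it and recorded that approval, and never by the vendor pushing directly. The Python below is an added example of such a gate, not Conax's or any vendor's code. The vendor images, the approval manifest, the ticket identifiers and the version numbers are all constructed for the example; the SHA-256 digest stands in for whatever artifact identity the operator's evaluation process records, and the version comparison is included because a gate that only checks approval would still let an approved but older image roll the fleet back to known-vulnerable software.

```python
"""Operator-side release gate for STB firmware images (added example, not
Conax's code). All data below is constructed. The gate refuses any image the
operator has not evaluated and approved (identified by SHA-256 digest),
refuses images whose vendor-claimed version disagrees with the approval
record, and refuses approved images that would roll the fleet back."""
import hashlib

# Constructed: images as a vendor might deliver them, keyed by the version
# the vendor claims for each.
VENDOR_IMAGES = {
    "2.3.0": b"stb-firmware-2.3.0-constructed-sample",
    "2.4.0": b"stb-firmware-2.4.0-constructed-sample",
    "2.4.1": b"stb-firmware-2.4.1-constructed-sample",
}


def sha256_hex(data):
    """Artifact identity used by the approval record."""
    return hashlib.sha256(data).hexdigest()


# Constructed: the operator's record of images that passed security evaluation.
# Only 2.3.0 and 2.4.1 were evaluated; 2.4.0 was delivered but never approved.
# Ticket ids are placeholders for the operator's own evaluation references.
APPROVED = {
    sha256_hex(VENDOR_IMAGES["2.3.0"]): {"version": "2.3.0", "ticket": "SEC-EVAL-placeholder-1"},
    sha256_hex(VENDOR_IMAGES["2.4.1"]): {"version": "2.4.1", "ticket": "SEC-EVAL-placeholder-2"},
}


def parse_version(version):
    """Dotted version string to a comparable tuple, so 2.10.0 > 2.9.3."""
    return tuple(int(part) for part in version.split("."))


def release_decision(image, claimed_version, deployed_version, approved=APPROVED):
    """Return (allowed, reason). Only approved, non-rollback images pass."""
    digest = sha256_hex(image)
    record = approved.get(digest)
    if record is None:
        # Covers both unevaluated images and approved images altered after evaluation.
        return False, f"image {digest[:12]} has no evaluation record; refuse"
    if record["version"] != claimed_version:
        return False, (f"approval is for {record['version']} but vendor claims "
                       f"{claimed_version}; refuse")
    if parse_version(claimed_version) <= parse_version(deployed_version):
        return False, f"{claimed_version} would not advance fleet from {deployed_version}; refuse"
    return True, f"{claimed_version} approved under {record['ticket']}"


if __name__ == "__main__":
    fleet_version = "2.3.0"
    for version, image in VENDOR_IMAGES.items():
        print(version, release_decision(image, version, fleet_version))
    print("tampered", release_decision(VENDOR_IMAGES["2.4.1"] + b"\x00", "2.4.1", fleet_version))
```

With the fleet on 2.3.0, only 2.4.1 is released: 2.4.0 fails for lack of an evaluation record, 2.3.0 fails as a non-advance, and a 2.4.1 image that differs by a single byte from the evaluated one fails because its digest no longer matches the record. The point of keying the manifest on the digest rather than the version string is that the operator approves a specific artifact, not a label the vendor attaches.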

CONSULT SECURITY EXPERTS

Maintaining tight control over the security of hybrid STBs to mitigate the threats that come from the Internet is not a task to be taken lightly. It is highly important to make sure that the security tasks for hybrid operations are carried out by security experts who understand the risks that stem from unmanaged networks, who can stay on top of the security needs of hybrid operations, and who can always be one step ahead of the hackers. But it may not always be possible to have full-time security experts on staff. It is therefore a good investment for operators to use security consultants to handle all of these security needs.

Operators' main focus is making their business models work to earn revenues, gain new subscribers, and reduce churn. This means that an operator's core competence will probably not be security. Companies specializing in security, such as Conax, can help ensure that all of the security needs of any operation are being met, from content piracy protection to securing hybrid STBs against the attacks that come from unmanaged networks. Conax can evaluate the hybrid STBs in an operation upon request and at any time, to ensure that they are safe from hacking attacks. The sooner security is discussed when planning to implement and deploy next generation pay-TV platforms, the better. Modern piracy monitoring tools such as watermarking do not track any of the STB attack scenarios discussed in this paper. Therefore it is important that the security strategy involving hybrid STBs concentrates on preventing hacking.

Conax has been focusing on the security issues of hybrid STBs since their introduction into pay-TV operations, providing world class solutions for securing these. As for standard broadcast STBs, Conax can evaluate your hybrid STBs before a production run to determine their security level; at the end of the evaluation Conax issues a certificate stating the security level (0-9) of the hybrid STB. If the security level is not determined to be high enough, Conax will advise you to further harden the STB before it is put into operation. In addition, Conax can analyze the whole end-to-end operation to make sure all security needs are being met, report the potential risks in the operation, and advise on how to mitigate these security risks. Implementing Conax security processes and protocols in the pay-TV operation will guarantee a high level of security that works efficiently but invisibly in the background, securing operator revenues and sustaining the magic of content.

OTHER WHITEPAPERS IN THE REDEFINING CONTENT SECURITY WHITE PAPER SERIES

4K ULTRA HD: THE REQUIREMENTS THAT WILL SHAPE CONTENT LICENSING POLICIES AND TECHNOLOGY CHOICES FOR 4K & BEYOND