All OTT streaming solutions are vulnerable to malicious attacks. The use of DRM is essential for protecting content, as it ensures that the content is not exposed in the clear and always requires a key to decrypt. DRM authorizes access in accordance with security and business rules within video-playing applications. However, DRM is not foolproof, and certain OTT end-to-end architectures have weak points that pirates can exploit outside of the video player.

A common and straightforward exploit is the capture of a valid user/device authorization token from a DRM license request. Reusing this token allows a simple web player to request a valid key to play the content. As long as the token remains valid, any number of players might request new DRM licenses, leading to the decryption of content.

Token extraction and creating a valid DRM license request are relatively easy on web players and smart TVs. Set-top boxes (STBs) are less vulnerable, but they are not entirely risk-free. This type of attack is simple, well known even to novice pirates, and detectable, yet it can be challenging to halt without updating the entire end-to-end solution.

To minimize piracy or render it impractical, several strategies—not mutually exclusive—can be implemented.

Usage of device enforcing mode

The Verimatrix Video Content Authority System (VCAS) offers an enforcing mode capability that limits the sharing of license request URLs and tokens by capping the number of devices a user can have. The Verimatrix solution monitors existing devices assigned to a user and blocks requests when the maximum device limit is exceeded. Device identification is linked such that if there’s a discrepancy between the DRM information and the device identifier, the license request is rejected, preventing sharing across devices.


Web browsers and some Android implementations may change identifiers upon reinstallation, updates, or cache clearance. This can produce false positives: an identifier change caused by an ordinary user action is counted as a new device, so users reach their device limit unintentionally. To minimize or fully avoid consumer impact, there are different approaches to this implementation:

  • Disable private/incognito browsing when providing video services, as this can create a new device ID with each request. This is already in place for most large OTT stream providers worldwide.
  • Manage these types of device identifier updates through software logic to enable an acceptable range of changes. For example, Verimatrix VCAS can be configured to allow operators to set a maximum number of changes for web browsers in a given period.
  • Use anti-piracy services to detect and disable pirated tokens immediately, preventing distribution.
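
The policy described above, sketched as an added example (not Verimatrix code and not the VCAS API): a hypothetical license-server check that rejects a request when the token's device identifier and the DRM client's identifier disagree, caps devices per user, and tolerates a bounded number of browser identifier changes per period. The class name, limits and return strings are assumptions.

```python
from collections import defaultdict, deque

MAX_DEVICES = 3                   # assumed per-user device cap
MAX_BROWSER_CHANGES = 2           # assumed identifier changes tolerated per window
WINDOW_SECONDS = 30 * 24 * 3600   # assumed 30-day window


class DeviceEnforcer:
    """Hypothetical enforcing-mode policy for a license server."""

    def __init__(self):
        self.devices = defaultdict(dict)   # user -> {device_id: device_type}
        self.changes = defaultdict(deque)  # user -> timestamps of browser ID swaps

    def check(self, user, token_device_id, drm_device_id, device_type, now):
        # A token replayed from another player carries the original device's
        # identifier, which will not match what the DRM client reports.
        if token_device_id != drm_device_id:
            return "reject: device mismatch"
        known = self.devices[user]
        if drm_device_id in known:
            return "allow"
        if len(known) < MAX_DEVICES:
            known[drm_device_id] = device_type
            return "allow: new device registered"
        # Cap reached. A browser may simply have regenerated its identifier,
        # so let it replace the oldest browser slot within a limited budget.
        if device_type == "browser":
            recent = self.changes[user]
            while recent and now - recent[0] > WINDOW_SECONDS:
                recent.popleft()
            old = next((d for d, t in known.items() if t == "browser"), None)
            if old is not None and len(recent) < MAX_BROWSER_CHANGES:
                del known[old]
                known[drm_device_id] = device_type
                recent.append(now)
                return "allow: browser identifier replaced"
        return "reject: device limit exceeded"
```

Because a replaced browser identifier loses its slot, a user who clears the cache keeps working, while an account whose identifiers keep multiplying runs out of budget.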

Short-lived tokens

Authentication tokens are widely used in various deployments for service access authorization. These tokens, signed by the operator using a private key, are validated across systems with a public key. This method effectively verifies that requests originate from legitimate users or devices. However, to minimize the load on token generation systems, devices are often permitted to reuse tokens for extended periods. This practice can lead to pirates acquiring and using these tokens on unauthorized devices for content access. Reducing the lifespan of these tokens can significantly hinder mass piracy efforts.


When using shorter token lifespans, the system generating such tokens must be prepared to handle a much higher volume of requests per device. When designing such a solution, operators must consider the validity duration of the token, the device population, the devices and application performance, and the acceptable traffic of requests.
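
An added example of the trade-off above (not code from Verimatrix or any operator): a token bound to one device with a short expiry, the verification a license server would apply, and the issuance load a given lifetime implies. HMAC-SHA256 stands in for the operator's private/public-key signature so the block runs on the standard library alone; the key, claim names and 300-second lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import json

OPERATOR_KEY = b"constructed-demo-key"  # constructed; stand-in for the signing key
TOKEN_TTL = 300                         # assumed token lifetime in seconds


def b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_token(user, device_id, now, ttl=TOKEN_TTL):
    claims = json.dumps({"sub": user, "dev": device_id, "exp": now + ttl},
                        sort_keys=True).encode()
    sig = hmac.new(OPERATOR_KEY, claims, hashlib.sha256).digest()
    return b64(claims) + "." + b64(sig)


def verify_token(token, drm_device_id, now):
    try:
        body, sig = (base64.urlsafe_b64decode(p) for p in token.split("."))
    except ValueError:  # wrong number of parts or invalid base64
        return "reject: malformed"
    expected = hmac.new(OPERATOR_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "reject: bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return "reject: expired"          # a captured token stops working here
    if claims["dev"] != drm_device_id:
        return "reject: device mismatch"  # replay from a different player
    return "allow"


def issuance_rate(active_devices, ttl=TOKEN_TTL):
    """Token requests per second, assuming each device refreshes once per TTL."""
    return active_devices / ttl
```

Under that refresh assumption, 600,000 active devices with a 300-second lifetime generate 2,000 token requests per second, against about 7 per second with a 24-hour lifetime.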

Sophisticated pirates can still devise ways to continuously regenerate tokens and distribute them. Having mechanisms such as anti-piracy services or anomaly detection to identify and avoid such behavior is recommended.
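
One way such anomaly detection can look, as an added example that is not taken from any Verimatrix product: it scans a license-request log for tokens presented from more client addresses than one device plausibly uses, then lists accounts where this recurs across several tokens. The log format, threshold and sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed license-request log: epoch_seconds user token_id client_ip
SAMPLE_LOG = """\
1000 alice tokA 198.51.100.10
1060 alice tokA 198.51.100.10
1005 bob tokB 203.0.113.5
1010 bob tokB 192.0.2.44
1012 bob tokB 192.0.2.91
1400 bob tokC 203.0.113.5
1405 bob tokC 192.0.2.44
1409 bob tokC 192.0.2.17
1500 carol tokD 198.51.100.77
1900 carol tokD 198.51.100.78
"""

MAX_IPS_PER_TOKEN = 2  # assumed tolerance, e.g. a Wi-Fi to mobile handover


def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines rather than abort the run
        yield int(parts[0]), parts[1], parts[2], parts[3]


def shared_tokens(log, max_ips=MAX_IPS_PER_TOKEN):
    """Return {token_id: (user, sorted IPs)} for tokens seen from too many IPs."""
    ips, owner = defaultdict(set), {}
    for _, user, token, ip in parse(log):
        ips[token].add(ip)
        owner[token] = user
    return {t: (owner[t], sorted(s)) for t, s in ips.items() if len(s) > max_ips}


def regenerating_users(log, min_tokens=2):
    """Accounts with several shared tokens: regenerate-and-redistribute pattern."""
    counts = defaultdict(int)
    for user, _ in shared_tokens(log).values():
        counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= min_tokens)
```

On the sample log, `tokB` and `tokC` are flagged and `bob` is reported as a regenerating account, while `carol`'s two-address handover stays under the threshold.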

Increasing application robustness and enforcement capabilities

Pirates typically target the most vulnerable entry points, which are often found in applications or browsers. To prevent modifications, cloning, identification, or debugging, and to enhance the operator’s control over the application, implementing a solution such as Counterspy by Verimatrix is essential. It provides mechanisms to deter piracy effectively at the highest level while also collecting reliable device information that aids in the management of application access.


Although this solution may not be entirely sufficient on its own, it serves as an excellent complement to other mechanisms like device enforcing mode and short-lived tokens. Incorporating enforcement capabilities and enhancing application robustness could allow for more lenient authentication token lifespans or relaxed device rules. This approach not only enhances the user experience but also potentially reduces overall request traffic and improves application performance.


Much like in our everyday lives, where enhanced security better protects our valuables but also brings necessary constraints, the same principle applies in the realm of video content. Operators must carefully balance the potential for revenue loss against the implementation of various security measures. Once users find easy, free access to content, persuading them to pay for it becomes a significant challenge. Therefore, Verimatrix advises employing multiple layers of security, such as device enforcing mode, short-lived tokens, and robust application enforcement tools, to preserve the value of the video streams offered to consumers.

Security is an ongoing process: merely locking one door does not guarantee overall safety. Operators should continuously evaluate vulnerabilities, monitor for unusual user behavior, and assess operational performance. This proactive approach enables the deployment of effective mechanisms to mitigate revenue losses due to piracy.