Downloadable Trusted Apps: Missing Piece for Connected Devices
Security consists of many components and layers. These include robustness attributes of chipsets, device identity and certificates, secure protocols, etc. But one fundamental component is often neglected: secure download of trusted applications and the ability to upgrade them quickly and on demand.
With set-top boxes (STBs), security can be integrated during manufacture, given that these are designated for specific pay-TV operators at that stage. By contrast, tablets and smartphones have no pre-installed security because they are intended for general consumption and can end up accessing services from just about any operator in the world.
However, the first steps towards making these devices secure and upgradeable have now been taken. The foundation has been laid over the last several years by creating a designated secure area within the system-on-chips (SoCs) of these devices as a core technology for secure downloadable software, i.e. ARM’s TrustZone and GlobalPlatform’s Trusted Execution Environment (TEE). This is now established as the de facto standard for the software component of overall video security, along with two critical extensions, as I cover in more detail in an earlier blog.
One of the extensions is the secure video path (a.k.a. protected media path), which extends the benefit of the TEE from the protection of the core DRM to the whole video flow inside the device. The other extension is an API enabling the TEE to control the video watermarking functionality so that unauthorized redistributed movies or streams can be identified and traced back to their source.
But this still leaves one vital piece of the security puzzle to be solved, which is how to get these trusted apps, including the DRM, safely over the network into the TEE. If that can be accomplished, we would be able to turn any media playback device with TEE capability into a device that can play premium content sourced by any service provider and be resistant to piracy, tampering and theft of revenue. In fact, it will have a significant advantage over traditional card-based conditional access (CA) security, because it will be fully upgradeable and without dependencies on the device manufacturer.
There are additional benefits besides the ability to install and provision a DRM trusted application or a complete trusted player. Trusted apps can be further personalized by provisioning them with unique individual keys or certificates further extending the hardware root of trust provided by the device and the TEE.
Moreover, not all trusted apps have to be identical. Because trusted apps can be downloaded individually to any device, they could be divided into groups with slightly different configurations, code or crypto algorithms, creating software diversity.
Limitations of pre-installed DRMs
Currently, many mobile devices do come with a pre-installed DRM, but crucially it cannot be upgraded in the field independently of the firmware, which is under the control of the device manufacturer. As a result, the security cannot keep pace with the fast-changing threat landscape, leaving pirates one step ahead. Operators, content owners and even DRM providers like Microsoft, or for that matter Verimatrix, are beholden to the device makers such as Samsung or LG for firmware upgrades, which are only performed occasionally.
However, the first moves towards solving this problem emerged in 2012 with the foundation of Trustonic by ARM, G&D and Gemalto to establish a common security platform embedded in connected devices for use by app developers. This resulted in the Trustonic Secured Platform (TSP), which provides the TEE for mobile devices as the destination for trusted apps, and which the company claims has now been deployed in hundreds of millions of client devices. The latest version, called the Kinibi TEE, is the first to be offered to developers or service providers via an open API and is pitched at any service requiring security, such as mobile banking, although premium video is, of course, our primary target.
We have been working with Trustonic to enable our ViewRight DRM to be downloaded to all these devices as a trusted application. Every Trustonic-capable device has unique keys embedded at a hardware level during manufacture—just like STBs—except that they are generic rather than specific to a service provider. These keys form the basis for a hardware root of trust that can be relied upon by manufacturers, network operators and service providers downstream. They allow Verimatrix to subsequently authenticate these devices by accessing Trustonic’s cloud-based Kinibi Key Provisioning Host (KPH) where the credentials are stored securely.
Having verified that the device has a valid certificate and has not been revoked, we then download the trusted app. Once installed in the device’s TEE, the ViewRight client can operate normally, just as it would in an STB. Crucially, it can now operate in a highly secure mode, enabling the user or operator to provide premium content and create a consistent experience across several device types for their subscribers.
It is worth emphasizing that this all happens totally transparently to the user, who would merely have downloaded a normal app player associated with a service provider. That player would then recognize it is running on a device capable of installing these trusted apps and would then instigate the authentication process before commencing download of the relevant trusted app.
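To make the exchange above concrete, here is an added Python sketch of the provisioning flow: the player discovers a TEE-capable device, the device proves possession of its manufacture-time unique key to a provisioning host (standing in for the KPH), the host checks the revocation list, and only then releases a signed trusted app that the device verifies before installing. It also picks one of two trusted-app variants per device group, illustrating the software diversity mentioned earlier. This is my own illustration, not Verimatrix's or Trustonic's code; the class names, the sample keys and the use of HMAC-SHA256 as a stand-in for the certificate and code-signing mechanisms of a real deployment are all assumptions.

```python
"""Sketch of a TEE trusted-app provisioning exchange (added example; not
Verimatrix's or Trustonic's code). Assumptions: each device holds a unique
per-device key installed at manufacture, the provisioning host (stand-in for
the KPH) holds a registry of those keys plus a revocation list, and the trusted
app is delivered with a signature the device checks before installing.
HMAC-SHA256 stands in for the certificate/signature mechanisms a real
deployment would use."""
import hashlib
import hmac
import secrets

# Constructed sample data: per-device keys "embedded at manufacture".
DEVICE_KEYS = {
    "dev-0001": bytes.fromhex("01" * 32),
    "dev-0002": bytes.fromhex("02" * 32),
    "dev-0003": bytes.fromhex("03" * 32),
}
REVOKED = {"dev-0003"}                          # constructed revocation list
TA_SIGNING_KEY = b"ta-signing-key-constructed"  # held by the host (assumption)
TA_VERIFY_KEY = TA_SIGNING_KEY                  # baked into the TEE (symmetric stand-in)

# Two constructed trusted-app variants, illustrating software diversity.
TA_VARIANTS = {"A": b"drm-ta-variant-A", "B": b"drm-ta-variant-B"}


def select_variant(device_id: str) -> str:
    """Deterministically assign a device to a variant group."""
    digest = hashlib.sha256(device_id.encode()).digest()
    return "A" if digest[0] % 2 == 0 else "B"


class Device:
    """Client side: TEE-capable device with a hardware-rooted unique key."""

    def __init__(self, device_id: str, hw_key: bytes):
        self.device_id = device_id
        self._hw_key = hw_key
        self.installed_ta = None

    def respond(self, nonce: bytes) -> bytes:
        # Challenge-response proving possession of the per-device key.
        return hmac.new(self._hw_key, nonce, hashlib.sha256).digest()

    def install(self, ta_code: bytes, signature: bytes) -> bool:
        # Verify the package before it is allowed into the TEE.
        expected = hmac.new(TA_VERIFY_KEY, ta_code, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self.installed_ta = ta_code
        return True


class ProvisioningHost:
    """Server side: authenticates devices against the key registry and
    releases a signed trusted app only to known, non-revoked devices."""

    def __init__(self, keys: dict, revoked: set):
        self._keys = keys
        self._revoked = revoked

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def authenticate(self, device_id: str, nonce: bytes, response: bytes) -> str:
        key = self._keys.get(device_id)
        if key is None:
            return "unknown"
        if device_id in self._revoked:
            return "revoked"
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return "ok" if hmac.compare_digest(expected, response) else "auth_failed"

    def signed_ta(self, device_id: str):
        code = TA_VARIANTS[select_variant(device_id)]
        return code, hmac.new(TA_SIGNING_KEY, code, hashlib.sha256).digest()


def provision(device: Device, host: ProvisioningHost) -> str:
    """Run the full exchange: challenge, authenticate, revocation check,
    download, signature check, install. Returns the outcome as a string."""
    nonce = host.challenge()
    status = host.authenticate(device.device_id, nonce, device.respond(nonce))
    if status != "ok":
        return status
    code, sig = host.signed_ta(device.device_id)
    return "installed" if device.install(code, sig) else "bad_signature"


if __name__ == "__main__":
    host = ProvisioningHost(DEVICE_KEYS, REVOKED)
    for dev_id, key in DEVICE_KEYS.items():
        print(dev_id, provision(Device(dev_id, key), host))
    print("dev-0002 with wrong key:", provision(Device("dev-0002", b"x" * 32), host))
```

The two checks worth noting are that the host refuses revoked or unknown devices before any trusted-app bytes leave the server, and that the device refuses a package whose signature does not verify, so a tampered download never reaches the TEE.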
It is also important to note that while Verimatrix can currently only download trusted apps to devices running the Trustonic Kinibi, we are working on other TEE-based secure downloading platforms. Indeed, the GlobalPlatform standards group is currently finalizing a protocol for provisioning trusted apps to any TEE, and we will be supporting that.
The underlying message is that we are moving towards the idea of a trusted app store for mobile devices, which we believe will unleash their full potential for premium content consumption.
Stay tuned for more developments in this area.