Talking about DVB security can sound almost quaint in a world where connected devices and streaming services are growing exponentially. The conversation becomes much more interesting when you consider the different paths one-way network operators can take to cost-efficiently evolve their infrastructure to keep up with new technologies, delivery models, and consumer demands.
I had the pleasure of participating in our recent webinar, Security Upgrades for the Connected Future, along with ABS-CBN (the Philippines' largest entertainment and media conglomerate) and Telecentro (the first company in Argentina to offer “triple play” services).
Though we have enjoyed long-term partnerships with these operators, I still learned new details and gained additional insights during the panel discussion about how upgrading their security platforms helped them become dominant in their markets.
Combatting New Piracy Threats for Broadcast Networks
Sherry Ann Supelana from ABS-CBN discussed the important role cardless security played during the broadcaster’s recent dual crises when its franchise was not renewed by the government and COVID-19 shut down production. They had to quickly pivot to deliver content over the internet directly to consumer-owned devices rather than their traditional B2B delivery model to the TV.
She shared how this pivot has raised new piracy concerns, including hackers’ attempts to attack ABS-CBN apps to gain access to personal and credit card information. Supelana also addressed how the broadcaster is combatting new security threats. In fact, Steve Hawley (who moderated the panel) recently reported on Piracy Monitor that ABS-CBN has been aggressively filing piracy suits in the U.S., which underscores the value of Filipino content to expatriates.
Fernando Herrera of Telecentro discussed the company’s response to the rise of black market devices that included their video services app, Telecentro Play. As Telecentro bundled more third-party content with their mobile app – Netflix, Amazon Prime, Fox, etc. – these devices became more valuable on the black market. So they had to ensure they could quickly shut down the service once a subscriber stops paying. Our Multi-DRM solution helps Telecentro identify unauthorized streams so they can turn them off and protect revenue.
Herrera also emphasized Telecentro’s focus on finding the best path to accelerate the integration with multiple devices, especially as new devices and operating systems constantly flood the market. A timely – and cost-effective – integration path would help them compete, and cooperate, with other OTT services.
Q&A Highlights: Understanding Broadcast Security Challenges
During the live Q&A chat with the audience, participants raised pointed questions about the path to upgrading and adapting to new infrastructure and technology. Here are a few highlights from the session:
Q. What are the main challenges of Simulcrypting with a legacy CA system?
A: There are a few things to keep in mind:
- SMS and CRM system integrations need to be completely separated, because channels, services, packages, entitlements, etc. may be managed differently.
- Head-end multiplexer components are defined by the Simulcrypt protocol, yet CA interoperability should not be taken for granted. Configurations should support separate multiplexer-specific characteristics, such as control words and Entitlement Control Message (ECM) management.
- Simulcrypt implementations add bandwidth overhead, yet new cardless CA systems are bandwidth efficient by prioritizing deployment of keys, entitlements and software updates.
Bottom line, it’s best to work with a strategic security partner with a process to guide you through the migration.
Q. Isn't cardless security weaker than card security?
A: No, because modern cardless systems process all cryptographic operations inside a secure hardware environment (TEE – Trusted Execution Environment), whereas card-based security requires a communications channel between the smartcard and SoC. The communications channel is an additional attack surface and often the weakest point.
Q: Since DRM is not foolproof to combat piracy, what other security methods should be used?
A: Piracy is a complex problem with no single solution or magic bullet, so we recommend planning your security strategy around the 3 main pillars: prevention, monitoring and traceability. Prevention includes proven CA and DRM solutions to prevent leakage of content to unauthorized users. Monitoring paired with machine learning can provide early warnings of attacks and evolving methods of piracy. Traceability is essential in the era of content redistribution to track illicit streams back to their source so that actions, such as takedown, can be invoked.
Q. Do I still need a CA system when all STBs are connected anyway?
A: Live broadcast is still one of the most prominent business models to deliver video services. Accessing the content is easy ("zapping") and free of any obstacles. Also, especially for content like news and sports, it is still the most efficient distribution channel. Not requiring IP connectivity ensures that basic content is provided in any use case, even if the IP connection is temporarily interrupted or generally unavailable.
Q. I want to offer multiple different set-top boxes. How does cardless security help with that?
A: Today's SoCs typically come with all the necessary security hardware to easily support a modern one-way CA system. In fact, Verimatrix has worked with the top SoC manufacturers to standardize TEE (Trusted Execution Environment) as the core module for cryptographic operations of one-way systems. The result is a broad selection of pre-integrated SoCs that are available today, from lowest-cost systems enabling set-tops for less than $10 per device, up to tablet-grade, advanced chipsets that enable a powerful application framework, including multi-tuner setups for DVR use cases.
Q. Are you seeing cases of your apps being modded or hacked? Any thoughts around protecting those apps?
A: ABS-CBN has found replicas of its app on the web. Such hacking can lead to a loss of revenue. Technology, such as code protection, can ensure the security of the application code and its running state. It’s important to protect your app because such hacking compromises the user’s data, not just your product.
Q. User IDs and passwords are one of the weaknesses that contribute to piracy (credential sharing). Are you considering implementing some version of passwordless authentication (such as biometrics on devices that support it)?
A: Telecentro is thinking of using 2FA. We analyzed voice biometrics, but this seems too complex for an end user who simply wants to watch content. ABS-CBN definitely requires another layer to protect registrations or login processes due to threats like bad bots and credential stuffing that we found hitting our websites all the time.
A combination of ways to block the bots and a method to validate the user's login is needed. Friendly multi-factor authentication can provide additional security. Users won't be accepting of a solution that makes them jump through hoops. Combinations of trusted applications on a user’s cellphone, along with visual codes, can make the user interface simple. Push notifications make the security friendly but limit the desire of a user to share.
Q. How is cardless security more bandwidth efficient?
A: More advanced cardless solutions allow operators to entitle packages to a large audience, as well as individual a-la-carte program choices for very large populations through a highly efficient Entitlement Management Message (EMM) process. Data is only delivered where it is really needed for better bandwidth efficiency.
Resources for the Migrating Network
You can watch the webinar on-demand to gain further insights from these leading operators, and even submit your own questions. Learn more about how to navigate the decision to upgrade your broadcast security with the ebook: Dispelling 5 Myths about Broadcast Security. If you're looking for a trusted partner to help with your broadcast security journey, please get in touch.