Operators should put the cyber into security – engage ethical hackers

Convergence between general cybersecurity and the more specific revenue protection that has long been employed by pay TV operators, has risen up the agenda over the last two years and featured prominently at the recent IBC 2019. Of course, video service providers are susceptible to just the same cybersecurity threats as any enterprise, but until recently this has been a separate domain from the CAS (Conditional Access Systems) and DRM (Digital Rights Management) designed to prevent theft of signal and unauthorized access to content without paying. It has been confined to internal data centers largely managing other aspects of the business.

But as video service provision has migrated towards IT and becoming increasingly data driven it has become itself a department of IT, with the result that the distinction between cybersecurity and content protection has blurred and faded. Increasingly cybersecurity threats, such as theft of data, Distributed Denial of Service (DDoS) attacks and intrusion of malware, also threaten service provision. Increasing reliance on customer data means that regulations such as GDPR must be adhered to and privacy upheld. DDoS can make streaming services unavailable with consequent brand damage and loss of revenue. Malware can infect subscribers’ connected devices and again disable service provision. IBM’s The Weather Channel was unable to deliver its morning show in April 2019 as the result of a malware attack on its network.

This convergence between cybersecurity and content protection has been recognized by the traditional CAS players, leading for example to Inside Secure’s acquisition of Verimatrix and more synergy between the respective departments at Kudelski’s Nagra. It has led to broadcasters’ organizations such as the EBU (European Broadcasting Union) developing recommendations, raising consciousness and conducting tests. At IBC, the EBU could be found talking about a cybersecurity vulnerability test event staged with the help of broadcasters during August 2019, run by the JTNM (Joint Task Force on Networked Media), a group set up to help manage IP transition.

This involved batteries of laptops running the open source vulnerability assessment tool OpenVAS to probe broadcast networks and found 387 vulnerabilities under five main categories: encryption mismanagement (33.4%), unnecessary features (26.5%), use of default credentials that are easy to find or guess (13.2%), web interface weaknesses (13%) and absence of encryption (8.5%). Most of the issues were minor but some, such as absence of encryption, could be potentially very damaging.

Perhaps worse, the testing found that cybersecurity was not yet inherent in the design of most broadcast networks, perhaps because it was not in the past so critical. It also found that such vulnerability testing gives true positives but also false negatives – there may be unknown vulnerabilities not picked up. The only solution to this is to conduct ongoing ethical hacking on a significant scale, the EBU concluded. Incidentally, cybersecurity vulnerability is defined by ENISA (European Union Agency for Cybersecurity) as the existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the computer system, network, application, or protocol involved.

The EBU paper on the study noted that since cybersecurity is an arms race, service providers need constantly to review and improve traditional defenses, noting the comment by Michael Wise, CTO Universal Studios, that “What keeps me up at night, is to have $5 billion worth of film stores somewhere on the cloud and how to make sure it is not leaked a week before the official release.” That threat has been ever present for years but has not gone away.

At the same time, proliferation of streaming has shifted the ground for revenue protection such as to bring it closer to cybersecurity and has also increased the potential scale for illicit live OTT distribution of major events. In June 2019, 13 million people illegally streamed the heavyweight boxing title fight where the UK’s Anthony Joshua lost to Mexico’s Andy Ruiz Junior.

Combating such large-scale illicit content redistribution requires a number of techniques, including forensic watermarking, which can be regarded as an extension of traditional revenue protection, and network forensics, which comes more under the ambit of cybersecurity.

The EBU in 2018 published a guide called Minimum Security Tests for Networked Media Equipment, which it recommends broadcasters and service providers incorporating. Among other things, it urges service providers to pay close attention to their firmware, both its fundamental architecture and to ascertain that the latest security updates have been downloaded. It recommends running tests using tools such as firmware IDA Debugger to check if the firmware itself is insecure, which although unlikely would constitute a major vulnerability if it was. Essentially the aim here is to check that the firmware does not execute undesired actions that breach security thresholds and also identify any hostile code that has infiltrated.

Those recommendations also highlight the risk of fuzzing, which we have discussed before in Faultline as a threat that could also permeate services from IoT devices in the home. Fuzzing is firing large amounts of different data at a system, attempting to induce a crash and then observe how it responds to identify any security loopholes. It can be used for security testing but also by hackers for locating vulnerabilities they can exploit. This again is terrain for ethical hacking, in that service providers should seek to identify the vulnerabilities before attackers do.