IPTV Security: Content Is King
In contrast to the analog world, where tampering with the content meant using black-market hardware to unscramble a signal, IPTV encryption takes place on the software level. So hacking into a system is really just a matter of writing some malicious code. And that's got some carriers and content providers worried (see LR's TIC: Get Me Video).
Several kinds of IP-based attacks are possible on IPTV networks. In the IPTV world, for example, spoofing is possible, but there's no precedent yet, according to Jim Veres, VP of advanced engineering for Widevine Technologies Inc.
“Hackers can spoof an IPTV network by trying to pretend they are a headend and flowing content down to your set-top box that might not be appropriate,” Veras says. “The question is how does somebody make money doing that -- although I don’t understand why people do denial-of-service attacks either.”
The good news, sort of, is that because digital video content has saleable value, most IPTV security efforts to date have focused on theft prevention.
“Once one person has managed to pirate a piece of content, it can go from one user to a million users in a very short period of time,” says Brian Baker, Widevine's CEO. Pirated video content is often passed to other users over peer-to-peer networks such as Kazaa, he says.
Because of the piracy problems that have occurred since the digitization of video, content providers -- including everybody from CNN to the Hollywood studios -- naturally have a good deal of skepticism about distributing their content over end-to-end IP networks (see Video May Drive the IP Star).
Enter the IPTV conditional access (CA) and digital rights management (DRM) companies -- many of which are on hand here. Conditional access solutions encrypt video files or streams and assign "soft" decryption keys for use by the set-top box that's receiving the content. Digital rights management solutions set usage rules around the video content dictating how many times the file may be watched or copied, for example (see Comcast, Moto Playing Nice With Devices).
A few dominant players have emerged in the IPTV CA and DRM space, and that seems just fine with vendors here. “To be honest, I wish it were just one or two because it takes a lot of time and a lot of money to integrate this software into the set-top box,” says Federico Sanchez, Motorola Inc.'s (NYSE: MOT) product manager for IPTV set-top boxes.
“The top five telcos in the world have already made up their minds on which middleware and which DRM systems they want to use. I tend to see, in no specific order, Widevine, Microsoft, and Verimatrix requests when I see RFPs.”
Other content security players include NDS Inc., Nagravision SA, Conax AS, and Irdeto Access.
The bottom line is that service providers -- cable and telecom operators alike -- have to prove to content creators that the content will be secure on their networks, otherwise the creators withhold the content.
Even the DRM makers themselves sometimes aren't safe. A famous example: In 2001, hackers violated Microsoft’s own DRM solution to steal a closed-circuit, Microsoft company meeting broadcast wherein Steve Balmer danced and shouted in what is now called the “Monkey Boy” speech.
“There were incidents a few years ago where people were trying to hack in and shut them down, but third-party software got better, and routers got better, and you don’t hear as much about that now as you did three years ago,” Widevine's Veres says.
Veres, a former Microsoft employee, says he is unaware of any denial-of-service attacks having been perpetrated on an IPTV system to date, but he's not holding his breath. “On the Internet, anything is possible,” he says.
— Mark Sullivan, Reporter, Light Reading
CALLING ALL SECURITY APPLIANCE MANUFACTURERS: Make sure your company and products are listed free of charge in Light Reading's Security Appliances Directory, now in progress, by completing this questionnaire.
CALLING ALL SUPPLIERS OF IP SERVICE SOFTWARE: Make sure your company and products are listed free of charge in Light Reading's IP Services Software Directory, which already lists products from more than 100 companies, by completing this questionnaire.