Farncombe Technologies, a pay TV technology consultancy based in the UK, has just released a white paper called “The Future of Broadcast Cardless Security.” The white paper incorporates the results of a survey of pay TV operators, content owners, security vendors, and device makers on pay TV security concerns today and in the future.
Operators of pay TV (cable, satellite, and telco-TV) networks have put more money and effort into digital content security than any other type of media distributor, certainly more than any digital music or e-book sellers ever have. That’s because the economic incentives of pay TV operators are aligned with those of content owners such as movie studios and TV networks: operators don’t want their signals stolen, while content owners want to minimize unauthorized use of the content that travels over those signals.
For a long time, the technology used to thwart signal theft was the same as that used to guard against copyright infringement: conditional access (CA). Life was simple when cable companies operated closed networks to dedicated set-top boxes (STBs): the content went from head ends to STBs and nowhere else. In that situation, if you secure the network, you secure the content. But nowadays, two developments threaten this alignment of incentives and thus blow open the question of how pay TV operators will secure content.
First, the model of so-called piracy has changed. Historically, pay TV piracy has meant enabling people to receive operators’ services without paying for them, by doing such things as sharing control words (decryption keys in CA systems) or distributing unauthorized smartcards for STBs. But now, with higher broadband distribution and technologies such as BitTorrent, people can get content that flows over pay TV networks without touching the pay TV network at all.
Second, operators are offering “TV Everywhere” type services that let users view the content on Internet-conneted devices such as PCs, tablets, smartphones, and so on, in addition to through their STBs. They are doing this in response to competition from “over the top” (OTT) services that make video content available over the Internet. Operators have less direct incentive to protect content being distributed to third-party Internet-connected devices than they do to protect it within their own networks.
The Farncombe study predicts the likely effects of these developments (and others) on pay TV security in the years to come. According to the survey results, operators’ primary piracy concerns today are, in order of priority: control word sharing, rebroadcasting their content over the Internet (illegal streaming), and downloads of their content over the Internet (e.g. torrents); but in five years’ time the order of priority is expected to reverse. The threat of bogus smartcard distribution is expected to diminish.
The intent of this whitepaper is to motivate the use of pure software security technology for pay-TV networks, i.e., schemes that don’t use smartcards. So-called cardless security schemes are available from vendors such as Verimatrix, which sponsored the whitepaper. They are cheaper to implement, and they now use software techniques such as whitebox encryption and code diversity that are often considered to be as strong as hardware techniques (for more on this, see my 2011 whitepaper The New Technologies for Pay TV Content Security, available here).
However, the whitepaper also calls for the use of forensic Internet antipiracy techniques instead of — or in addition to — those that (like CA) secure operators’ networks. In other words, if piracy takes place mostly on the Internet instead of on operators’ networks, then antipiracy measures ought to be more cost-effective if they take place on the Internet as well.
The paper advocates the use of techniques such as watermarking, fingerprinting, and other types of Internet traffic monitoring to find pirate services and gather evidence to get them shut down. It calls such techniques “new” although video security companies such as NDS (now Cisco) and Nagravision have been offering them for years, and Irdeto acquired BayTSP a year ago in order to incorporate BayTSP’s well-established forensic techniques into its offerings. A handful of independent forensic antipiracy services exist as well.
This all begs the question: will pay TV operators will continue to put as much effort into content security as they have done until now? Much of pay TV networks’ offerings consist of programming licensed non-exclusively from others. The amount of programming that is licensed exclusively to operators in their geographic markets — such as live major-league sports — is decreasing over time as a proportion of total programming that operators offer.
The answer is, most likely, that operators will continue to want to secure their core networks, if only because such techniques are not mutually exclusive with forensic Internet monitoring or other techniques. Yet operators’ security strategies are likely to change in two ways. First, as the Farncombe whitepaper points out, operators will want security that is more cost-effective — which cardless solutions provide.
Second, network security technologies will have to integrate with DRM and stream encryption technologies used to secure content distributed over operators’ “TV Everywhere” services. The whitepaper doesn’t cover this aspect of it, but for example, Verimatrix can integrate its software CA technology with a couple of DRM systems (Microsoft’s PlayReady and Intertrust’s Marlin) used for Internet content distribution. Licensors of content, especially those that make exclusive deals with operators, will insist on this.
The trouble is that such integrated security is more complex and costs more, not less, than traditional CA — and the costs and complexities will only go up as these services get more sophisticated and flexible. Operators may start to object to these growing costs and complexities when the content doesn’t flow over their networks. On the other hand, those same operators will become increasingly dependent on high-profile exclusive licensing deals to help them retain their audiences in the era of cord-cutting — meaning that content licensors will have a strong hand in dictating content security terms. It will be interesting to see how this dynamic affects video content security in the future as it emerges.
“The trouble is that such integrated security is more complex and costs more, not less, than traditional CA — and the costs and complexities will only go up as these services get more sophisticated and flexible.”
Sure, the complexity will grow over time when new DRM schemes etc. arise. But still I think the cost will go down while security is better than with CA.
The problem with CA is that it is a hardware solution and updating hardware is always expensive. So if there’s a bug in a settop box or in a smartcard which allows some kind of unauthorized access to the content, more secure replacements have to be developed and sent out to the subscribers. That costs money and takes at least two weeks (my estimation) during which an operators precious content is vulnerable to attacks. In addition to these logistics, they may have to simulcrypt the content with both the old and new security scheme for that period, in case it changed.
Even when the security of a system is not broken yet, an operator might want to roll out a different, more secure system. To save the cost of equipping all his customers with new hardware, he again has to simulcrypt the content, sometimes for years.
A software solution on the other side, however complex it may be, has only the cost of developing it. It can be updated for all subscribers within minutes over the air. No need to pay for hardware, shipping or simulcrypting and much better reaction time to security breaches.
By the way, this document describes an interesting approach taken in Germany: http://www.detecon-dmr.com/article_detail_pdf.php?unique_id=195832&lang=en
Basically what is done there is defining a standardized software container, which is kind of a virtual machine with defined interfaces to the firmware of a consumer electronics device. An operator can upload his CA or DRM “kernel”, which is the software equivalent of todays smartcards, into that virtual machine. The kernel itself is hardware independent, multiple different kernels can exist in parallel (e.g. for cable and VOD) and they can be updated in case of problems, even over traditional one-way cable networks.
Thanks for the comment. Is it really necessary for a security scheme to be hardware-based to call it “CA”? I’m not so sure. Some would call the cardless schemes of Verimatrix, Widevine, Motorola Encryptonite, and others “CA” as well. Many of these vendors use the term “CA/DRM” in their marketing.
That hardware security is always stronger than software is sort of an article of faith among security professionals, but some are now questioning it. Certainly this was true 10 years ago when STBs and other consumer devices had limited processing power and (especially) memory. Nowadays, software techniques such as whitebox encryption can take advantage of large amounts of memory and do things that at least raise enough deterrents against key discovery or reverse engineering to discourage hackers.
I don’t think we know enough from real-world experience to say whether software-based solutions are “as secure” as hardware-based ones; it’s more a question of content licensors’ comfort level with the technologies.
Comfort level, certainly, but also liability. The security vendor has to integrate his software somehow with the firmware of the settop box or TV set. So he uses the same CPU, the same memory banks etc. as all the other software on the system. When something goes wrong, who is responsible or, first of all, who will find out (which can be a significant amount of work) whom to blame for the security breach and thus to pay for the damage? The operator, and the studios in his back of course, doesn’t want to mess around with the software; he wants a single contact to solve the problem for him ASAP.
Since they offer these solutions, Verimatrix and the likes obviously found a way to guarantee that the firmware of the cheapest Asian STB manufacturer won’t have security holes as huge as a barn door allowing an attacker to get access to the control words. I really wonder how they do it, especially on the still very limited CPU power and memory those cheap boxes have. We’re talking about less than 1 GHz CPU power and often enough just 256 MB of memory here, for HD decoding, fancy OSD and web browsing.
[…] a US-based publication that exclusively covers digital rights technologies, has written a long and thoughtful piece about Farncombe’s new White Paper on the future of broadcast cardless […]