STBs: Assuring content security in next-gen boxes
Next-generation set-top boxes are inherently more susceptible to content piracy.
Next-generation set-tops are evolving to become hybrid devices that integrate video content from multiple sources and share that content over home media networks. Accommodating the demand for content sharing and portability makes the STB inherently more complex, complicating security and increasing the concern regarding content piracy.
STBs and their associated conditional access systems and digital rights management technologies are under constant threat from device tampering, software security breaches and hacker attacks that can significantly impact the reputation and bottom line for both STB manufacturers and operators.
The evolution of premium content distribution and consumption models is driving new requirements for STB security in order to address stakeholder concerns, technology changes and piracy risks. Some of the key issues driving new requirements include:
- Content protection: Content owners demand protection of their intellectual property and require that licensees take steps to prevent piracy, and to mitigate damage should a breach occur.
- Heterogeneous networks: New service models combining broadcast, IP and Internet-based video, PVR capabilities and content sharing on home networks necessitate an STB security architecture capable of integrating CA, DRM and link protection mechanisms.
- Open platforms: Migrating to an open-source operating system such as Linux gives attackers a familiar target and free reverse engineering and debugging tools. The added risk is the lower attacker effort, not the open source code itself, and it must be offset by hardening the CA and DRM clients that run on top of the platform.
- Life cycle protection: Defending against repeated attacks from the hacker community and reacting to breaches is a costly, ongoing battle for STB makers and operators.
As STB ecosystems evolve to accommodate new services, the STB architecture becomes more complex in three areas.
The first is the development of the hybrid STB. A new generation of hybrid STBs enables operators to deliver IP-based, over-the-top video services to complement traditional CA-delivered content. Emerging retail distribution of operator-independent OTT set-tops is an alternative to traditional provider services. When designing next-generation products to meet these requirements, OEMs should consider the following security issues.
- If the service will support premium IPTV or OTT content, a DRM client must be integrated into the media framework, and must adhere to applicable DRM compliance and robustness rules governing protection of encryption keys, device certificates and other sensitive assets.
- DRM clients must be able to withstand diverse attack scenarios, including: side channel attacks on processors, software reverse engineering and tampering, use of emulator cards or software debugging tools, and various other sophisticated hacking techniques.
- DRM selection should not restrict future service offerings or business models. Rent versus buy distribution, local storage, content exporting and device bridging all have unique requirements, which impact DRM selection and implementation.
Figure 1: Each content protection subsystem contains its own secrets, keys, algorithms and sensitive assets.
Another factor to weigh is the requirement for separable conditional access. Cable and satellite services have been closed networks with limited opportunity for PCs and CE devices to access their content. Under specifications such as CableCARD and DVB CI Plus, the CA system lives in a standalone “separable security device” rather than being integrated within the set-top box. In advanced STBs, secure bridging is also required so that content and its entitlements can pass securely from the CA system to the local DRM and link protection systems.
From a security perspective, terminating conditional access on a PCMCIA card creates unique challenges. The CA module descrambles the content and then re-encrypts it in the format the interface specifies for transmission over the PCMCIA bus to the host device, such as an STB, digital cable-ready TV or PVR. This re-encryption from CA to the interface DRM must be done without exposing clear content or CA keys to the host, and must conform to the compliance and robustness rules of each standard.
An alternative to separable CA is the downloadable CA model, where the CA system can be deployed and updated as required without the need for new hardware or a service call by the operator. However, when software CA is deployed, the CA client on the STB must be adequately protected from software hacking, as well.
The third complicating factor is the deployment of home media networks. Home media networks allow content to be shared with a wide range of network-enabled devices, including STBs, digital televisions, digital/personal video recorders, personal computers and portable media players. As consumers demand seamless access to licensed content from any device, STB OEMs have the opportunity to differentiate their products with innovative features. However, increased content portability leads to higher security risks.
Following on the success of the PVR, consumers are now demanding that stored content be accessible on all of their televisions. One approach is to offer low-cost “daughter” STBs that can pull the recorded programming from a single, more expensive “mother” PVR. While cost-effective from a hardware perspective, this model presents additional security risks, requiring DRM link protection and bridging capability to protect locally stored content.
Meanwhile, unlike other “embedded” devices that run on a relatively closed hardware platform, the PC is a completely open system where a user can freely install hacking tools such as debugging utilities, compilers, memory scraping utilities, etc., to tamper with or reverse engineer software control systems. For PCs to be effectively integrated into the premium content ecosystem, the entire video processing pipeline must be secured, including decryption, demultiplexing, decoding and hand-off to secure drivers.
Figure 2: Broadband content providers and the digital home network.
Consumers also want to access content on a variety of CE devices. For content to remain protected under these use cases, CE devices must use robust DRM technologies. However, content portability has been difficult to achieve due to licensing restrictions of many DRM standards. One way to improve interoperability is to leverage a downloadable DRM architecture that is agnostic to the specific standard, allowing DRMs to be deployed “on demand,” or as required by the service. This future-proofing strategy enables the business models and services to evolve without replacing equipment already deployed.
Yet another factor complicating the security environment is the lack of standards among the various DRM technologies available.
A number of different approaches have been taken to facilitate DRM interoperability, with no clear winner to date. DRMs such as OMA DRM 2.0, WMDRM-PD, PlayReady and Marlin support content purchase and other business models, while link protection DRMs such as DTCP-IP and WMDRM-ND protect in-home content streams. Framework technologies such as Coral and DVB-CPCM promote in-home DRM interoperability. The best choice of DRM will depend on the usage scenarios and the type of ecosystem that needs to be supported.
With CableLabs’ approval of DTCP-IP for protecting cable content, and its acceptance by the Digital Living Network Alliance (DLNA), many STB OEMs are actively integrating this technology into new products. Some manufacturers are using DTCP-IP as part of a solution to enable interoperability between their own devices, while others are building DLNA compliance directly into the STB, enabling a broad content-sharing ecosystem with consumer electronics.
It must be assumed that hacking will be attempted on any system carrying premium content. The attacks will come from hobbyists and hacking communities, primarily driven by recognition, and from commercial hackers driven primarily by profit. Device manufacturers must achieve sustainable device security in the face of both. To do so, the STB must first provide a high level of initial attack resistance, which depends on the services and features supported. Each of the following security systems must resist attempts to bypass it through reverse engineering or tampering; a vulnerability in any one of them compromises the whole system, because an attacker needs only the weakest point at which clear content or keys are exposed.
- Separable conditional access system: May exist as either hardware or software modules. In both cases, the CA system and its interface to the device must be protected. Secure bridging is required if the content will be stored locally on the PVR or streamed over the home network via a link protection DRM.
- PVR system: A PVR-capable STB must securely store recorded content locally in the device. Since the PVR is acting as a local, proprietary DRM, it must adhere to compliance and robustness rules. Secure bridging is required if the PVR content is streamed over link protection or exported via DRM to other devices in the home.
- Over-the-top video DRM system: If the set-top box supports premium OTT video services, its DRM system must meet the compliance and robustness rules associated with the DRM standard. Secure bridging is required in situations where OTT content is streamed over link protection or exported via DRM to other devices in the home.
- Link protection system: If the STB supports content streaming over the home network, a robust link protection DRM system such as DTCP-IP or WMDRM-ND is required.
- DRM export system: If the set-top box supports content sharing over the home network via DRM export, it will integrate a DRM system, and must therefore meet the associated compliance and robustness rules.
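The secure bridging that the list above calls for, as an added example that is not the article's or any vendor's code. It models the hand-off from a separable CA module to a local PVR store and to a link-protection stream: each subsystem holds only its own key, the CA control word never leaves the CA object, and the copy-control state travels with the content. The assumptions are mine: the copy-control states and the record/stream transitions follow the usual DTCP vocabulary (copy-free, copy-one-generation, no-more-copies, copy-never); the HMAC-based stream cipher is a stand-in for AES and is not any real CA or DRM algorithm; keys, nonce and the payload are constructed sample data.

```python
"""Added example, not the article's code: a toy secure bridge from a
conditional-access module through a PVR store to a link-protection stream.
Copy-control states follow DTCP naming (an assumption of this example); the
cipher is an HMAC-SHA256 counter-mode stand-in for AES, and all keys and
content are constructed sample values."""
import hashlib
import hmac

COPY_FREE, COPY_ONE_GEN, NO_MORE_COPIES, COPY_NEVER = "CF", "COG", "NMC", "CN"
NONCE = bytes(8)                     # fixed for the toy; real links use per-packet IVs
SAMPLE_PROGRAM = b"constructed sample transport payload " * 3


def k(label: str) -> bytes:
    """Constructed 128-bit keys derived from labels (illustration only)."""
    return hashlib.sha256(label.encode()).digest()[:16]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


class CAModule:
    """Separable CA side of the bridge. The control word never leaves this
    object: content leaves re-encrypted under the host's bridge key, together
    with the copy-control state (CCI) carried by the entitlement."""

    def __init__(self, control_word: bytes, entitlement_cci: str):
        self._cw, self._cci = control_word, entitlement_cci

    def bridge(self, scrambled: bytes, bridge_key: bytes):
        clear = stream_xor(self._cw, NONCE, scrambled)          # descramble
        return stream_xor(bridge_key, NONCE, clear), self._cci  # re-encrypt


class PVRStore:
    """Local DRM. Recording is itself a copy, so the usage state advances on
    write, and copy-never / no-more-copies content is refused."""

    def __init__(self, bridge_key: bytes, storage_key: bytes):
        self._bridge_key, self._storage_key, self.items = bridge_key, storage_key, {}

    def record(self, name: str, blob: bytes, cci: str) -> str:
        if cci in (COPY_NEVER, NO_MORE_COPIES):
            raise PermissionError(f"{cci} content may be viewed but not recorded")
        stored_cci = NO_MORE_COPIES if cci == COPY_ONE_GEN else cci
        clear = stream_xor(self._bridge_key, NONCE, blob)
        self.items[name] = (stream_xor(self._storage_key, NONCE, clear), stored_cci)
        return stored_cci

    def stream_out(self, name: str, link: "LinkProtection"):
        blob, cci = self.items[name]
        return link.send(stream_xor(self._storage_key, NONCE, blob), cci)


class LinkProtection:
    """Home-network link (DTCP-IP style): re-keys to the session key agreed
    with the sink and carries the CCI so the sink enforces the same rules."""

    def __init__(self, session_key: bytes):
        self._session_key = session_key

    def send(self, clear: bytes, cci: str):
        return stream_xor(self._session_key, NONCE, clear), cci

    def receive(self, packet):
        blob, cci = packet
        return stream_xor(self._session_key, NONCE, blob), cci


def record_then_stream(cci: str):
    """CA -> PVR -> link -> sink. Returns (stored CCI, CCI at sink, clear at sink)."""
    ca = CAModule(k("ca control word"), cci)
    scrambled = stream_xor(k("ca control word"), NONCE, SAMPLE_PROGRAM)
    blob, cci = ca.bridge(scrambled, k("bridge"))
    pvr = PVRStore(k("bridge"), k("storage"))
    stored = pvr.record("show", blob, cci)
    link = LinkProtection(k("session"))
    clear, sink_cci = link.receive(pvr.stream_out("show", link))
    return stored, sink_cci, clear


def stream_live(cci: str):
    """CA -> link -> sink with no local copy, which copy-never content permits."""
    ca = CAModule(k("ca control word"), cci)
    scrambled = stream_xor(k("ca control word"), NONCE, SAMPLE_PROGRAM)
    blob, cci = ca.bridge(scrambled, k("bridge"))
    link = LinkProtection(k("session"))
    clear, sink_cci = link.receive(link.send(stream_xor(k("bridge"), NONCE, blob), cci))
    return sink_cci, clear


def record_allowed(cci: str) -> bool:
    """True if the PVR accepts content in this copy-control state."""
    try:
        record_then_stream(cci)
        return True
    except PermissionError:
        return False
```

In a real device the re-keying steps inside `record` and `stream_out` run within a protected boundary (a secure processor or the CA module itself) so that clear content and intermediate keys never reach host memory; in this toy they are plain Python variables, which is exactly the exposure the compliance and robustness rules forbid.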
Sustainable security is also strengthened by proactive software renewability: regularly replacing the security software on an operator's installed base with new, diversified instances forces attackers to abandon their existing analysis and start over, raising the cost of a sustained attack.
Even so, history has shown that given enough time and resources, any system can be broken. A sustainable security strategy therefore also limits the damage of a successful breach: mechanisms to deploy security updates quickly minimize the time the system is exposed, and security diversity techniques reduce the share of the installed base that one breach affects.
Software diversity lets developers build functionally equivalent software instances that are structurally unique, so diversity can be applied by STB model, by geographic region or to every individual STB. If an attack succeeds against one instance, diversity confines it to the devices running that instance; the attacker must repeat the analysis for each variant, which multiplies the effort needed to make the hack viable across the installed base and undermines the commercial hacker's business model.
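The diversity argument of the last three paragraphs, as an added example that is not the article's or any vendor's code. Every build computes the same secret lookup (a stand-in for a key-schedule step in a CA or DRM client), but each build stores the table under its own input permutation and output mask, so the firmware images differ while the behaviour does not. The assumptions are mine: the reference S-box, the device identifiers and the choice of seeding scope are constructed, and Python's `random` stands in for the keyed derivation a real build pipeline would use.

```python
"""Added example, not the article's code: toy software diversity.

All instances implement one secret lookup, but each stores its table under
an instance-specific encoding. Everything here is constructed; `random` is a
stand-in for a keyed derivation from a build, region or device identifier."""
import hashlib
import random

# Constructed reference S-box: the one function every instance must compute.
_ref_rng = random.Random(0x5EC)
REFERENCE_SBOX = list(range(256))
_ref_rng.shuffle(REFERENCE_SBOX)


class DiversifiedInstance:
    """One structurally unique build of the lookup."""

    def __init__(self, seed: bytes):
        rng = random.Random(seed)            # seed = model, region or device id
        self.perm = list(range(256))         # input encoding P
        rng.shuffle(self.perm)
        self.mask = rng.randrange(1, 256)    # output encoding (XOR mask)
        # Stored table T with T[P(x)] = S(x) ^ mask: neither S nor the
        # encodings appear in the firmware image in the clear.
        self.table = [0] * 256
        for x in range(256):
            self.table[self.perm[x]] = REFERENCE_SBOX[x] ^ self.mask

    def lookup(self, x: int) -> int:
        return self.table[self.perm[x]] ^ self.mask

    def fingerprint(self) -> str:
        """What a firmware dump exposes: only the stored table."""
        return hashlib.sha256(bytes(self.table)).hexdigest()[:16]


def build_fleet(device_ids, scope):
    """One instance per device; `scope(device_id)` picks the diversity seed,
    so diversity can be per model, per region or per individual box."""
    return {d: DiversifiedInstance(scope(d).encode()) for d in device_ids}


def functionally_equivalent(instances) -> bool:
    """Every build returns the reference result on every input."""
    instances = list(instances)
    return all(inst.lookup(x) == REFERENCE_SBOX[x]
               for inst in instances for x in range(256))


def structurally_distinct(instances) -> bool:
    """No two builds share a firmware fingerprint."""
    instances = list(instances)
    return len({inst.fingerprint() for inst in instances}) == len(instances)


def transfer_crack(cracked, victim) -> int:
    """The attacker fully reverse-engineered `cracked` (knows its perm and
    mask) and replays that knowledge on `victim`'s dumped table. Returns how
    many of the 256 inputs the replay gets right: 256 on the same build,
    roughly chance level (about one) on any other."""
    return sum(victim.table[cracked.perm[x]] ^ cracked.mask == REFERENCE_SBOX[x]
               for x in range(256))


def affected_fraction(fleet: dict, cracked_id: str) -> float:
    """Share of the installed base running the same build as the cracked box."""
    fp = fleet[cracked_id].fingerprint()
    return sum(i.fingerprint() == fp for i in fleet.values()) / len(fleet)


if __name__ == "__main__":
    devices = ["A-001", "A-002", "B-001"]            # constructed device ids
    per_model = build_fleet(devices, lambda d: d.split("-")[0])
    per_device = build_fleet(devices, lambda d: d)
    print("per-model:  affected by one crack =", affected_fraction(per_model, "A-001"))
    print("per-device: affected by one crack =", affected_fraction(per_device, "A-001"))
    a, b = per_device["A-001"], per_device["A-002"]
    print("replay on same build:", transfer_crack(a, a), "/256")
    print("replay on sibling build:", transfer_crack(a, b), "/256")
```

The `scope` function is where the policy from the paragraph above is set: seeding by model confines a crack to one model, seeding by device confines it to one box, at the cost of one build artifact per seed that the renewability pipeline must be able to produce and ship.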
When developing next-generation set-top boxes to satisfy evolving content delivery and consumption models, OEMs should formulate and implement security strategies that address the challenges of multi-source, multi-device networked environments. To do so, OEMs must understand the security issues and vulnerabilities associated with managing both CA- and DRM-protected content in hostile environments where hackers have access to sophisticated reverse engineering and tampering tools. To meet DRM compliance and robustness requirements, OEMs should seek an independent conformance assessment from qualified DRM security experts.