IPTV's growing security shield
When it comes to security, IPTV providers have built layers of protection they hope will deter the most determined of thieves.
In their efforts to prevent theft of service and to protect the content they have licensed, IPTV providers are deploying many different tactics, some of which are copied from existing video services and some that are unique to IPTV. They also are looking forward to standardized interfaces, conditional access systems and more tools such as digital watermarking that will enable the entire industry to better track down content pirates.
But for the near term, IPTV service providers are satisfied — and wary.
Many in the security industry believe it is still early for IPTV security because deployment is low enough that it is not yet on the radar screen of major content pirates. As deployments grow, however, they believe that will change.
“There is a bit of complacency,” said Meir Lehrer, vice president of U.S. technical sales and partnership programs for NDS. “Hackers never really go after a system until it reaches a certain subscriber base. IPTV is too nascent for them to have attracted attention yet. It's something we need to be cognizant of and prepared for.”
Paul Whitehead, executive director of advanced access technology for AT&T, believes, however, that the multilayered approach taken by his company and other IPTV providers represents a smarter option that is enhanced by IPTV's two-way capabilities.
“You always have to continue to work on security and we will be, and I would agree that there are some very sophisticated [theft] rings out there,” he said. “What I'm not sure I want to totally agree with is the connotation that you are always going to be hacked and fighting a running battle.
“I think that we're a modern switched digital video system, and we would do significantly better than what has been done in the past,” Whitehead added. “I'm not sure the history of the last 15 years in video protection, which is not that great, is the history of the next 15 years in video protection. We'll be better, and so will our competitors.”
In an IP-based system, it can be easy to spoof messages, said Mike Coward, chief technology officer for Continuous Computer, a security software firm. “The message looks like it is coming from your neighbor, who paid for HBO, and it asks for the content to be delivered to your set-top box,” he said.
AT&T is combating that kind of service theft by tracking the origin of messages, something that is only doable because IPTV enables service providers to know where messages are coming from.
“In our tree-and-branch-type copper network, when packets come back, we know what port they come from, so we can know what port you are hooked up to,” Whitehead said. “Your packets and your neighbors' packets come back on different wires. Even if you were to try to spoof your neighbor's address, it wouldn't work.”
The two-way network also can detect when a set-top box is improperly deployed, he said. “In our network, we actually do some checks.”
That kind of more sophisticated snooping is only one of the layers of protection, however. It starts with secure facilities, said Carl Murray, strategic technologies director for SureWest, which pioneered IPTV deployment in 2003.
“When we started out, it was wide open; we knew it was going to be important but we didn't know what to do,” Murray recalled.
SureWest started with physically secure facilities from the headend through the network and remote terminals to the customer's home, with card-key access and video cameras for security.
The next security layer is conditional access, which restricts access to content to those who have paid for that content. “It is a bit of a gray area, whether you do this in middleware or through encryption,” Murray said. “We only transmit to each subscriber the package they have subscribed to.” Conditional access that uses encryption often is based on secure keys that must be passed to a receiver [set-top box] to allow scrambled content to be unscrambled for legitimate subscribers.
Verizon, which delivers a hybrid service using standard radio frequency technology for cable channels and IPTV for video-on-demand (VOD) and interactive services, uses conditional access for its VOD content, said Dan O'Callahan, principal member of technical staff/video architect for Verizon and chair of the IPTV Interoperability Forum.
SureWest also layers on parental controls, which are customizable, and can use multiple passwords and multiple accounts. “They create channel exclusions. They actually remove the channel so [kids] can't see it; it doesn't just block it,” Murray said. On top of that layer, SureWest uses the Advanced Encryption Standard (AES) for its VOD service and broadcast channels.
Another layer in the IPTV security stack is digital rights management (DRM), which controls a customer's right to use the content once there is access.
In AT&T's case, the security layers include encryption via industry-standard DRM that is incorporated into the Microsoft IPTV middleware.
“There is some confusion about this,” Whitehead said. “There has been discussion by people who are not familiar with our system and jump to the conclusion that the Microsoft DRM that is on PCs is the same for IPTV, and that's not true. There is a Microsoft IPTV DRM that is similar, but it has longer keys and rotating keys, which are things that are not standard in Microsoft DRM. The additional things on Microsoft IPTV DRM make it carrier class.”
In addition, to securely get the first key across to the set-top box, the first key is burned into the hardware instead of being passed across the network, he added.
AT&T also is using deep packet inspection — in which individual packets are examined to determine the type of content — as one of its security layers, but Whitehead declined to go into detail about how DPI is being used.
DPI vendors have suggested it's possible to use the technology to detect pirated content.
“DPI is a specific technology that has evolved to represent a whole bunch of different techniques used to identify traffic and the relationships between users in the network,” said Tom Donnelly, executive vice president of marketing and sales for Sandvine, a DPI and IPTV security provider. “With regard to IPTV and its payload, these technologies definitely have an application. The problem is more a philosophical determination of what's legal and what's illegal and who gets to decide.”
Use of DPI has become a sensitive topic in the Internet realm because of fears that service providers will use it to block certain types of content, such as peer-to-peer traffic or competing services. In the IPTV world, it could be used specifically to detect pirated content, but also to prevent attacks that would disrupt service, making the case for the technology clearer.
To detect piracy, DPI could be used in conjunction with digital watermarking, a technology that allows a content provider to put a mark on content identifying the last legitimate owner or viewer, so that pirated content can be traced back to its source for potential law enforcement. The idea is to use digital watermarks as a deterrent to would-be thieves.
DPI also can be used “to see the signatures of known attacks, where messages are formatted strangely,” Coward said. “What if I program my set-top box to send a million channel changes a second? That's the simplest kind of attack but no other subscriber could change their channel. The DPI layer is the right place to look for unusual behavior because you can't do it at the server — it's not meant for wire speeds — and it doesn't bother the middleware layer to see one million channel changes per second.”
DPI could also detect other types of attacks, such as those launched by one subscriber on another, he said.
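The two checks described above (tying each request to the access port it arrived on, and watching for a channel-change flood at the inspection layer) can be sketched as follows. This is an added example, not code from the article or from any provider or vendor it names; the port names, addresses, event format and threshold are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed provisioning data: access port -> subscriber address bound to it.
PORT_BINDINGS = {"dslam1/3": "10.0.0.3", "dslam1/4": "10.0.0.4"}
MAX_CHANGES = 5       # assumed limit on channel changes per window
WINDOW_SECONDS = 1.0  # assumed sliding-window length


def inspect(events, bindings=PORT_BINDINGS,
            max_changes=MAX_CHANGES, window=WINDOW_SECONDS):
    """Return (spoofed, flooding) for (time, port, source, channel) events.

    spoofed: requests whose claimed source is not the address bound to the
    port they arrived on (unprovisioned ports are flagged as well).
    flooding: ports that exceeded max_changes requests within the window.
    """
    spoofed, flooding = [], set()
    recent = defaultdict(deque)  # arrival port -> recent request times
    for ts, port, src, channel in events:
        # Rate check is keyed on the arrival port, which the sender cannot
        # forge, so spoofed requests still count against the real origin.
        times = recent[port]
        times.append(ts)
        while ts - times[0] >= window:
            times.popleft()
        if len(times) > max_changes:
            flooding.add(port)
        # Binding check: the wire a packet came back on decides who sent it.
        if bindings.get(port) != src:
            spoofed.append((ts, port, src, channel))
    return spoofed, flooding


def sample_events():
    """Constructed channel-change requests, ordered by time."""
    events = [
        (0.0, "dslam1/3", "10.0.0.3", "HBO"),   # legitimate subscriber
        (0.2, "dslam1/4", "10.0.0.3", "HBO"),   # neighbor's address, wrong port
    ]
    # Twenty requests in 20 ms from one port: a channel-change flood.
    events += [(1.0 + i * 0.001, "dslam1/4", "10.0.0.4", "news") for i in range(20)]
    events += [(2.5, "dslam1/3", "10.0.0.3", "sports")]
    return events


if __name__ == "__main__":
    spoofed, flooding = inspect(sample_events())
    print("spoofed requests:", spoofed)
    print("flooding ports:", sorted(flooding))
```
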
Digital watermarking requires more cooperation with content owners to deal with many issues, a process that is now under way, Verizon's O'Callahan said.
The IPTV Interoperability Forum, which is part of the Alliance for Telecommunications Industry Standards, has its own DRM task force looking at conditional access and other DRM issues in the hope of creating standard algorithms that extend the work of the Digital Video Broadcasting (DVB) standards to develop standardized interfaces to conditional access systems.
The goal is for the security software to treat all vendors the same, he said. “You might do different things, but how you pass data in and out of it would be standardized,” he said. “That's a step more than what [DVB] standards did.”
One of the challenges to creating standardized DRM is getting cooperation from the content creators, O'Callahan said. While the Motion Picture Association of America will be at the IIF's October meeting in San Jose, there is no guarantee its members will follow the association's lead.
The IIF also must deal with another layer of security for IPTV service called trust certificates, which identify trusted parties for sending messages within the IPTV ecosystem, O'Callahan said.
“In the IPTV world, there are other things that need protection,” he said. “For example, we are required to support emergency alert notification services, and we don't want those to be generated by just anybody in the network. We want to make sure some clever kid from MIT can't convince your router to send out an emergency alert system notification. So one of the functions we have to address is authenticity or how you officially sign communication traffic for the purpose of operating the system reliably.”
The other major issue for IPTV is ensuring that content decrypted at a set-top box can't be sent over an IP connection to a PC, where it can be copied, O'Callahan said. Content creators are particularly concerned about high-definition television content “because it is too easy to burn disks — there are already announcements of Blu-ray disk burners,” he said.
Digital watermarks may play a more significant role in dealing with that kind of piracy.
“We have not gotten to that within the IIF yet, but it is a topic on the table to do,” O'Callahan said. “The real long-term answer is not technology that prevents you from pirating, but it's more technology that allows law enforcement to find the pirate. All of our efforts in the past have been to keep content under lock and key, to prevent you from doing business. The real value technology will be in digital fingerprinting and watermarking.”
SureWest is trying to make sure it has that capability through its own DRM vendor, Widevine, although it is not yet in use, Murray said. “We put it on the [requests for information]; we've made sure we had it moving forward.”
The company chose Widevine for DRM because it offered a software-based security system, versus the smart card systems widely used in cable television. The move to “virtual smart cards,” which can be renewed instantaneously if hacked, is another trend in IPTV security.
AT&T considers digital watermarks another layer of protection going forward, but doesn't think the technology is quite ready for implementation, Whitehead said.
LAYERS OF SECURITY
IPTV providers have a growing number of security options to prevent theft of service and to protect the content they have licensed.
- Authenticate network entities.
- Protect data integrity.
- Control facility access through card keys, video cameras.
- Encrypt signals.
- Conditional access: ensure only subscribers to a service see that service.
- Parental controls: make sure juveniles see only approved content.
- Spoof protection: detect improperly used end devices.
- Digital rights management: apply policies to how content can be used once accessed.
- Digital watermarking: embed watermark that can be used to identify source of theft.
- Deep packet inspection: examine individual packets to detect theft.
© 2014 Penton Media Inc.