
EBU Warns Of Cybersecurity Threats From IT Technologies In Broadcast Domain

Broadcasters are becoming exposed to new cybersecurity threats as they move workflows increasingly into the IT domain, warns the EBU (European Broadcasting Union). Some of them may be unprepared and assume that their traditional content protection mechanisms based on Conditional Access and DRM technologies are still sufficient to cover their security needs.

While vendors of such legacy systems, including Verimatrix, Kudelski’s Nagra and Irdeto, are themselves extending their portfolios to meet new cybersecurity threats such as malware and Distributed Denial of Service (DDoS) attacks, broadcasters also need to establish good practices and ensure that their defenses are regularly checked and upgraded when necessary. After all, the threat landscape is constantly evolving, and unless broadcasters outsource their security management entirely to a third-party monitoring service they cannot rely on existing products to be always up to date, even when patches are distributed automatically.

Accordingly, the EBU has published a guide called Minimum Security Tests for Networked Media Equipment to highlight new risks arising as workflows migrate to generic IP-based IT systems. These are cybersecurity risks common to all enterprise systems and not directly associated with traditional content protection. One problem is that a number of traditional broadcast systems are not protected against such threats: they were not previously connected to the Internet, so these risks did not exist for them.

The guidelines note, for example, how LDAP (Lightweight Directory Access Protocol) is widely used for authentication and other services, being convenient because it enables single logon, where one user password is used for different services. LDAP authentication is used for communicating with a variety of directories, including Microsoft’s ubiquitous Active Directory in Windows environments.

LDAP on its own offers no security against attacks, whether these are active or passive. An active attack occurs when hackers attempt to make changes to data either in the target system or while in transmission to it. LDAP offers no protection against that, so the stream can be modified and unauthorized requests can be injected. Passive attacks occur when the network is being monitored or scanned for open ports and vulnerabilities which the hacker might then use for subsequent direct actions. Since LDAP transmits data unencrypted, there is nothing to stop attackers eavesdropping on it.

The recommendation then is to implement Secure LDAP based on SSL (Secure Sockets Layer) and check that it is set up correctly to protect against attackers hijacking connections, eavesdropping data or trapping passwords.

The EBU paper also refers to firmware, both to check that the latest security updates have been downloaded to it and to ensure that it is fundamentally secure itself. It recommends running security tests using tools such as the IDA Debugger (Hex-Rays) to check whether the firmware itself is secure; insecure firmware may be unlikely, but it would be a major vulnerability if that was the case. This widely applied tool probes the firmware code and creates maps of its execution pathways. This enables it to verify that the firmware does not execute illicit actions that breach security thresholds and to identify any hostile code that has found its way there.

It also alludes to the subject of fuzzing, which could consume a whole paper in itself but in essence involves firing large amounts of different data at the system, attempting to induce a crash and observing responses to see if security threats arise. In the hands of hackers, the aim is to discover a vulnerability that can be exploited, while for defenders it is about testing for bugs that should be fixed. Broadcasters should lean on their product suppliers and systems integrators to ensure that appropriate fuzz testing has been conducted and, where relevant, continues to be done periodically.

One interesting point not made in the EBU paper but identified by Faultline Online Reporter, published weekly by Rethink Technology Research, was that many of these same vulnerabilities will have to be addressed for the Internet of Things. Faultline in turn referred to a paper, The State of Fuzzing 2017, from California-based design automation group Synopsys, showing that Industrial Control Systems, which form the basis of the IoT even for consumer services, have experienced a high incidence of failures as a result of such loopholes. These should be fixed now because many personal IoT components based on firmware may be hard to update after release.
