EBU Warns Of Cybersecurity Threats From IT Technologies In Broadcast Domain

Broadcasters are becoming exposed to new cybersecurity threats as they move workflows increasingly into the IT domain, warns the EBU (European Broadcasting Union). Some of them may be unprepared and assume that their traditional content protection mechanisms based on Conditional Access and DRM technologies are still sufficient to cover their security needs.

While vendors of such legacy systems such as VerimatrixKudelski’s Nagra and Irdeto are themselves extending their portfolios to meet new cybersecurity threats such as malware and Distributed Denial of Service (DDoS) attacks, broadcasters need also to establish good practices and ensure that their defenses are regularly checked and upgraded when necessary. After all the threat landscape is constantly evolving and unless broadcasters outsource their security management entirely to a third-party monitoring service they cannot rely on existing products to be always up to date, even when patches are distributed automatically.

Accordingly, the EBU has published a guide called Minimum Security Tests for Networked Media Equipment to highlight new risks arising as workflows migrate to generic IP based IT systems. These are cybersecurity risks common to all enterprise systems and not directly associated with traditional content protection. One problem is that a number of traditional broadcast systems are not protected against such threats because they were not previously connected to the Internet so that these new risks did not exist.

The guidelines note for example how the LDAP (Lightweight Directory Access Protocol) protocol is widely used for authentication and other services, being convenient because it enables single logon where one user password is used for different services. LDAP authentication is used for communicating with a variety of directories, including Microsoft’s ubiquitous Active Directory in Windows environments.

LDAP on its own offers no security against attacks, whether these are active or passive. Active attack occurs when hackers attempt to make changes to data either in the target system or while in transmission to it and LDAP offers no protection against that so that the stream can be modified and unauthorized requests can be injected. Passive attacks occur when the network is being monitored or scanned for open ports and vulnerabilities which the hacker might then use for subsequent direct actions. Since LDAP transmits data unencrypted there is nothing to stop attackers eavesdropping on it.

The recommendation then is to implement Secure LDAP based on SSL (Secure Sockets Layer) and check that it is set up correctly to protect against attackers hijacking connections, eavesdropping data or trapping passwords.

The EBU paper also refers to firmware, both to check that the latest security updates have been downloaded to it and also to ensure that it is fundamentally secure itself. It recommends running security tests using tools such as firmware IDA Debugger (HEX-rays) to check if the firmware itself is secure, which may be unlikely but a major vulnerability if that was the case. This widely applied tool probes the firmware code and created maps of its execution pathways. This enables it to verify that the firmware does not execute illicit actions that breach security thresholds and identify any hostile code that has found its way there.

It also alludes to the subject of fuzzing, which could consume a whole paper in itself but in essence involves firing large amounts of different data at the system attempting to induce a crash and observing responses to see if security threats arise. In the hands of hackers, the aim is to discover a vulnerability that can be exploited, while for defenders it is about testing for bugs that should be fixed. Broadcasters should lean on their product suppliers and systems integrators to ensure that appropriate fuzz testing has been conducted and where relevant continues to be done periodically.

One interesting point not made in the EBU paper but identified by Faultline Online Reporter published weekly by Rethink Technology Research was that that many of these same vulnerabilities will have to be addressed for the Internet of Things. Faultline in turn referred to a paper The State of Fuzzing 2017 from California based design automation group Synopsys, showing that Industrial Control Systems, which form the basis of the IoT even for consumer services, have experienced a high incidence of failures as a result of such loopholes. These should be fixed now because many personal IoT components based on firmware may be hard to update after release.

You might also like...

KVM & Multiviewer Systems At NAB 2024

We take a look at what to expect in the world of KVM & Multiviewer systems at the 2024 NAB Show. Expect plenty of innovation in KVM over IP and systems that facilitate remote production, distributed teams and cloud integration.

Wi-Fi Gets Wider With Wi-Fi 7

The last 56k dialup modem I bought in 1998 cost more than double the price of a 28k modem, and the double bandwidth was worth the extra money. New Wi-Fi 7 devices are similarly premium-priced because early adaptation of leading-edge new technology…

NAB Show 2024 BEIT Sessions Part 2: New Broadcast Technologies

The most tightly focused and fresh technical information for TV engineers at the NAB Show will be analyzed, discussed, and explained during the four days of BEIT sessions. It’s the best opportunity on Earth to learn from and question i…

Standards: Part 6 - About The ISO 14496 – MPEG-4 Standard

This article describes the various parts of the MPEG-4 standard and discusses how it is much more than a video codec. MPEG-4 describes a sophisticated interactive multimedia platform for deployment on digital TV and the Internet.

The Big Guide To OTT: Part 9 - Quality Of Experience (QoE)

Part 9 of The Big Guide To OTT features a pair of in-depth articles which discuss how a data driven understanding of the consumer experience is vital and how poor quality streaming loses viewers.