Broadcasters Fail To Address Common Cybersecurity Vulnerabilities

Broadcasters are falling prey to common cybersecurity vulnerabilities as some struggle to adjust to the migration away from traditional dedicated systems to generic, IP-based infrastructures that look much more like those of enterprises in other sectors.

That conclusion has been reached by the EBU (European Broadcasting Union) in a report just published by the Joint Task Force on Networked Media (JT-NM), based on tests conducted in August 2019 at Wuppertal in Germany.

The tests indicated that broadcasters are now exposed to general cybersecurity vulnerabilities that have long been known about, and in many cases addressed, within general enterprise data centers, on top of traditional media threats such as revenue theft and video piracy. A key sentence comes lower down in the report: "Gone are the days when broadcast equipment consisted of custom software running on dedicated hardware." Too many broadcasters seem insufficiently aware of the exposures that follow from this development, but the EBU, while describing it as a logical evolution, also implicitly criticized infrastructure vendors for doing too little to protect their customers from the resulting threats. It called on vendors to adopt best practices from the IT industry, especially on cybersecurity, even where this requires specialized training for product teams.

The report makes depressing reading in that broadcasters are exposed unnecessarily to vulnerabilities long known about, but the good news is that most can be readily fixed. There are also two vulnerability categories, unpatched software and unauthenticated remote access, in which the tested equipment fared well. Of the 385 vulnerabilities found across the tested devices, only 0.8% (three) were attributable to unpatched software and none at all to unauthenticated remote access. This probably reflects broadcasters having already had to deal with remote access as they deployed OTT and catch-up portals, while also having grown accustomed to issuing regular software updates.

The most common category was encryption misconfiguration, accounting for one third (33.42%) of the vulnerabilities identified, followed by unnecessary features at just over a quarter (26.53%). The vulnerability scanner reported many issues with how encryption was configured or implemented, each of which weakened the protection, although the report conceded that in most cases it was still sufficient to thwart many potential attacks.
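For a device with a web or API front end, the "encryption misconfiguration" bucket is in practice almost always a TLS configuration problem: old protocol versions, and cipher suites that a scanner will negotiate but an enterprise baseline would refuse. The following is an added example and is not code from the EBU report or from any tested product. It assumes a scanner has reported the cipher-suite names a device will negotiate, in OpenSSL notation (the sample list below is constructed), flags the classes a reviewer would reject, and builds a hardened server-side `ssl.SSLContext` that the same check passes. The classification rules and the cipher string are choices made for this example, not a standard.

```python
import ssl

# Constructed sample: cipher-suite names as a scanner might report them from a
# device's web interface. Illustrative only, not taken from the EBU report.
SAMPLE_CIPHERS = [
    "TLS_AES_256_GCM_SHA384",          # TLS 1.3, fine
    "ECDHE-RSA-AES128-GCM-SHA256",     # TLS 1.2 with forward secrecy, fine
    "AES128-SHA",                      # static RSA key exchange, no forward secrecy
    "DES-CBC3-SHA",                    # 3DES (64-bit block, Sweet32)
    "RC4-MD5",                         # RC4
    "NULL-SHA256",                     # integrity only, no confidentiality
    "EXP-RC4-MD5",                     # export-grade (40-bit) key
    "ADH-AES128-SHA",                  # anonymous DH, server never authenticated
]


def classify_cipher(name):
    """Return None if the suite is acceptable, otherwise a short reason it is weak.

    Rules follow OpenSSL naming conventions; the first matching rule wins.
    """
    if "NULL" in name:
        return "no encryption"
    if name.startswith("EXP"):
        return "export-grade key length"
    if name.startswith(("ADH", "AECDH")):
        return "anonymous key exchange (server not authenticated)"
    if "RC4" in name:
        return "RC4 stream cipher"
    if "DES" in name:
        return "DES/3DES block cipher"
    if name.endswith("-MD5"):
        return "MD5 MAC"
    if not name.startswith(("ECDHE", "DHE", "TLS_")):
        return "no forward secrecy (static RSA key exchange)"
    return None


def weak_ciphers(names):
    """Map each flagged suite name to the reason it was flagged."""
    flagged = {}
    for name in names:
        reason = classify_cipher(name)
        if reason:
            flagged[name] = reason
    return flagged


def hardened_server_context():
    """Server-side context that only offers TLS 1.2+ with AEAD, forward-secret suites.

    The cipher string is an assumption made for this example, not a vendor default.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION   # rules out CRIME-style compression leaks
    return ctx


def audit_context(ctx):
    """Run the same classifier over what a context actually offers."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "suites": len(names),
        "weak": weak_ciphers(names),
    }


if __name__ == "__main__":
    for suite, reason in weak_ciphers(SAMPLE_CIPHERS).items():
        print(f"{suite:32} {reason}")
    print(audit_context(hardened_server_context()))
```

The same `weak_ciphers` check can be pointed at the list a real scanner returns for a device, and the hardened context is what the device's own HTTPS listener should be configured to, with the TLS 1.3 suites that OpenSSL adds on top of the cipher string left in place.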

Including features that users are highly unlikely to invoke in practice is a common problem, and usage analytics can help identify which ones are never exercised. As the EBU noted, each such feature needlessly increases the attack surface of the system, creating risk that could simply be eliminated by removing or disabling it.

Pie chart of common cybersecurity vulnerabilities for broadcasters.

Failure to change default credentials came next on the list, accounting for 13.26% of the total. This is an exposure that dates back to the early days of computing, when system manufacturers or administrators kept passwords enabling them to access systems, sometimes as a last resort. The testing could not determine whether the initial installation procedure compelled users to change the default password, but forcing such a change at first use is clearly good practice. The problem is that default passwords can be readily obtained from product documentation or online databases, so they amount to an open back door into the service. Such passwords can also be disclosed by employees, either accidentally or out of malice.
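Two controls follow directly from the point above: the first-boot or password-change path should refuse any value that appears in the shipped defaults, and a fleet audit should be able to tell which accounts are still on a default without anyone knowing the current passwords. The following is an added example, not code from the EBU report or from any vendor's product. The table of default credentials is constructed for illustration (real ones come from product manuals and public default-password lists), the PBKDF2 parameters are a choice made for the example, and the credential store is a plain dictionary standing in for whatever the device persists.

```python
import hashlib
import hmac
import os

# Constructed table of vendor default credentials, illustrative only.
KNOWN_DEFAULTS = {
    "admin": ("admin", "password", "1234"),
    "root": ("root", "toor"),
}
# Iteration count chosen for this example; production would use a higher count
# or a memory-hard KDF such as scrypt or Argon2.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns a record for the credential store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record, candidate):
    """Constant-time comparison of a candidate against a stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def is_default(username, password):
    """True if the password is the username itself or a shipped default for it."""
    return password == username or password in KNOWN_DEFAULTS.get(username, ())


def set_password(store, username, new_password, min_length=12):
    """First-boot / change-password path: refuse defaults and trivially short values."""
    if is_default(username, new_password):
        raise ValueError(f"{username}: refusing a known default password")
    if len(new_password) < min_length:
        raise ValueError(f"{username}: password shorter than {min_length} characters")
    store[username] = hash_password(new_password)


def accounts_on_default_password(store):
    """Audit helper: which accounts still verify against a known default?

    Works from the stored salted hashes alone, so it needs no cleartext passwords.
    """
    hits = []
    for username, record in store.items():
        candidates = set(KNOWN_DEFAULTS.get(username, ())) | {username}
        if any(verify_password(record, c) for c in sorted(candidates)):
            hits.append(username)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed store: one account still on the shipped default, one changed.
    store = {"admin": hash_password("admin"), "root": hash_password("qW7!broadcast-gateway")}
    print("still on defaults:", accounts_on_default_password(store))
    set_password(store, "admin", "Long-unique-passphrase-42")
    print("still on defaults:", accounts_on_default_password(store))
```

The audit deliberately tests only the handful of known defaults per account rather than attempting a dictionary attack, which keeps it cheap enough to run across every device in an estate at install time and again whenever a firmware image is rolled out.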

Web interface weaknesses came next on the list, accounting for 13.0% of the total. These resemble the defects exposed in IoT (Internet of Things) devices such as video surveillance cameras, which are increasingly web connected and so potentially open to remote access or attack. The same concern applies to broadcasters because many of their systems provide a web interface for monitoring or configuration, even if they do not otherwise touch the internet.

Vendors of such systems should therefore follow established best practices for web applications, yet as the EBU found, several of the devices under test contained vulnerabilities in the interface. Some could expose any file on the system through the web interface (an arbitrary file read, typically the result of a path-traversal flaw), which would let an attacker pull configuration files holding cleartext passwords, or password hashes that can then be cracked offline.
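The "read any file" class described above almost always comes from a handler that joins a user-supplied path onto the document root and opens the result, so that `..` segments or an absolute path walk straight out of the root. The following is an added example and is not code from the EBU report or from any tested device: it shows that pattern next to a hardened resolver that canonicalises both sides and refuses anything that lands outside the root, including a symlink planted inside it. The temporary directory tree it builds is a constructed fixture; the `shadow` file stands in for a credential-bearing system or configuration file.

```python
import os
import tempfile


def resolve_unsafe(web_root, requested):
    """The vulnerable pattern: trust the requested path and hand it to open().

    os.path.join discards web_root entirely when `requested` is absolute, and
    '..' segments are passed through untouched.
    """
    return os.path.join(web_root, requested)


def resolve_safe(web_root, requested):
    """Canonicalise root and target, then require the target to stay under the root."""
    if "\x00" in requested:
        raise PermissionError("NUL byte in requested path")
    root = os.path.realpath(web_root)
    # Treat a leading slash as root-relative rather than letting it replace the root.
    target = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    # realpath has already followed symlinks, so a link pointing outside fails here too.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{requested!r} resolves outside the web root")
    return target


def read_via_interface(resolver, web_root, requested):
    """Return the file contents, or None when the resolver refuses or nothing is there."""
    try:
        path = resolver(web_root, requested)
        with open(path) as f:
            return f.read()
    except (PermissionError, FileNotFoundError, IsADirectoryError):
        return None


def build_demo_tree():
    """Constructed fixture: a web root with one page, plus a file that must never
    be reachable through the interface. Returns (web_root, secret_path)."""
    base = tempfile.mkdtemp(prefix="bcast-demo-")
    www = os.path.join(base, "www")
    os.makedirs(www)
    with open(os.path.join(www, "index.html"), "w") as f:
        f.write("<h1>device status</h1>\n")
    secret = os.path.join(base, "shadow")          # stands in for /etc/shadow
    with open(secret, "w") as f:
        f.write("operator:$6$fakehash\n")           # constructed, not a real hash
    try:
        os.symlink(secret, os.path.join(www, "link"))   # attacker-planted link inside root
    except (OSError, NotImplementedError):
        pass                                        # platforms without symlinks
    return www, secret


if __name__ == "__main__":
    www, secret = build_demo_tree()
    for req in ("index.html", "../shadow", secret, "link"):
        print(f"{req!r:>40}  unsafe={read_via_interface(resolve_unsafe, www, req)!r}"
              f"  safe={read_via_interface(resolve_safe, www, req)!r}")
```

Note the two things the naive version gets wrong independently: `..` traversal and absolute-path replacement. A fix that only strips `../` from the string would still leave the second hole open, and neither string fix catches a symlink; comparing canonicalised paths handles all three at once.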

Even without such web interfaces, the EBU report observed that broadcast equipment rarely operates with no connection to the outside world at all. Even where there is no direct internet access, broadcast networks almost invariably have some link with the internal business network. This is partly because remote operation and troubleshooting are themselves reasons why many systems are selected, with the promise of cost reductions and improved availability. By the same token, vendors increasingly need remote access to broadcast systems over the internet to meet their support obligations. It should therefore be the vendors' responsibility to ensure their systems are protected against exploitation of these links, with critical components isolated from them.

The EBU makes the general point that broadcast systems have been subject to a fast-growing number of cyber-attacks over the last few years. This is partly on the "Everest" principle that they are there: they are now just internet-connected computers like any others, in the firing line of attacks such as DDoS (Distributed Denial of Service). Secondly, the systems themselves are increasingly visible targets, both to pressure groups who might object to the messages being broadcast and to pirates intent on more traditional content theft. Broadcast systems therefore need protecting as much as any other, or even more so.

Finally, the EBU report refers to the EBU's own recommendation R161 on disclosure of vulnerabilities, which gives media companies and their suppliers guidance on how to handle and disclose vulnerabilities effectively. The hope is that the security research community will then be encouraged to investigate and disclose issues preemptively, before they can be exploited.
