Broadcasters Fail To Address Common Cybersecurity Vulnerabilities

Broadcasters are falling prey to common cybersecurity vulnerabilities as some struggle to adjust to the migration away from traditional dedicated systems to generic infrastructures based on the IP protocol, more like enterprises in other sectors.

That conclusion has been reached by the EBU (European Broadcasting Union) in a report just published by its Joint Task Force on Networked Media (JT-NM), based on tests conducted in August 2019 at Wuppertal in Germany.

The tests indicated that broadcasters were now exposed to general cybersecurity vulnerabilities that had long been known about and in many cases addressed within general enterprise data centers, in addition to traditional media threats such as revenue theft and video piracy. A key sentence in the report came lower down in the text with the assertion, “Gone are the days when broadcast equipment consisted of custom software running on dedicated hardware.” It seemed too many broadcasters were insufficiently aware of the exposures resulting from this development, but the EBU in describing this as a logical evolution also implicitly criticized infrastructure vendors for doing too little to protect their customers from the threats. It called on vendors to adopt best practices from the IT industry, especially on cybersecurity, even if this required specialized training for product teams.

The report makes depressing reading in the sense that broadcasters are exposed unnecessarily to vulnerabilities long known about, but the good news is that most can be readily fixed. There are also two vulnerability categories, namely unpatched software and unauthenticated remote access, where broadcasters seem to stand well. Of 385 vulnerabilities found across the tested devices, only 0.8%, or presumably three, were attributable to unpatched software and none at all to unauthenticated remote access. This probably reflects broadcasters having already had to deal with remote access as they deployed OTT and catch up portals, while also having grown accustomed to issuing regular software updates.

The most common vulnerability was encryption misconfiguration, accounting for one third (33.42%) of those identified, followed by unnecessary features at just over a quarter (26.53%). The vulnerability scanner reported many issues with encryption configuration or implementation, which weakened the protection, although the report conceded that, in most cases, it was still sufficient to thwart many potential attacks.

The inclusion in services of unnecessary features that users are highly unlikely to invoke in practice is a common problem and audience analytics software can help identify them. As the EBU noted, it needlessly increases the attack surface of the system, creating risks that can be eliminated.

Pie chart of common cybersecurity vulnerabilities for broadcasters.

Pie chart of common cybersecurity vulnerabilities for broadcasters.

Failure to change default credentials came next on the list of vulnerabilities identified by the EBU, accounting for 13.26% of the total. This again is an exposure that dates back to the early days of computing when system manufacturers or administrators would have passwords enabling them to access systems, sometimes as a last resort. In this case, the testing was unable to define whether the initial installation procedure compelled users to change the default password, but clearly that is a good habit. The problem is that default passwords can be readily obtained from documentation or online databases, so that they can offer open back doors into services. Such passwords can also be disclosed by employees, either accidentally or out of malice.

Web interface weaknesses came next on the list of vulnerabilities, accounting for 13.0% of the total. These are similar to the defects exposed when connecting devices under the IoT (Internet of Things) banner such as video surveillance cameras, which are increasingly web connected and so potentially vulnerable to remote access or attack. Such attacks are also of concern for broadcasters because many of their systems provide a web interface for monitoring or configuration, even if they do not otherwise access the internet.

This means vendors of such systems should follow best practices for web applications, but again as the EBU has discovered, several of those under test contained vulnerabilities in the interface. Some of these could expose any file on the system via the web interface, which could in turn let attackers in to steal clear passwords or scrambled “hashed” versions in such files.

Even without such web interfaces, the EBU report observed that broadcast equipment rarely operated without any connection to the outside world at all. Even without direct internet access, broadcast networks almost invariably have some sort of link with the internal business network. This is partly because remote operation and troubleshooting are themselves reasons why many systems are selected, with the promise of costs reductions and improved availability. By the same token, vendors increasingly need remote access to broadcast systems over the internet to meet their support obligations. It should therefore be vendors’ responsibility to ensure their systems are protected against exploitation of these links, with critical components isolated.

The EBU makes the general point that broadcast systems have been subject to a fast growing number of cyber-attacks over the last few years. This is partly on the “Everest” principle that they are there, being now just internet-connected computers like any others in the firing line of attacks such as DDoS (Distributed Denial of Service). Secondly, the systems themselves are increasingly visible, both to pressure groups who might object to messages being broadcast, and to pirates intent on more traditional content theft. Therefore broadcast systems need protecting as much as any other, or even more so.

Finally, the EBU report refers to its own recommendation R161 relating to disclosure of vulnerabilities. This provides cybersecurity guidance for media companies and their suppliers on how to disclose vulnerabilities effectively. The hope is that the security research community will then be encouraged to investigate and disclose issues preemptively before they can be exploited.

You might also like...

Video Piracy Declines In EU

Media content piracy declined by an average 15% across Europe during 2018 according to the European Union (EU) Intellectual Property Office (EUIPO), contradicting the popular notion that the problem is getting out of hand in the streaming era.

Users Resist Tighter Pay TV Security

Video consumers are still reluctant to embrace more secure authentication methods than traditional passwords despite mounting fears over identity theft and intrusion into privacy.

The Proven Essentials to Ensure an Effective UI

Innovation in the media and entertainment industry is at an all-time high with devices, backend technologies, operating systems and consumer behaviors constantly evolving. A key element of this evolution is how viewers see, experience, navigate and consume the content they…

Verimatrix Looks for Content Security Converts on Back of AWS API Integration

Verimatrix is seeking to win major customers in broadcasting and pay TV on the back of API integration of its MultiRights OTT multi-DRM with Amazon Web Services (AWS). As AWS continues its strong advance into video services by claiming some…

DPP - The Live Explosion

Away from traditional broadcasting a revolution is happening. Live internet streaming is taking the world by storm with unprecedented viewing figures and improved accessibility for brands looking to reach better targeted audiences. The Live Explosion, hosted by the DPP in…