Here we begin a new five-part series looking at the current security landscape for OTT and streaming services.
Our IP Security For Broadcasters book delved deep into the implications of security in IP based production systems. This series of articles examines the various security issues associated with internet based content delivery. In this first article we outline the many threats faced by content providers, and will move on to exploring solutions in the rest of the series.
It was once just pay TV operators that faced significant threats given the incentives for bypassing authentication controls to access their content for free. This led to a rump of specialist vendors peddling what they called revenue protection to counter smart card cloning and control word sharing. Then as streaming began to feature for video distribution a new threat emerged under the guise of unauthorized content redistribution, where pirates who may have subscribed legitimately themselves then retransmitted the content to their own “paid clients”.
Forensic watermarking emerged as a counter by being able to trace single sources of illegitimate streams so that they could be shut down quickly. Such rapid action was essential to avoid significant business damage to owners of premium live sports content whose value tapers quickly after the event begins.
The other threat to revenue that has risen to prominence in the streaming era is unauthorized credentials sharing. This has been contentious because it is more of a grey area between legitimate access to a service among families, and strictly unauthorized sharing of credentials among friends in different households.
As The Broadcast Bridge reported in 2022, major subscription VoD companies such as Netflix were initially averse to the idea of tackling illegitimate credentials sharing, for fear this would annoy existing subscribers who might occasionally take the odd liberty but were otherwise honest. But this changed with the rising scale of credentials misuse, especially in Netflix’s case as global subscriber growth shuddered to a halt and started to be reversed in some markets.
All these threats are still present, especially the content redistribution and credentials sharing, as linear services are increasingly accessed over the internet, with the prospect of traditional over the air and satellite transmission ceasing altogether eventually. Meanwhile, broadcasters and video service providers have become increasingly subject to the same categories of cybersecurity threat as enterprises in other sectors, in fact more so for some forms of attack because of their public facing nature.
To this extent video service providers are like banks and online retailers in that attacks denying service are highly visible and damaging for reputation. Such attacks also lose money in some cases through loss of ability to trade, as in the case of pay as you go content. Even minor loss of service can gain unwelcome public attention, as in the case of an attempted hack on Virgin Media TV in February 2023, which forced some programming off air temporarily while the incident was addressed.
As well as cybercriminals intent on extorting money through ransomware attacks, broadcasters are now increasingly at risk from hostile governments and state actors seeking to distort public opinion. This happened during the ongoing Ukrainian war, with pro-Ukraine groups early on hijacking Russian TV channels to broadcast messages condemning the Kremlin’s actions. While in this case the messages may have been more accurate than the official line promulgated by the Kremlin on state TV channels, that case highlighted the attractiveness of popular broadcast channels for such actions.
Motives can vary among states, just as for cybercriminals and individual actors. For Russia it is about spreading disruption, while in the case of China it is about more subtle dissemination of false information, or espionage of various forms. For North Korea and possibly Iran motives can be similar to cybercriminals, to make money from ransomware, so the lines can blur in those cases between state and private action.
The privacy dimension has also come to the fore in recent years, both as a result of legislation such as the EU’s GDPR, and advances in CPE (Customer Premises Equipment). The latter includes voice driven UIs (User Interfaces) and smart TVs capable of capturing and uploading details of user behavior.
Indeed, as more and more TVs sold are smart, in the sense of being connected to the internet via broadband routers for interactive two-way communication, they have become windows into the household as well as for viewing content distributed from outside. This first came to prominence in a 2019 study by London’s Imperial College and Northeastern University, which claimed to have found that data gleaned by smart TVs, along with other connected devices, was being sent to Google and also in some cases to Netflix, even from those who subscribed to neither.
Video service providers then face all the same threats as other sectors with specific twists of their own. Malware is one of the biggest threat categories, in the form of malicious software performing various actions that target either subscribers directly or broadcast networks. The objective is often to disable a service or lock up data as part of a ransomware attack demanding payment for unlocking, often by cryptocurrency to evade subsequent investigation.
Such attacks can involve a degree of social engineering to lure users into unwise actions that allow the malware to penetrate a system or network. This may involve malspam, where emails are sent with a malicious attachment, perhaps a loaded PDF or Microsoft Word document, that when opened allows the malware in.
Malvertising is another way in, where users are directed inadvertently to malicious servers while browsing the web, in this case without even having to click on an ad or open an attachment.
DDoS (distributed denial of service) attacks are also common and have been directed increasingly against broadcasters, with the BBC being an early victim in 2015. DDoS attacks can be used for ransomware, although malware is more common because of the potential for locking up data by encrypting it.
DDoS may be more often used to disrupt, for political, religious or cultural purposes. Sweden’s national TV broadcaster SVT was disrupted by a DDoS attack in February 2023 as part of what looked like a coordinated campaign against various publicly visible organizations, also including universities and hospitals. This came after the hacking group “Anonymous Sudan” had called for cyber-attacks against Swedish authorities and banks, in reprisal for burning the Quran in Stockholm.
Just as threats are increasingly common to all sectors, so are remedies. These include firewalls and intrusion detection/prevention systems designed to block access to protected parts of a network, as well as encryption for privacy and to exchange credentials securely. Also critical is continued vigilance and surveillance to identify new threats and at least isolate them to minimize damage, even if they cannot be immediately countered completely.
AI, or more specifically Machine Learning (ML), figures increasingly for surveillance and real time counteraction against previously unknown threats, aiming to obtain early warning of imminent attacks by detecting unusual activity. But ML is also being recruited by hackers for identifying points of weakness and obfuscating attacks as they develop, so to an extent it is just adding fuel to the arms race.
There are security issues more specific to video, such as the rising prevalence of Ultra HD content, both at high 4K resolution and HDR (High Dynamic Range). This increases the value of content and also makes it easier to redistribute assets illegitimately over the internet at an acceptably high quality.
Then there are threats associated with advanced compression methods that again are quite specific to the sector, albeit also applicable in video surveillance. These developments, how they impact cybersecurity, and measures to counteract associated threats, will be discussed in future articles of this series.
One other point is that the rising profile of cybersecurity among video service providers has been reflected in some innovations that have been emulated in other fields. A notable example is “user centric” security where users themselves are given responsibility for managing risks and recommending countermeasures.
This makes sense insofar as users are often at the front line of attacks and are also inconvenienced by heavy handed risk mitigation measures. They are often well placed to arbitrate over the correct balance between security and usability, if not necessarily cost. Netflix was early to implement user-centric security with its system called Stethoscope, which was released open source in 2017, and subsequently employed by enterprises and cybersecurity technology vendors in multiple sectors.