security impacts of next generation set-top boxes · 2010. 6. 14. · draft security impacts of...

DRAFT Security Impacts of Next-Generation Set-Top Boxes White Paper


  • DRAFT

    Security Impacts of Next-Generation Set-Top Boxes

    White Paper

  • www.cloakware.com

    Security Impacts of Next-Generation Set-Top Boxes White Paper

    Table of Contents

    1 Executive Summary

    2 Introduction

    3 Set-Top Box Security Drivers
      3.1 Content Distribution Requirements
      3.2 Input and Output Types
      3.3 Open Platforms
      3.4 Life Cycle Protection

    4 Set-Top Box Security Trends
      4.1 Hybrid Set-Top Boxes
      4.2 Separable Conditional Access
      4.3 Digital Home Networks
      4.4 DRM Standards and Working Groups

    5 The Security Challenge
      5.1 Initial Attack Resistance
      5.2 Diversity
      5.3 Renewability
      5.4 Breach Response

    6 Conclusion

    7 Set-Top Box Security Solutions from Cloakware

    Intended Audience

    This paper is intended for product and business managers, security architects, development managers and other technical staff who are directly involved in the specification, design and development of advanced set-top boxes. This paper describes the market and technology trends that are influencing set-top box designs and explains how advanced features are creating new content security challenges for set-top box manufacturers.

    1 Executive Summary

    Consumer demand for media-rich home entertainment services is driving innovation and new revenue opportunities in the set-top box (STB) industry. Next-generation STBs will integrate video content from multiple signal sources such as broadcast television, premium video-on-demand and Internet-based services, provide value-added capabilities like time-shifting, and allow content to be distributed to a variety of viewing devices including multi-room TV networks, personal computers, portable media players and other mobile devices.

    However, this level of source variety and content portability is inherently more susceptible to piracy, and increases the complexity of security requirements. Set-top boxes and their associated conditional access (CA) systems and digital rights management (DRM) technologies are under constant threat from device tampering, software security breaches and hacker attacks that can significantly impact the reputation and bottom line for both STB manufacturers and operators.

    OEMs can overcome these security challenges by designing in protection mechanisms that address the entire STB security lifecycle, including strong initial attack resistance, protection against automated attacks, easy in-field security updating and cost-effective breach response capability. STB OEMs who fully understand their security vulnerabilities, develop a sound security strategy and build in effective protection mechanisms will significantly lower the risks to their products and to their overall business.

    2 Introduction

    Digital television is undergoing a major transition. For consumers, the passive consumption of real-time premium video has evolved to include time-shifted and on-demand services accessible from personal/digital video recorders (PVRs/DVRs), personal computers, and portable media players. The penetration of these devices and services demonstrates the value consumers see in having a high level of freedom and control over their content viewing experience.(1) The “genie is out of the bottle” and consumers are demanding content from multiple signal sources viewed on a broader range of devices. Advances in networking and compression technologies are enabling an exploding number of alternative content providers to target such consumers with advanced “over the top” services and products to compete with traditional cable and satellite operators.(2)

    Incumbent operators are not standing still against the threat from OTT service providers and are deploying new services in response. The traditional digital set-top box that receives digital television broadcasts via cable and satellite sources is evolving to become a hybrid set-top box (see section 4.1), supporting alternative sources of premium content including OTT video services.(3) Set-top boxes are also becoming content servers themselves, acting as a video source for other devices in the digital home (see section 4.3) including other set-top boxes, digital televisions, personal computers and other consumer electronics devices.(4)

    Over-the-top (OTT) video describes video services delivered to the consumer over broadband, where the video service provider is independent from the broadband connection provider. Examples of OTT services include Joost, Babelgum and Hulu.


    The operators and set-top box OEMs are heavily influenced by standards groups and regulatory bodies. For example, to promote retail set-top box competition and consumer electronics interoperability, standards such as CableLabs CableCARD in North America and DVB-CI+ in Europe are enabling third-party set-top boxes and digital-ready televisions to become part of the operator ecosystem(5) (see section 4.2).

    It is well understood that premium television and video services are popular targets for piracy.(6) For a set-top box manufacturer seeking to innovate in this environment, protecting their devices and the content that passes through them is critical. The technologies and trends described above introduce a number of new and unique security challenges for device manufacturers. This paper provides further detail on STB trends and technologies, describes the corresponding security challenges placed on device manufacturers and finally describes the choices available to STB OEMs in addressing these challenges.

    3 Set-Top Box Security Drivers

    3.1 Content Distribution Requirements

    Content owners, including movie and television studios, demand protection against the piracy of their intellectual property and require that content licensees (such as cable or satellite TV operators) take steps to prevent security breaches and to mitigate against damage should a breach occur. Studios often mandate the preventative steps that must be taken to secure content as part of their distribution agreements. These security requirements include steps to ensure the protection of cryptographic operations and the prevention of application and service hacking. The operator or service provider, in turn, translates these into security requirements that must be met by their set-top box suppliers.

    3.2 Input and Output Types

    Many operators are offering advanced content services to increase their subscriber revenues. These services often require the ability to receive content from multiple signal sources and send the content to a range of devices in the digital home. The set-top box architecture is becoming more sophisticated through the integration of functions and content protection systems which are required to support these service models (see figure 1). It is imperative that these content protection systems securely work together without exposing content or sensitive assets.

    As an example, most digital STBs today support a conditional access system which secures the content as it is delivered from the operator to the set-top box. It ensures that consumers can only play content to which they are entitled. Many STBs today include integrated PVR capabilities that enable the consumer to time-shift their viewing by storing the content locally for later consumption, but not for further dissemination. If the system is expected to receive OTT video content, it will incorporate DRM protection systems to securely receive and store that content. If the STB is expected to share the content with other devices, it will need additional DRM or link protection technologies. Many of the advanced use-cases will require content to pass between two or more of these content protection systems, creating a security challenge for the STB manufacturer.

    3.3 Open Platforms

    To compound the content security challenge, many set-top box OEMs are moving to the Linux operating system which is a widely available, widely understood open platform. The prevalence of skilled Linux “hackers” along with the large base of free software development and reverse engineering tools makes it critical that the set-top box manufacturers take best commercial efforts to protect their systems.

    3.4 Life Cycle Protection

    The goal of the device OEM is to raise the barriers (in terms of time or money) to a level where the hacker is not motivated to attack a device. This can only be accomplished by applying a combination of security mechanisms that address the entire set-top box life cycle.

    Figure 1: Each block shown is a content protection sub-system which has its own secrets, keys, algorithms, sensitive code and device certificates

    [Figure 1 block labels: Conditional Access, Local DRM, PVR, Bridge, Export, Link Protection, Output Protection; networks: Cable / Satellite Network, Carrier IP Network, Internet]


    Security life cycle requirements to break the hacker business model:
    1) Provide a strong level of initial attack resistance
    2) Make it difficult to create automated attacks
    3) Use proactive updates to further frustrate hackers
    4) Ensure the security architecture can be quickly patched in response to a hardware or software security breach.

    Before exploring how these four items can be addressed (section 5), it is important to first review the trends that are affecting the STB security architecture.

    4 Set-Top Box Security Trends

    As previously stated, set-top box architectures are becoming more sophisticated through the integration of new functions and content protection systems. In this section we will examine the key trends in this area and provide a deeper understanding of the security challenges created through the integration of these technologies.

    4.1 Hybrid Set-Top Boxes

    The STB industry is undergoing a rapid shift from supplying standalone cable and satellite STBs to hybrid STBs which incorporate IP-based, over-the-top video services. Traditional cable and satellite service providers are providing IP-based services, such as DirectTV-On-Demand, that are complementary to their CA-delivered channels. Alternative business models with STBs targeted for retail sales to consumers are also emerging, where the set-top box is not tied to a cable or satellite provider but instead provides access to OTT video services as an alternative to traditional video services.

    Figure 2: The hybrid STB requires protection for both traditional and Internet-based content

    4.1.1 DRM Requirements

    If the service provider supports DRM-protected content as part of IPTV or premium OTT video, the STB will need to integrate DRM functionality. This is typically accomplished through licensing a common DRM (such as WMDRM-PD(7), OMA DRM 2.0(8), Microsoft PlayReady(9), or Marlin(10)) and integrating the DRM client into the STB and media framework. Along with the effort in integrating the DRM into the STB player architecture, the OEM must also ensure that the DRM implementation meets the compliance and robustness (C&R) rules of the particular DRM.

    Compliance and robustness rules describe the level of protection required for encryption keys, device certificates and other assets, as well as how to correctly use and protect the content. DRM licensors stipulate the compliance and robustness rules that must be met as part of their license agreements, with heavy penalties for failure to meet these standards. Penalties for non-conformance by licensees can include contractual liabilities and license revocation, while breaches in the field often result in high costs and disruption from recalls and repairs, not to mention potentially damaging brand erosion to both STB manufacturers and operators.

    4.1.2 Attack Vectors

    Building a set-top box that meets or exceeds the compliance and robustness rules for a DRM standard can be a daunting challenge. Pirates use an evolving mix of hardware and software hacking techniques to attack the system including using emulator cards, leveraging side channel attacks on processors, attacking hardware/software interfaces, reverse engineering software, tampering with executables, stepping through code using debugging tools, and other techniques. History has shown that, given enough time and money, a hacker can compromise any system.

    4.1.3 Service Offerings

    The selection of a DRM has significant implications for the manufacturer because it may restrict the types of services that can be offered, such as rental or purchase, and whether the content can be exported or bridged to another DRM system. To support PVR/future playback capability, the DRM must allow the content to be stored locally in the native DRM format or to be exported or bridged to another local DRM for local storage.

    In summary, the hybrid STB model provides opportunities for the STB OEM to enable or offer innovative content services. Doing so requires careful attention to the choice of DRM technologies and system level security required to protect the DRM and content assets.


    4.2 Separable Conditional Access

    Cable and satellite services have been closed networks with limited opportunity for devices such as PCs and consumer electronics devices to access content from these networks. Through specifications such as CableCARD from CableLabs and DVB-CI+, the conditional access system must be contained in a standalone “separable security device” instead of being integrated within the set-top box. In North America, as of July 2007, set-top boxes cannot contain integrated conditional access and in the EU it is mandatory that all TVs contain a Conditional Access Module (CAM) slot.

    From a security perspective, the fact that the conditional access is terminated on a PCMCIA card creates some unique security challenges. The CA smart card is responsible for removing the operator-based content protection and encrypting the content into a specified format for transmission over the PCMCIA bus to the host device, such as an STB, digital cable ready TV, or PVR. This transcryption from conditional access to the interface DRM must be done securely and the security requirements for this operation are specified in the compliance and robustness rules for each standard.

    For CableCARD and tru2way™, the C&R rules are found in the Cable tru2way™ Device License Agreement(11), formerly CableCARD Host Interface License Agreement (CHILA). As with other DRM systems, meeting the compliance and robustness rules typically involves protecting device certificates, encryption keys and other secrets while protecting the security code itself from modification or tampering. Non-conformance or breaches in the security may lead to contractual liabilities, device revocation and service disruption.

    While separable CA modules address some needs, there are additional market, cost and technical pressures pushing CA systems to a downloadable model where the CA system can be deployed and updated as required without requiring new hardware or a service call by the operator. When software CA is deployed, the CA client on the STB must be adequately protected from software hacking as well.

    4.3 Digital Home Networks

    Home networks, wireless access, and portable devices are pushing content beyond the TV to a wide range of network-enabled devices including STBs, digital televisions, digital/personal video recorders, personal computers, portable media players, etc. As consumers demand seamless access to licensed content from any device, STB OEMs have the opportunity to differentiate their products with innovative customer-facing features. However, increased content portability leads to higher security risks as content is now susceptible to piracy on a broader range of devices.

    Figure 3: Digital home technologies extend content delivery to low-cost clients, but carry more security risks

    4.3.1 Multi-Room PVR

    While hybrid set-top boxes support the delivery of content from the Internet to the home, digital home-enabled STBs extend this functionality to enable premium content to be distributed to other devices in the home. Set-top box manufacturers must include additional DRM functionality on the home network side of their equipment to support either in-home streaming or the transfer of content between devices. The traditional cable and satellite models have seen tremendous success with the PVR. With this success, consumers are demanding that the PVR content be accessible on all of their televisions.

    To cost-effectively enable this multi-room PVR concept, some network operators prefer to distribute a number of small, low cost, “daughter” set-top boxes that can pull the recorded programming from the larger, more expensive “mother” PVR. If the content is streamed over the home network, the daughter boxes do not need local content storage or a separate cable card interface and therefore have a significantly lower bill of materials cost. This model also creates new security challenges such that the transmission of the content between the devices must be protected by a “link protection” DRM. Both the mother and daughter set-top boxes need to have integrated DRM functionality and the mother set-top box must be able to securely bridge the locally-protected content to the link protection DRM.

    ‘Broadband subscribers have reached 283 million worldwide subscribers in 2007, with broadband subscribers expected to reach 570 million in 2011.’ MultiMedia Intelligence

    4.3.2 PC Interoperability

    The PC is often viewed as a security landmine for protected content. Unlike other “embedded” devices, which run on a relatively closed hardware platform, the PC is a completely open system where a user can freely install applications of their choosing, including hacking and debugging utilities.

    This is the most difficult environment to secure because the user can easily use compilers, debuggers, memory scraping utilities, etc. to tamper with or reverse engineer software on the PC. PC software manufacturers must use cutting-edge technologies and techniques to protect their applications from tampering. Many recent and highly publicized premium content attacks such as AACS(12) and FairUse4WM have occurred on the PC.

    For PCs to be successfully integrated into the premium content ecosystem, they must include a player application that supports the DRM technology required to access the content from the STB or other content source. In some cases the operator may want a PC application to terminate and display CA-protected content. In this case the PC may be combined with an Open Cable Unidirectional Receiver (OCUR) or Bi-directional Open Cable Receiver (BOCR) device which is responsible for removing the CA encryption and applying DRM protection to secure the content as it is transferred over to the PC. On the PC, the complete video processing pipeline must be secure, including decryption, demultiplexing, decoding and hand-off to secure drivers. Also, the content must never pass over a user-accessible bus in compressed form. In these scenarios, the PC application and OCUR/BOCR device will leverage DRM technologies. The OCUR/BOCR device also must be concerned with meeting the compliance and robustness rules with the CableCARD interface, as well as provide secure bridging between the terminated conditional access and the outgoing DRM over the Digital Receiver Interface.

    If an operator or STB OEM chooses to include the PC in their digital home ecosystem, they must be aware of the security implications of doing so. If the operator or STB manufacturer designs the PC client themselves or leverages a third-party player, they must ensure that the necessary level of software protection is applied. Not adequately protecting their PC application will make the PC an easy target for the hacker community.

    4.3.3 Other Consumer Electronics Devices

    Consumers also want to access content on a variety of CE devices. They want to take their premium content with them on their laptop, portable media player or mobile phone. These usage scenarios require that the content remain protected and therefore the devices need to integrate DRM technologies. In some scenarios, the master set-top box will export the protected content to another device using a DRM. If the target device is using the same DRM, the master STB may only need to securely create a new content license for the target device. In some cases the master device may need to provide functionality to transcode and transcrypt the content from the local DRM to the target DRM. These scenarios must all be done securely, ensuring that the content is not exposed and the content rights are protected against tampering.

    In the past, content portability was difficult to achieve due to licensing restrictions of many DRM standards and device support. Emerging DRM standards, such as PlayReady and Marlin, may improve the number of “target devices”. One way to improve interoperability is to leverage a DRM architecture that is agnostic to the specific DRM standard and which allows DRMs to be deployed “on demand” or as required by the service. This future-proofing strategy enables the business models and services to evolve without service calls or equipment replacement.

    4.4 DRM Standards and Working Groups

    A number of different approaches have been taken to facilitate DRM interoperability, with no clear winner or approach to date. There are a number of well known and emerging DRMs, such as OMA DRM 2.0, WMDRM-PD, PlayReady and Marlin DRM, that facilitate content purchase and other business models. Additionally, there are several link protection DRMs, such as DTCP-IP and WMDRM-ND, that protect in-home streams. There are also framework technologies that promote in-home DRM interoperability such as Coral(13) and DVB-CPCM(14). The best choice of DRM will depend on the usage scenarios and type of ecosystem to be supported.

    The Digital Living Network Alliance(15) (DLNA) aims to reduce this confusion. The DLNA is a consortium of industry-leading consumer electronics (CE) device manufacturers focused on creating guidelines that promote interoperability between devices in the digital home. The first mandate of the DLNA was to enable DLNA-compliant devices to be able to discover one another on the home network and be able to share personal (non-protected) content such as MP3s, home movies, etc. This work resulted in the DLNA Interoperability Guidelines v1.0. These guidelines were later expanded to include more home and mobile devices and also include link protection to enable the sharing of premium content within the home. The link-protection guidelines state that devices sharing copyright-protected commercial digital content must support DTCP-IP and may support WMDRM-ND. The Content Protection Subcommittee of the DLNA is now focused on developing DLNA Guidelines in the area of DRM interoperability.

    With CableLabs’ approval(16) of DTCP-IP for protecting cable content and its acceptance by the DLNA and other standards organizations, many STB OEMs are actively integrating this technology into their products. While some manufacturers are using DTCP-IP as part of a proprietary solution to enable interoperability between their own devices, others are embracing DLNA and building DLNA compliance directly into the STB. As the DRM Interoperability Guidelines solidify, many consumer electronics manufacturers hope to see adoption of the guidelines into a wide range of devices, enlarging the ecosystem.

    Integrating these DRM technologies into the end devices will require that the device manufacturers be aware of the security impacts and be diligent in providing or ensuring that the necessary level of security has been implemented in the products. As the number of content devices increases in the operator’s ecosystem, the operator must be increasingly diligent in ensuring that the devices have an adequate level of security. The strength of the ecosystem is limited to the strength of the weakest device.

    5 The Security Challenge

    The ultimate security goal of the device manufacturer is to raise the cost of hacking to a level where the hacker’s window of opportunity to profit from piracy is diminished, if not entirely eliminated. The evolving STB and digital home devices present new security challenges which must be addressed by the manufacturer. To achieve sustainable device security in the STB ecosystem requires that the security solution addresses four key areas. This section will summarize these areas and describe what can be done by the manufacturer to achieve the necessary level of protection. Only by addressing all four areas can a manufacturer be prepared to safely carry high-value premium content on their devices.

    5.1 Initial Attack Resistance

    The security challenges that exist for a set-top box OEM ultimately depend on the services and features they wish to support. The discussion of trends earlier in this document has identified a number of separate security systems that may exist in products. To provide an adequate level of initial attack resistance, each of these security systems must resist attempts to bypass them via reverse engineering or tampering. A vulnerability in any one area will result in the system being compromised.

    5.1.1 Summary of Security Systems

    1. Separable Conditional Access System

    Separable conditional access systems may exist as either hardware or software modules. In both cases, the CA system and the interface between the CA system and the device must be protected. In many instances, such as with CableCARD and DVB-CI+, a DRM-like interface is defined between the module and host system resulting in the need to also meet compliance and robustness rules. Secure bridging is required if the content will be stored locally on the PVR or streamed over the home network via a link protection DRM.

    2. PVR/DVR System

    A PVR/DVR-capable STB must securely store recorded content locally in the device. The PVR sub-system often encrypts content with AES and may store and enforce usage rights associated with the content. Since the PVR is acting as a local, proprietary DRM, it must be secured in ways similar to what is outlined in DRM compliance and robustness rules. Secure bridging is required if the PVR content is streamed over Link Protection or exported via DRM to other devices in the home.

    3. Over-the-Top Video DRM System

    If the set-top box supports premium OTT video services, it will integrate a DRM system that must meet the compliance and robustness rules associated with the DRM standard. Secure bridging is required in situations where OTT content is streamed over link protection or exported via DRM to other devices in the home.

    4. Link Protection System

    If the STB supports content streaming over the home network via link protection, it will integrate a DRM system such as DTCP-IP or WMDRM-ND and must therefore meet the associated compliance and robustness rules.

    5. DRM Export System

    If the set-top box supports content sharing over the home network via DRM export, it will integrate a DRM system and must therefore meet the associated compliance and robustness rules.

    5.1.2 Security Requirements

    The security requirements of these set-top box systems can generally fit into three categories: protecting conditional access systems, meeting compliance and robustness rules, and security bridging.

    CA Protection

    The STB OEM will typically integrate the CA system required by the specific operator for which they are designing the box. If the CA is supplied by a third party, protection of the CA system will be the responsibility of the CA provider. If it is a proprietary CA, the STB OEM must secure it themselves either through their hardware design and/or through software techniques. To protect a software-based (soft CA) client, or the software interfaces of a CA module, OEMs can leverage third-party software security tools to add the necessary tamper resistance to the design.

    Figure 4: System protection requirements matrix

    Compliance and Robustness Rules

    > STB OEMs can choose to meet the compliance and robustness rules in one of three ways. The OEM can choose to develop technology and in-house software security expertise to protect the STB software and sensitive assets. This is the most difficult and time-consuming option and requires that the OEM has a strong understanding of the compliance and robustness rules, an expert understanding of software hacking methodologies and the necessary development resources to implement the security countermeasures.

    > For cases where the OEM chooses to integrate a common DRM, the simplest solution is to use a pre-hardened DRM implementation which includes a DRM porting kit that has been analyzed and secured to meet the compliance and robustness rules. In such secure DRM implementations, DRM security experts have studied the compliance and robustness rules, modeled the attack tree of the code and platform, developed suitable countermeasures and applied (often patented) security techniques to ensure protection of the DRM system.

    > For cases where a standard porting kit is not available, or where the OEM has their own software, they can use specialized software security tools to protect the software and assets as required.

    To help meet their security objectives, many OEMs use conformance and compliance testing services from DRM security consultants who can analyse the implementation and provide an independent compliance conformance report. Engaging such independent experts demonstrates due diligence in meeting the C&R rules and improves confidence in the overall security design.

    Secure Bridging

    Security bridging is a common requirement that may exist for many set-top box applications. The movement of content between any of the security systems will necessitate the need for secure bridging. This will include secure transcoding, transcryption and usage rights mapping between security systems.

    In some cases a protection system such as a DRM may have specific file-type requirements. Transcoding is required if content is to be passed from one protection system to another that does not support the required file format. The source content, for example MPEG2, would be decoded and then re-encoded into target file types such as WMV. Because this processing must be done on unencrypted content, the process must be secured to ensure that the content cannot be intercepted and stored or exported. The method by which content is encrypted may differ between content protection systems. In cases where content is moved between dissimilar systems, the encryption will have to be changed; this is called transcryption. Transcryption involves decrypting the content using one content protection system, such as DTCP-IP, and re-encrypting the content using a different content protection system such as WMDRM. Because this process exposes clear content, it must be secured to prevent the interception of unencrypted content.

    Rights mapping, like content transcryption, is required when content is transmitted between dissimilar content protection systems. Each content protection system typically has its own method of transmitting and specifying the user rights associated with the content. When content is bridged between two systems, the appropriate level of rights and permissions must be maintained. For example, if the source content protection system has content marked as “copy never”, it would be a security issue if the rights were changed to “copy freely” when moved to the destination content protection system. Because different systems have different rights fields or rights objects, the mapping that must take place may be complex and may be defined by the licensing authority of the source content protection system. Since usage rights are being created or modified locally, the process must be secured to ensure that the rights are mapped correctly.

    [Table: protection requirements (CA Protection, Compliance and Robustness, Security Bridging) by device/system (Separable H/W and S/W CA Modules, PVR system, Over the top video system, Link protection system, DRM export system); the only surviving cell values are two "Depends on service" entries.]

    Adequately securing content bridging systems requires strong expertise in software hacking methodologies and the software skills necessary to implement security countermeasures. OEMs can choose to secure their bridging systems on their own, or leverage third-party security tools that are specially designed to achieve the required results and reduce the development effort.
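
    The rights-mapping requirement described above, as an added C example (not from the white paper or any Cloakware product): a mapper that fails closed and rejects any table entry that would leave the destination rights looser than the source. COPY_ONCE, the destination rights fields and both tables are constructed for illustration; a real mapping is defined by the licensing authority of the source system.

```c
#include <stdbool.h>
#include <stdio.h>

/* Source copy states, least to most restrictive. "Copy freely" and "copy
 * never" are from the paper; COPY_ONCE and everything else is constructed. */
enum { COPY_FREELY = 0, COPY_ONCE = 1, COPY_NEVER = 2 };

/* Hypothetical destination rights object with different fields. */
typedef struct {
    int  max_copies;    /* -1 = unlimited, 0 = none */
    bool allow_export;  /* content may leave the destination system */
} dst_rights_t;

static const dst_rights_t DENY_ALL = { 0, false };

/* Classify a destination object on the source scale, conservatively:
 * anything that could permit more than one copy counts as COPY_FREELY. */
static int dst_level(const dst_rights_t *d) {
    if (d->allow_export || d->max_copies < 0 || d->max_copies > 1)
        return COPY_FREELY;
    return d->max_copies == 1 ? COPY_ONCE : COPY_NEVER;
}

/* Map src through a 3-entry table. Fails closed: on an unknown source value
 * or a table entry that would loosen the rights, *out stays DENY_ALL. */
bool map_rights(const dst_rights_t table[3], int src, dst_rights_t *out) {
    *out = DENY_ALL;
    if (src < COPY_FREELY || src > COPY_NEVER)
        return false;                 /* unknown state: deny */
    if (dst_level(&table[src]) < src)
        return false;                 /* destination looser than source */
    *out = table[src];
    return true;
}

/* Constructed tables: a correct one and one with the paper's failure case
 * ("copy never" turned into "copy freely"). */
static const dst_rights_t GOOD_TABLE[3] = { { -1, true }, { 1, false }, { 0, false } };
static const dst_rights_t BAD_TABLE[3]  = { { -1, true }, { 1, false }, { -1, true } };

int main(void) {
    dst_rights_t r;
    bool ok = map_rights(GOOD_TABLE, COPY_NEVER, &r);
    printf("good table, copy never: ok=%d max_copies=%d\n", ok, r.max_copies);
    ok = map_rights(BAD_TABLE, COPY_NEVER, &r);
    printf("bad table,  copy never: ok=%d max_copies=%d\n", ok, r.max_copies);
    return 0;
}
```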

    5.2 Diversity

    While some set-top box security mechanisms provide initial resistance to attack, once they are broken the entire installed base is compromised if the STBs are homogeneous, because the same attack will work on all systems.

    A security approach that leverages software diversity can prevent BORE (Break Once Run Everywhere) attacks, reducing the impact of a successful breach. Software security diversity is a mechanism where the software instances are functionally equivalent but structurally different on different devices.

    Using specially designed software development tools, STB OEMs can automate the creation of these diversified software instances to enable diversity to be applied per operator, per STB version, or even for every individual STB. If a hacker manages to successfully attack one device, diversity ensures the attack will be limited in scope, multiplying the effort a hacker needs to be financially successful. Diversity essentially breaks the hacker business model.

    5.3 Renewability

    Software diversity can also be used to proactively prevent attacks by regularly updating the security on an operator’s installed base of STBs, thus frustrating hacker attempts to crack the system. By occasionally replacing the security system with new diversified instances, attackers are forced to abandon the existing analysis.
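
    The property described in sections 5.2 and 5.3 (functionally equivalent, structurally different instances, replaceable by fresh ones), as an added C example that is not from the white paper or any Cloakware tool. It assumes diversity is applied only to one table's storage order and masking, with a non-cryptographic xorshift generator standing in for a build tool's seed expansion; all names and values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#define N 16

/* One diversified build: same logical table, seed-dependent order and mask. */
typedef struct {
    uint8_t slot_of[N];  /* logical index -> storage slot */
    uint8_t stored[N];   /* masked values, in storage order */
    uint8_t mask;
} instance_t;

/* Non-cryptographic xorshift32; stands in for a build tool's seed expansion. */
static uint32_t next_rand(uint32_t *s) {
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

void build_instance(uint32_t seed, instance_t *inst) {
    uint32_t s = seed ? seed : 1;           /* xorshift state must be non-zero */
    for (int i = 0; i < N; i++) inst->slot_of[i] = (uint8_t)i;
    for (int i = N - 1; i > 0; i--) {       /* Fisher-Yates shuffle of the slots */
        int j = (int)(next_rand(&s) % (uint32_t)(i + 1));
        uint8_t t = inst->slot_of[i];
        inst->slot_of[i] = inst->slot_of[j];
        inst->slot_of[j] = t;
    }
    inst->mask = (uint8_t)next_rand(&s);
    for (int i = 0; i < N; i++)             /* logical value i*7+3 is constructed */
        inst->stored[inst->slot_of[i]] = (uint8_t)((i * 7 + 3) ^ inst->mask);
}

/* Same answer on every instance, reached through a different layout. */
uint8_t lookup(const instance_t *inst, int x) {
    return (uint8_t)(inst->stored[inst->slot_of[x]] ^ inst->mask);
}

/* Entries held in the same slot by both instances (location knowledge that carries over). */
int shared_slots(const instance_t *a, const instance_t *b) {
    int n = 0;
    for (int i = 0; i < N; i++) n += (a->slot_of[i] == b->slot_of[i]);
    return n;
}

int main(void) {
    instance_t a, b;
    build_instance(1, &a); build_instance(2, &b);
    printf("%u %u shared=%d/%d\n", lookup(&a, 5), lookup(&b, 5), shared_slots(&a, &b), N);
    return 0;
}
```

    Rebuilding an instance with a new seed models a renewal: outputs stay the same while the layout learned from the old instance no longer applies.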

    5.4 Breach Response

    It can be argued that, given enough time and resources, any system can be hacked. Under this premise, STB manufacturers should formulate their security strategies with the assumption that the device will be compromised at some point after it has been deployed.

    Once that assumption is made, the shortcomings of hardware-only security solutions become obvious. If a hardware-only security system is compromised, it usually necessitates a hardware field upgrade, which can be a very expensive and lengthy process. Even if a software-based fix for the STB can be found, the software update itself will need to be protected against tampering and reverse engineering.

    To allow for cost-effective field updates, STB manufacturers are advised to implement security systems that leverage hardware security (if available) combined with a layer of software security. This strategy, with the benefits of diversity, provides a very high level of attack resistance and also enables the operator to respond quickly in the event of a breach.

    6 Conclusion

    New delivery and consumption models are driving the convergence of traditional video and Internet-based content onto a multitude of viewing platforms within the digital home. The technical and contractual requirements surrounding the protection of premium content on next-generation STBs are increasing the complexity, time, expense and risk to the design and development of these devices. Trends such as hybrid set-top boxes, multi-room DVRs and separable access security multiply the choices, effort, and risks faced by STB research and development teams.

    When developing next-generation STBs, OEMs should formulate and implement security strategies that address the challenges of multi-source, multi-device networked environments. To do so, OEMs must understand the security issues and vulnerabilities associated with managing both CA and DRM protected content in hostile environments where hackers have access to sophisticated reverse engineering and tampering tools. To meet DRM compliance and robustness requirements, OEMs should seek an independent conformance assessment from qualified DRM security experts. Comprehensive STB security designs to prevent content theft should incorporate security mechanisms that provide a strong level of attack resistance, use diversity to prevent automated attacks, and offer efficient security update capabilities.


    About Cloakware

    Cloakware, an Irdeto company and part of the Naspers group, provides innovative, secure, proven software technology solutions that enable customers to protect business and digital assets in enterprise, consumer and government markets. Cloakware has two main product lines. Cloakware Datacenter Solutions help organizations meet governance, risk management and compliance (GRC) objectives for privileged password management while ensuring business continuity and the security of mission-critical data and IT infrastructure. Cloakware Consumer Product Solutions protect software and content on PCs, set-top boxes, mobile phones and media players. Protecting over one billion deployed applications, Cloakware is the security cornerstone of many of the world’s largest, most recognizable and technologically advanced companies. Headquartered in Vienna, VA and Ottawa, Canada, Cloakware has regional sales offices worldwide.

    Contact Information

    Corporate Headquarters: Cloakware Inc., 8219 Leesburg Pike, Suite 350, Vienna, VA, USA 22182. Tel. +1.703.752.4830

    Canada: Cloakware Corporation, 84 Hines Road, Suite 300, Ottawa, ON, Canada K2K 3G3. Tel. +1.613.271.9446

    EMEA: Cloakware Ltd., 33-35 Daws Lane, London NW7 4SD, United Kingdom. Tel: +44 (0)1628 531004

    www.cloakware.com

    7 Set-Top Box Security Solutions from Cloakware

    As the leader in software security for content protection technologies and applications, Cloakware understands the challenges STB OEMs face in meeting the demands of both content providers and consumers. Our advanced protection solutions provide an advantage to developers wanting to reduce time-to-market in a highly competitive market for next-generation STB devices.

    Cloakware Security Suite is a set of automated tools that enable STB software developers to secure content protection, DRM bridging and application code against reverse engineering, tampering and automated attacks.

    Cloakware’s pre-packaged robust DRM solutions provide STB developers with many benefits, including accelerated product development, industry leading security, and confidence in the design.

    To help STB makers define an effective security strategy, Cloakware also offers a range of consulting, training and development services to guide manufacturers through all phases of the security development life cycle, including:

    > Security requirements analysis to identify potential threats and weaknesses

    > Solution design and implementation to accelerate time-to-market

    > Conformance testing to fulfill DRM and other licensing obligations

    > Breach mitigation and management to minimize impact and protect against further attacks

    > Training to educate STB development teams on all aspects of software and content protection

    Many of the world’s most widely recognized hardware and software companies rely on Cloakware solutions to protect content, comply with licensing requirements and accelerate their time-to-security. Contact us to find out how we can help you gain a competitive edge in the set-top box market.


    © Cloakware Inc., 2008. All rights reserved. This document is provided “as is” with no warranties, expressed or implied, including but not limited to any implied warranty of merchantability, fitness for a particular purpose, or freedom from infringement. Cloakware Corporation and/or Cloakware Inc. may have patents or pending patent applications, or other intellectual property rights that relate to the described subject matter. ‘Cloakware’ and its logo are registered trademarks of Cloakware Corporation, a subsidiary of Cloakware Inc. and are used under license. All other names herein are the trademarks or registered trademarks of their respective holders. The furnishing of this document does not provide any license, expressed or implied, by estoppels or otherwise, to any such patents, trademarks, copyrights, or other intellectual property rights. Cloakware Inc. assumes no responsibility for error or omissions in this document; nor does Cloakware Inc. make any commitment to update the information contained herein. This document is subject to change without notice. CW-STB-WP-USE-20081024
