The distribution of video over multicast-broadcast networks and content storage at by users with Windows PCs and PVRs has created a huge threat surface for digital content.
Typical to flawed security countermeasures, HDCP and AACS exacerbate and enlarge the threat surface rather than enhance revenues and reduce risk.
In this article we will show that Network PVR services may be an effective strategy for studios to mitigate the risk of content piracy.

Background

NetFlix, Vudu and Universal Studios Home Entertainment are skipping over HD-DVD/Blu-ray formats in favor of what some industry observers say is inevitable – download-only distribution.
Beginning November 23 2007, Vudu started giving new buyers “The Bourne Identity” and “The Bourne Supremacy” pre-loaded on their set-top boxes in HD. Buyers can purchase a downloaded copy of “The Bourne Ultimatum”, for $25 starting December 11, 2007.
The VUDU box and services sounded pretty cool to me when I first saw it – until I realized that the price of the “The Bourne Ultimatum HD” on Amazon is $27.99 with free Super Saver Shipping and the I don’t need to buy the Vudu and commit to their service. It’s two bucks less with Vudu but the VUDU STB sets you back $250 (reduced from $400). The Vudu business model does not seem extremely compelling. Although you have a hard disk – you cannot go back and view a movie if you ran out of time in a single sitting. The Netflix business model of having 3-5 movies for unlimited usage still seems a winner and in comparison, Vudu just doesn’t seem to have all the movies we’d want to see.
The price of SD (standard definition) DVDs is between USD2-5, depending on where you live and HD DVD seems to be going for about USD25-30, depending on the movie and season of the year. It’s cheaper and more convenient for a consumer to rent or buy a DVD from NetFlix or Blockbuster then to pay Vudu. if you want to see the latest episode ofDexter you can’t even get it on Vudu, and BitTorrent is more accessible not to mention, free.
While Vudu seem to have done some impressive engineering work on their STB, if they get any widespread traction, it may only be a matter of time until some irritated user cracks their box or bypassess the content protection.

What is HD (High Definition) video?

There is a good deal of confusion regarding exact definitions and consumer electronics product requirements for HD (high definition). HD refers to the quality of the picture (not to the means of digital content protection). Digital HDTV broadcast systems are defined by the number of lines in the vertical display resolution, the scanning system: (progressive (p) or interlaced (i) and the number of frames per second. The 720p60 format is 1280×720 pixels, with progressive encoding at 30 frames per second. The 1080i50 format is 1920×1080 pixels, with interlaced encoding at 25 frames per second. For commercial naming of the product, either the frame rate or the field rate is dropped, e.g. a “1080i television set” label indicates only the image resolution.

Is HD for digital TV only? (no)

If you have have an older TV set with an analog RCA interface, you’re in luck – the issues of digital HDTV are eliminated by connecting your TV set to a DVD player using the analog HD signal output with RCA connectors instead of HDMI. The analog outputs of most HD devices will replicate the resolutions of the digital outputs i.e. 720p and 1080i, so fidelity of the picture is maintained. Connectivity is via standard VGA HD15 connector or high-resolution component video output using 3 x RCA connectors. Analog HD signals can also be distributed over standard Cat5 cable up to a few hundred meters, which is pretty convenient if you have a large house or a small hotel.

What is HDCP?

High-bandwidth Digital Content Protection (HDCP) is a proprietary DRM scheme for protecting premium HD content. HDCP was developed by Intel Corporation to control digital audio and video content transmitted on DVI (digital video) and HDMI (high definition media) interfaces in consumer electronics devices such as DVD, STB, TV Sets. Compliance with HDCP requires a license from Digital Content Protection LLC, a subsidiary of Intel. In addition to paying fees, manufacturers agree to downgrade quality when interfacing to non-HDCP compliant devices. For example, HD video is downgraded to DVD quality on a non-HDCP compliant TV set. HDCP also incorporates a black-listing scheme of cracked devices using a key-revocation scheme where the black list is stored on the DVD media.

HD content protection – fundamentally flawed

The HDCP black-listing scheme defies the laws of physics and reason. For example, you may be a perfectly law-abiding citizen, but if someone in Timbuktu hacks your model XY500 DVD player, the device key is revoked, and you will never be able to play discs that came out after the date the device was compromised. If a hacker taps into the HDMI / HDCP signal copies a movie enroute to your model TV Set, the HDCP device key can be revoked and your 80 inch TV will never play high-definition again.

Blu-Ray copy protection was broken in the beginning of this year (January 2007) (Courtesy of muslix64, the same fellow who cracked HD-DVD). Both HD DVD and Blu-ray use HDCP (High-Bandwidth Digital Content Protection) for authentication and content playing, and both use the AACS (Advanced Access Content System) for content encryption. (AACS is the content protection for the video on DVDs and HDCP is the content protection on the HDMI link between the DVD player and the TV). It appears that muslix64 took a snapshot in memory of a running process, then used selective keying – serially trying bytes 1-4, then 2-5, 3-6 etc as the keys until the MPEG frame decrypted. (much faster than a pure brute force attack). If the video player process stores the key in clear text in memory, this type of attack will always work. Like most flawed encryption schemes, AACS is vulnerable to threats to due a poor software implementation.

” The AACS design prevents legitimate purchasers from playing legitimately purchased content on legitimately purchased machines, and fails to prevent people from ripping the content and sharing it through bittorrent. The DRM people wanted something that could not be done, so unsurprisingly they winded up buying something that does not do it”
James Donald.

Now you understand why BitTorrent is so popular.
A popular TV series like Heroes is available for download on BitTorrents worldwide in AVI format within a few hours after airing with the commercials edited out. OK – Heroes is SD, not premium content like ” The Bourne Ultimatum” but so far I reckon the quality of the AVI download is not deterring users from watching Heroes off BitTorrent.
In world of download-only distribution, studios have an opportunity for expanding business using the Internet and a huge digital asset protection challenge. From the perspective of piracy (protecting intellectual property of the studio) and revenue assurance; being able to download HD content to a PC or PVR disk is an ugly threat, especially considering how easy it has been to crack or bypass AACS content protection in Blu-Ray and HD DVD until now. Once the content is stored on a hard disk on a Windows PC, you’ve lost control for ever.
The software and algorithms for Premium HD content protection are fundamentally flawed as Peter Gutmann shows in his article: A Cost Analysis of Windows Vista Content Protection

Alternatives for a download world.

As the consumer Internet moves towards a download-only distribution model, the motion picture industry needs to find answers to their digital asset protection challenge without biting the hand that feeds them.Network PVR may conceivably be the most effective method for protecting digital movie content from the perspective of both the studios and the consumer.
There is no such thing as a single silver-bullet, optimally-effective countermeasure to the vulnerabilities of flawed content protection schemes, flawed software implementations and vulnerable PC operating systems. That is the mistake of an over-reaching scheme like HDCP.
Gutmann’s analysis is outstanding in its breadth and depth but he doesn’t propose a system of countermeasures which would help the studios protect their intellectual property. In order to identify the most cost-effective set of countermeasures to the threat of piracy, we start off by examining risk profiles of different digital content distribution implementations.

Digital content distribution vulnerabilities

Fortunately, a threat analysis of digital content distribution (VOD and live content) is simplified by having one asset (the digital content) and one major threat; piracy (people who want to make unauthorized copies of the content and give it away for free). This means that we can focus on the vulnerabilities.
The below heat diagram provides a qualitative threat analysis of digital content distribution. The Y-axis is the channel – broadcast or Unicast (for the sake of classification, we call distribution of physical DVDs – ” Unicast ” since sale of a DVD is performed between only two parties – the seller and buyer). The X-axis classifies whether or not the subscriber stores the content on a hard disk.

Red is high risk, Orange is medium risk and Yellow is low risk.

 
As seen in the bottom left quadrant of the above heat diagram, network PVR has less vulnerabilties and lower risk. Note that the video servers are stored in the operator premises in a controlled and secure operating environment and are much less vulnerable than subscriber set-top boxes.

An introduction to Network PVR

Cablevision, the New York suburban cable provider, took an aggressive approach to Network PVR (NPVR) services that ran into strong resistance from the content industry. Cablevision uses an NPVR service where they record broadcast TV channels at the head-end and the subscriber can replay specific programs at a later time on a disk-less set top box (the NPVR). If the area of personal video recording is not familiar to the reader – see the Wikipedia article on Digital video recorders
Cablevision felt that it had the right to do this, but the TV networks disagreed. They sued, Cablevision lost and is now appealing that decision.
FastWeb in Italy is a service based on Cisco technology that provides 100MB/s to the home. FastWeb launched their NPVR service with a nuanced approach – the subscriber requests that a TV program be recorded. FastWeb records that program and allows only that viewer and any other viewers who requested recording the program to view it later. This was no worse that if the viewer owned a Tivo, so the TV broadcasters in Italy accepted it.
The Cablevision case is particularly relevant for IP network providers. Their IPTV networks are better suited than cable networks to support NPVR and other on demand services. NPVR can give the telcos a significant advantage over the cable companies.In addition, it keeps all the traffic in the network provider cloud and significantly removes the load on WAN connectivity to the Internet from all those home users downloading pirated copies of the Lord of the Rings movie and the latest episode of Heroes

A threat analysis of a Network PVR service

There are three main security concerns for a TCP/IP Unicast Network PVR system:

1. Digital content protection at the subscriber premise.
2. Digital content protection for content in motion and content at rest in video servers.
3. Authentication (identifying a valid subscriber with a STB and protecting the VOD provider from fraudulent usage)

In light of the Cablevision case, we constructed a scenario based on a Unicast NPVR service that provides VOD, and live-content recording of shows at subscriber-requests, and performed a threat analysis using the PTA (Practical Threat Analysis) methodology, Assuming that the operator installs diskless set-top Boxes (STB) at the subscriber premise and video servers in the network operation,we identified the following threats, vulnerabilities and countermeasures.
Threats are labelled TX, exploited vulnerabilities are labelled VX and countermeasures that mitigate the vulnerabilities are labelled CX.
T1 – The subscriber may steal plain-text content by tapping the STB ethernet link.

V1- Transmission of clear-text content enables interception using off-the-shelf network tap devices that cost less than USD 500 The breakeven point on a network tap is about 20-25 movies which makes it worthwhile to buy a tap for a semi-serious hacker.
Call Netoptics Network Taps for a quote.

C1 – Encrypt content on video servers, decrypt content on STB
C2 – Encrypt keys on video servers or don’t store keys
C3 – Place physical safeguards on key access
 

T2 – The subscriber may capture an output signal from STB to home TV set and distribute by a Bit Torrent

V2 – The DVI/HDMI cable from STB to TV set can be tapped.

C4 – Let subscribers use an analog cable (so-called ” analog-hole “)
According to FCC fair-use rulings, free over-the-air broadcast signals may be copied freely, and may not be reduced in resolution (” down-res’d” ) when output from unprotected high-definition analog ports.
C5 – Protect content with an economic ” dis-incentives”
It’s easier and cheaper to buy the HD DVD movie for USD 25-30 at Amazon than to hack the technology. If the IPTV operator provides a rich collection of SD, HD and Television series content for an attractive price, without changing the way a subscriber runs her life, the economic incentive for piracy becomes minimal.

 
T3- A subscriber may redirect a video stream to other NPVR users who did not pay for the content

V4 – The STB vendor may sell boxes to competitors
V5 – STB Middleware commands can be manipulated
V6 – Unauthorized users may engineer STB clones to access the NPVR service

C7 – Restrict redirection of content in the STB middleware to the IP address of the STB that made the command request.
C8 – Require subscriber authentication by the video server for each NPVR content request.

 
T4 – Malicious attackers may mount a denial-of-service attack and overload video servers.

V7 – VOD servers may be accessible from the public Internet

C9 – Segregate the VOD network from the public Internet with firewall and VLAN.

 
T5 – A trusted insider in the IPTV operation may steal clear-text content.

V3 – Employee with who work for the network provider may have physical access to content before source-encryption

C10 – Vet employees, have them work in pairs; don’t employ students or temporary contractors.
C11 – Check bags leaving the building for removable media
C12 – Detect unauthorized network transfer of clear text content using extrusion detection techniques in network core.

 

Conclusions

 

• It’s a lot easier to protect content on IPTV video servers in a controlled environment of a Telecom service provider than on a Windows PC in someone’s home.
• An attack could be mounted on the STB/NPVR network in order to steal master keys and decrypt encrypted content. The cost of mounting such an attack is far greater than the economic alternative of buying HD DVD media on the open market and producing pirated copies or ripping the media and putting it on a Torrent.
• Since BitTorrent is both a strong competitor and sucks up a lot of ISP bandwidth (over 20 percent last time I looked), operators and studios have an opportunity to use an” if you can’t beat them join them”strategy. Considering FCC fair-usage rulings on free-to-air content, the studios and operators are better off using NPVR to serve up shows like Dexter and Heroes and tack a bit extra on the monthly charge. Unicast NPVR serves video on demand without loading the entire network with multicast traffic, subscribers get faster response times (by not having to go out to the public Internet) and the studios gain residual revenue on the shows.
• NPVR security countermeasures use open standards for encryption and network security and have no dependencies on what a third party vendor or subscriber may or may not do. There are no side effects on the entire system if an individual subscriber hacks her IPTV set-top box

It’s interesting to compare the TV / movies market with the PC / Internet market. The TV world is groping towards 1080p and the PC industry long since moved beyond it. The TV world is floundering in shallow waters with an ill-conceved, and poorly implemented scheme of HD content protection written by one of the major vendors (Intel) whereas the the PC / Internet market is overtaking all competition having adopted vendor-neutral standards such as HTTP over 20 years ago.
As seen from the above threat analysis, Unicast network PVR provides the smallest threat surface of current content distribution schemes lowest risk profile and some additional revenue opportunities. It uses standard security measures with no massive side effects like HDCP and plays well with the market economics of providers, studios and subscribers.
Unicast NPVR may just be the most effective way for both the studios and the network service providers to distribute and monetize content with the widest audience and at the lowest cost.