
Content security vendors need to prevent babycam hacking nightmares

Some of the technology used to secure premium content today, using a software client that is hardened and fully field-renewable (diagram shows Cloaked CA from Irdeto).

Last November British newspapers reported the disturbing discovery that footage from security cameras in homes, gyms and offices was being streamed live on rogue websites. The Daily Mail reported that “Families are unwittingly broadcasting their everyday lives across the internet via hacked home security cameras…This allows anyone to spy on families in their own homes in real time.”

The paper reported how one Russian website shows scenes from hundreds of cameras in living rooms, bedrooms and gardens. There was footage of unsuspecting workers in offices. “Among the most shocking images are those from baby monitors which show children sleeping in their cots at home. Another shows an elderly woman sitting in her living room in Wakefield.”

The report warned that the site broadcasts from cameras showing women working out on a treadmill in a gym in Manchester. There were views of gardens and conservatories “in affluent properties across South East England.”

The story ticks off most of your privacy nightmares. Worse followed in April this year. The same national newspaper (and others) reported how a three-year-old boy in Washington, USA, started complaining to his parents that someone was talking to him at night. At first they dismissed it, then one night they heard a strange man’s voice on the monitor telling their son: ‘Wake up little boy, daddy’s looking for you.’

The report reads: “And the horrified parents, who do not want to be named for fear the unknown man could track them down, believe it is not just the audio monitor that has been hacked. They believe the stranger has also got into the camera on the device.”

Readers were warned in another newspaper that if you use webcams with weak passwords or without any password protection you will be vulnerable to hackers.

Earlier this year, Andrew Wajs, Chief Technology Officer at the content security specialist Irdeto, pointed us towards the Russian website webcam story when discussing the potential role of Pay TV operators and television technology vendors in the Internet of Things. He pointed out that the root cause of privacy breaches can be misconfiguration of cameras (such as weak passwords). And he warned that buying connected devices that are difficult to set up and easy to configure wrongly will be one of the security threats to homes using IoT applications and services.

So one role service providers can perform is helping people to ensure their equipment is set up properly, but even if they are not installing it, they can at least alert people to potential cyber intrusions.

As we report elsewhere, data security and the protection of our privacy will be one of the great IoT challenges. The Pay TV industry is well placed to tackle this issue, given the robust mechanisms that have been designed to secure expensive content against well organized and highly determined pirates. The Pay TV industry has experience of securing pure software (including through obfuscation) and harnessing built-in chips within customer premise devices to harden content security. 

Vendors in this industry have learned how to firewall video applications against operating systems and apps that may run elsewhere on a device, and which present a potential route in for hackers. They know how to integrate software into multiple devices, and manage multiple different protection mechanisms (CA and DRM) with unified rights management. They totally understand the concept of security as a service – as opposed to ‘secure today and forget’ (security is a never-ending race against hackers).

Speaking earlier this summer, Wajs raised the spectre of corporate level cyber attacks and blackmail as a further warning of what could go wrong with poorly secured Smart Home services. “Imagine the scenario where the operator gateways contain images that are being exploited by attackers for blackmail. The operator would suffer a massive loss of face and a loss of customers.”

So data and content security for the IoT means protection against corporate level cyber-attacks, and protection of the individual home and the services and devices within it. One of the weapons that a service provider can use is the insight they have into home networks across different customers, which gives them a high-level view of the kinds of threats and attacks that are developing.

Wajs says they can feed this knowledge back to the end-customer smart home networks, providing active maintenance or alerting people if something bad is happening.

He emphasizes how the content security industry has broadened its capabilities over the last ten years of protecting video. “If you go back a long time we were all focused on encryption of the video stream and key management, but for the last 5-10 years there has been a strong awareness of the different kinds of threats you have to deal with, including attacks on the customer premise device itself. So we have had to broaden our security. We have all looked at CPE security including software integration and threats from applications running on the same device.”

Compared to the many types of OTT service provider who do not own a network or install devices (whether they offer video, cloud storage or potentially Smart Home services), Pay TV and broadband providers have a relatively ‘heavy-touch’ with consumers involving truck rolls, device installation, maybe device subsidization, repair commitments, etc. Wajs thinks this will be a strategic advantage in the IoT market.

“Pay TV operators put hardware into the home in some shape or form, and I think that could be an asset when there are going to be lots of different devices in the home doing different things.” 

He thinks home security, monitoring and tele-health are good Smart Home use-cases today but notes that we are in the early stages of this market and it is hard to predict what the killer applications for IoT will be. Irdeto has an R&D programme focused on home network security issues beyond the gateway and a more comprehensive security solution that will have value to consumers as well as Pay TV operators. The company has had a number of engagements with prospective customers this year focused on IoT security issues. 

