Cyber-security emerged as an important theme at ANGA COM 2019 with a rallying cry to network operators and content providers to audit their workflows and devices, train staff to spot attempts to infiltrate their IT systems, and continuously monitor against threats. Eric Rutkens, Managing Director of Cyber Security at Eurofins, which launched a cybersecurity division last autumn that will identify connected home, smart home and IoT device vulnerabilities, pointed to content-related ransom demands as a good example of the dangers the television industry faces.
The production workflow can be hacked, unfinished TV episodes can be stolen and a ransom demanded from media owners with a threat that if a payment is not made, the content will be released to the world. HBO and Sony have both been the victims of hackers, the former being threatened with the release of internal data and unseen episodes of shows if they did not pay a ransom. Sony data was famously stolen – and linked by some to its release of the controversial movie ‘The Interview’.
Emphasising why cybersecurity is something TV executives need to focus on, Rutkens identified a number of trends that are increasing security risks. These include the growing number of collaborators in the post-production phase, combined with moving video workflows and content to the cloud. But it is the vulnerabilities of end-devices that the Eurofins Cyber Security division is addressing.
Rutkens said it is accepted within the software development world that a good software coder will make ten mistakes per thousand lines of code. “A smart TV has 2 million lines of code, so that is a lot of mistakes.” These errors can become security vulnerabilities, he told a Cologne audience during this week’s ANGA COM conference session titled ‘Cyber Security & Safety: Prepare your Network and protect your Customer’.
“We recently tested security for a high-end smart TV and it contained over 30 vulnerabilities, five of which were critical or high risk. The television did not comply with GDPR requirements, either. When it comes to device security, the maturity of devices is still very low,” he claimed.
According to Eurofins Cyber Security, more platforms and devices, and more mobile consumption, add up to a bigger ‘surface of attack’ for hackers, while open source platforms – where many devices are using the same core technology stack – increase the potential damage.
The company has just announced a new Security Test Lab in Groningen, Netherlands (operated by Qbit, the digital security testing, compliance, advisory and training specialist that Rutkens founded, and which is now part of the Eurofins group) to test and examine the security of IoT devices for both service providers and manufacturers. The remit for the lab also covers classic TV consumption devices including STBs, connected TV clients, PCs, tablets and mobiles. The testing covers hardware and software and can include virtual testing of devices that are remotely connected to the lab.
Happily, smart TV manufacturers have been among the first to make use of the laboratory – said to be proactively investing in their security. Set-top boxes and connected medical devices are also in the list of most tested devices.
SCTE-ISBE is another organisation trying to convince service providers to become more proactive in combatting cybersecurity risks. This is the technical and science body dedicated to the cable telecommunications industry, which provides resources and training programmes across a range of specialities.
Steve Harris, Executive Director for Education and Learning & Development Sales at SCTE-ISBE, told the ANGA COM conference: “It is not a question of if we are going to be attacked but when. This is a real threat, and we have to pay attention to it.”
The SCTE-ISBE has a ‘cybersecurity essentials’ educational course that considers the case of a ‘kid’ who tried to go through an IP-connected thermostat in order to hack a network. That illustrates how the arrival of smart devices – including those not provided by the cable operator or telco – is creating vulnerabilities.
Harris outlined popular points of attack for hackers, based on 2018 figures from a tier-one European cable operator. These show that 46% of cyber-attacks were aimed at the application layer, encompassing DDoS, DoS, zero day attacks, bots, botnets, SQL injections and scripting, among other things.
Another 23% of attacks tried to exploit a data breach, while 7% related to malware, 7% were focused on the network layer, and 5% were attributed to an ‘insider threat’. Four per cent of cyber-attacks were associated with ransomware and 4% linked to phishing.
“This is a trillion dollar problem and it is only going to get worse,” Harris declared, citing the transition to 10 Gbps cable networks (which was another big theme at ANGA COM), increased OTT services and industrial IoT as opportunities for hackers. “Think about how many devices there are going to be. We need to close down vulnerabilities. You have to think about the headend to the customer premise equipment and make it difficult for the cyber-hackers to work.”
Harris talked of ‘adversarial engineering’ – in other words, directing engineering resources into battle against the cyber-challengers. “Everyone needs to conduct a threat analysis. We cannot identify every threat in the network, but we can identify the ones that cost us the most customers or take out the largest part of the network.”
NAGRA, one of the ANGA COM exhibitors, made an early move into cybersecurity, building on its content security heritage in the Pay TV industry, and provides a mixture of consulting, managed security services and security training and education – all things the SCTE-ISBE wants to see more of. It also offers cyber staffing as an option.
The NAGRA cybersecurity division can help protect IT infrastructure, network operations and the business in general, and it encompasses entertainment industry requirements and IoT. NAGRA can audit a cybersecurity programme for resilience, and help shape the strategic direction of a cyber programme. The company also offers an incident management and response service to help identify, contain and mitigate the effect of security breaches.
The NAGRA offer illustrates the holistic nature of cyber-protection. For the media and entertainment industry, we are moving from an age when content and networks were the target to one where every corner of the enterprise is threatened – right down to the accounting department.
In the customer premise, the content and service protection that was designed to prevent content piracy will increasingly be complemented by smart home/IoT protection that counters hacking and other attacks upon devices like security cameras, baby-cams and voice assistants. This protection is a natural extension of the service provider role, even where they are not providing smart home services themselves.
Tel Aviv based cybersecurity specialist SAM is convinced that telcos can monetise a role as the cyber-guardian. The company used ANGA COM to discuss how it offers cybersecurity as a managed service to telcos and cable operators who can then ‘retail’ this to consumers.
Bezeq, the Israeli telecoms provider, is the first operator customer for the SAM solution. It charges consumers the equivalent of US$3.50 a month for an offer that protects their home network and all the devices within it. According to Elion Lotem, Co-founder and CTO at SAM, the average number of connected devices per home is currently 16, although one home covered by SAM protection contains 60.
The managed security service comes with an app that gives the user visibility of their home network and enables network segmentation. The app supports consumer-friendly features like parental control, as well.
Lotem admits that, to some extent, an app is a way to show consumers something tangible – a front-end to a service that is otherwise largely hidden from view. “There is no value in protecting someone if they do not know they are protected,” he explains. “The app helps a service provider show the value of what they are paying for.”
What consumers do not see is the intense behind-the-scenes efforts to keep Bezeq homes safe. The managed cybersecurity service is underpinned by ongoing threat intelligence and in February SAM was preventing, on a weekly basis, 67,000 DoS attacks, over 15,000 malware attacks, 18,000 spyware attacks and 2,500 router takeover hacks across the Bezeq customer base.
Bezeq spent most of 2018 installing the SAM cybersecurity software into its 1.5 million households – providing protection at a wide area network and enterprise level. As of February 2019, 35% of the telco’s customers had taken the premium subscription option to protect their local area network – whether residential or in small office networks.
Niv Brekner, Head of Products and Innovation at Bezeq, summed up the concerns. “Our customers keep adding new IoT devices to their homes without being aware of the risks involved. With the SAM technology deployed they have gained a sense of control – and we have been able to prevent a wide range of attacks from their home networks.”
Lotem says there are two categories of vulnerability his company needs to protect against in the home – the devices themselves and also consumer behaviour. The latter refers to using weak passwords or the use of retail devices that are not security certified. In these instances, SAM provides recommendations to users, via the app.
“Maybe you set a weak password on your security camera or your firewall configuration is too weak. If you were infected with malware via public Wi-Fi when outdoors, we can notify the laptop that it has been compromised so someone can install anti-virus software.”
The smarter devices are, the more vulnerable they are to attack, Lotem reckons, since they have more functionality as well as more connectivity.
The $3.50 (equivalent) fee equates to 12% of the basic broadband price at Bezeq. Lotem reckons the sweet spot for service provider monthly charges for this type of service is 10-15% of basic broadband prices.
SAM has no intention of getting into the direct-to-consumer cyber-security market and is committed to providing its offer to service providers so they can retail it to customers. Lotem views cybersecurity as one of the new revenue streams, together with managed home Wi-Fi, that a network operator can exploit. No new hardware is needed to offer the SAM service: the service provider only has to download software to its routers.
Bezeq represents the largest deployment yet for the SAM solution but Lotem reveals that there will be multiple deployments in Europe this year, with at least one cable operator and one telco – both of whom will charge consumers a monthly premium for the cybersecurity feature.
ANGA COM featured other companies with a strong security story, including Synamedia, which used the show to highlight the problem of password sharing for streaming video services. According to Orly Amsalem, Product Manager, Security, at Synamedia (the company that spun out of Cisco last year), media owners have previously ignored credential sharing but have now concluded that it is a problem and needs to be addressed.
She showed a Facebook post where someone wrote ‘Sharing is caring’ and asked if anyone would share their Hulu account credentials with them. More than one person did. Amsalem took this as evidence that password sharing is becoming a social norm, at least among millennials and Generation Z.
Until recently, Amsalem suggested, executives were willing to use password sharing as a marketing tool on the assumption that younger viewers would love a service and eventually become paying customers, but “they didn’t grow up to become subscribers”.
Another development that is changing service provider attitudes is the online trade in hacked passwords. These can be used to work out the complete log-in details for accounts, at which point the accounts are sold as a fully-formed identity that will get the purchaser (who becomes a new, unauthorised user) access to a subscription streaming service.
The solution offered by Synamedia – called Synamedia Credentials Sharing Insight – uses AI, machine learning and behavioural analytics to figure out whether a service is being accessed by the original (and legitimate) paying user and authorised family members or not. This requires an understanding of normal behaviour that can be compared to current behaviour – noting the type of device being used and its location, for instance. Thus, unusual activity for any given day of the week can be identified.
The number of concurrent streams is an important metric when differentiating between legitimate and unacceptable usage. Amsalem told the ANGA COM conference that if the account is using the maximum number of permitted concurrent streams most of the time, you probably have unauthorised users.
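The concurrent-stream signal described above can be sketched as follows. This is an added example, not part of the original article and not Synamedia's product code; the session format, account names, stream limit and the 0.5 threshold standing in for "most of the time" are all assumptions.

```python
from collections import defaultdict

# Constructed sample data: (account, start_minute, end_minute) per stream session.
SESSIONS = [
    ("acct-a", 0, 120), ("acct-a", 10, 130),
    ("acct-a", 125, 200), ("acct-a", 130, 200),
    ("acct-b", 0, 60), ("acct-b", 30, 90), ("acct-b", 200, 300),
]
MAX_STREAMS = 2             # assumed plan limit on concurrent streams
SATURATION_THRESHOLD = 0.5  # assumed reading of "most of the time"


def saturation_ratio(intervals, max_streams):
    """Share of an account's active streaming time spent at the stream limit."""
    events = []
    for start, end in intervals:
        if end > start:              # ignore empty or malformed sessions
            events.append((start, 1))
            events.append((end, -1))
    events.sort()                    # sweep the timeline in time order
    active = saturated = concurrent = 0
    prev = None
    for t, delta in events:
        if prev is not None and concurrent > 0:
            span = t - prev          # time spent at the current concurrency
            active += span
            if concurrent >= max_streams:
                saturated += span
        concurrent += delta
        prev = t
    return saturated / active if active else 0.0


def flagged_accounts(sessions, max_streams, threshold):
    """Accounts whose saturation ratio meets the threshold, for review."""
    by_account = defaultdict(list)
    for account, start, end in sessions:
        by_account[account].append((start, end))
    return sorted(
        account for account, intervals in by_account.items()
        if saturation_ratio(intervals, max_streams) >= threshold
    )


if __name__ == "__main__":
    # A flag is a signal for follow-up, not proof: a large household can
    # legitimately sit at the limit, so it would be combined with the device
    # and location signals the article mentions.
    print(flagged_accounts(SESSIONS, MAX_STREAMS, SATURATION_THRESHOLD))
```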
Understanding when unauthorised credential sharing is happening is one part of the task for Synamedia, but the automation of this activity at vast scale, and the automation of the counter-measures that are adopted, is another crucial part of the solution. A service provider response could be to ask the viewer to upgrade to a family account that allows more concurrent streams, for example. Synamedia’s suggested approach is to try to monetise the unauthorised users rather than limit the number of concurrent streams that legitimate account holders are allowed.
Another ANGA COM exhibitor, Viaccess-Orca (VO), revealed a solution that will identify password sharing. The company was showcasing its anti-piracy services in general, which are offered as a managed service. These also include device assessment, watermarking and breach detection. “We can react to suspicious security events in seconds, identifying the source of piracy and taking counteractions in collaboration with the operator,” the company said.
Verimatrix, also at ANGA COM, offers its VCAS Ultra Anti-Piracy Monitoring and Response option, featuring a centralised surveillance service that programmatically monitors for known security exploitation behaviours. This solution uses machine learning and pattern recognition to identify ambiguous and suspicious activity, which is flagged to the operator. Together, they work out what is going on and how to mitigate the situation.