EBU Warns Of Cybersecurity Threats From IT Technologies In Broadcast Domain

Broadcasters are becoming exposed to new cybersecurity threats as they move workflows increasingly into the IT domain, warns the EBU (European Broadcasting Union). Some of them may be unprepared and assume that their traditional content protection mechanisms based on Conditional Access and DRM technologies are still sufficient to cover their security needs.

While vendors of such legacy systems such as VerimatrixKudelski’s Nagra and Irdeto are themselves extending their portfolios to meet new cybersecurity threats such as malware and Distributed Denial of Service (DDoS) attacks, broadcasters need also to establish good practices and ensure that their defenses are regularly checked and upgraded when necessary. After all the threat landscape is constantly evolving and unless broadcasters outsource their security management entirely to a third-party monitoring service they cannot rely on existing products to be always up to date, even when patches are distributed automatically.

Accordingly, the EBU has published a guide called Minimum Security Tests for Networked Media Equipment to highlight new risks arising as workflows migrate to generic IP based IT systems. These are cybersecurity risks common to all enterprise systems and not directly associated with traditional content protection. One problem is that a number of traditional broadcast systems are not protected against such threats because they were not previously connected to the Internet so that these new risks did not exist.

The guidelines note for example how the LDAP (Lightweight Directory Access Protocol) protocol is widely used for authentication and other services, being convenient because it enables single logon where one user password is used for different services. LDAP authentication is used for communicating with a variety of directories, including Microsoft’s ubiquitous Active Directory in Windows environments.

LDAP on its own offers no security against attacks, whether these are active or passive. Active attack occurs when hackers attempt to make changes to data either in the target system or while in transmission to it and LDAP offers no protection against that so that the stream can be modified and unauthorized requests can be injected. Passive attacks occur when the network is being monitored or scanned for open ports and vulnerabilities which the hacker might then use for subsequent direct actions. Since LDAP transmits data unencrypted there is nothing to stop attackers eavesdropping on it.

The recommendation then is to implement Secure LDAP based on SSL (Secure Sockets Layer) and check that it is set up correctly to protect against attackers hijacking connections, eavesdropping data or trapping passwords.

The EBU paper also refers to firmware, both to check that the latest security updates have been downloaded to it and also to ensure that it is fundamentally secure itself. It recommends running security tests using tools such as firmware IDA Debugger (HEX-rays) to check if the firmware itself is secure, which may be unlikely but a major vulnerability if that was the case. This widely applied tool probes the firmware code and created maps of its execution pathways. This enables it to verify that the firmware does not execute illicit actions that breach security thresholds and identify any hostile code that has found its way there.

It also alludes to the subject of fuzzing, which could consume a whole paper in itself but in essence involves firing large amounts of different data at the system attempting to induce a crash and observing responses to see if security threats arise. In the hands of hackers, the aim is to discover a vulnerability that can be exploited, while for defenders it is about testing for bugs that should be fixed. Broadcasters should lean on their product suppliers and systems integrators to ensure that appropriate fuzz testing has been conducted and where relevant continues to be done periodically.

One interesting point not made in the EBU paper but identified by Faultline Online Reporter published weekly by Rethink Technology Research was that that many of these same vulnerabilities will have to be addressed for the Internet of Things. Faultline in turn referred to a paper The State of Fuzzing 2017 from California based design automation group Synopsys, showing that Industrial Control Systems, which form the basis of the IoT even for consumer services, have experienced a high incidence of failures as a result of such loopholes. These should be fixed now because many personal IoT components based on firmware may be hard to update after release.

You might also like...

Preventing The Streaming Tsunami

Today, most broadcasters deliver less than 10% of their total viewing hours via OTT streaming services. As that shifts to streaming first delivery the Tsunami will be big… so what can be done about it?

Local TV In The U.S.A – 1967 Style

Our very own TV pioneer shares recollections of local TV in the US from his start in 1967.

Monitoring & Compliance In Broadcast: Monitoring Delivery In The Converged OTA – OTT Ecosystem

Convergence or coexistence between linear broadcast, IP based delivery and 5G mobile networks creates new challenges for monitoring of delivery paths, both technically and logistically.

Seeing The Streaming Tsunami Coming

Streaming video is on the cusp of becoming a major problem for broadband networks. We are about to see a huge Tsunami wave of demand emerge as broadcasters finally make a big shift towards streaming-first.

Monitoring & Compliance In Broadcast: Monitoring The Media Supply Chain

Why monitoring the multi-format delivery ecosystem starts with a holistic approach to the entire media supply chain.