EBU Warns Of Cybersecurity Threats From IT Technologies In Broadcast Domain

Broadcasters are becoming exposed to new cybersecurity threats as they move workflows increasingly into the IT domain, warns the EBU (European Broadcasting Union). Some of them may be unprepared and assume that their traditional content protection mechanisms based on Conditional Access and DRM technologies are still sufficient to cover their security needs.

While vendors of such legacy systems such as VerimatrixKudelski’s Nagra and Irdeto are themselves extending their portfolios to meet new cybersecurity threats such as malware and Distributed Denial of Service (DDoS) attacks, broadcasters need also to establish good practices and ensure that their defenses are regularly checked and upgraded when necessary. After all the threat landscape is constantly evolving and unless broadcasters outsource their security management entirely to a third-party monitoring service they cannot rely on existing products to be always up to date, even when patches are distributed automatically.

Accordingly, the EBU has published a guide called Minimum Security Tests for Networked Media Equipment to highlight new risks arising as workflows migrate to generic IP based IT systems. These are cybersecurity risks common to all enterprise systems and not directly associated with traditional content protection. One problem is that a number of traditional broadcast systems are not protected against such threats because they were not previously connected to the Internet so that these new risks did not exist.

The guidelines note for example how the LDAP (Lightweight Directory Access Protocol) protocol is widely used for authentication and other services, being convenient because it enables single logon where one user password is used for different services. LDAP authentication is used for communicating with a variety of directories, including Microsoft’s ubiquitous Active Directory in Windows environments.

LDAP on its own offers no security against attacks, whether these are active or passive. Active attack occurs when hackers attempt to make changes to data either in the target system or while in transmission to it and LDAP offers no protection against that so that the stream can be modified and unauthorized requests can be injected. Passive attacks occur when the network is being monitored or scanned for open ports and vulnerabilities which the hacker might then use for subsequent direct actions. Since LDAP transmits data unencrypted there is nothing to stop attackers eavesdropping on it.

The recommendation then is to implement Secure LDAP based on SSL (Secure Sockets Layer) and check that it is set up correctly to protect against attackers hijacking connections, eavesdropping data or trapping passwords.

The EBU paper also refers to firmware, both to check that the latest security updates have been downloaded to it and also to ensure that it is fundamentally secure itself. It recommends running security tests using tools such as firmware IDA Debugger (HEX-rays) to check if the firmware itself is secure, which may be unlikely but a major vulnerability if that was the case. This widely applied tool probes the firmware code and created maps of its execution pathways. This enables it to verify that the firmware does not execute illicit actions that breach security thresholds and identify any hostile code that has found its way there.

It also alludes to the subject of fuzzing, which could consume a whole paper in itself but in essence involves firing large amounts of different data at the system attempting to induce a crash and observing responses to see if security threats arise. In the hands of hackers, the aim is to discover a vulnerability that can be exploited, while for defenders it is about testing for bugs that should be fixed. Broadcasters should lean on their product suppliers and systems integrators to ensure that appropriate fuzz testing has been conducted and where relevant continues to be done periodically.

One interesting point not made in the EBU paper but identified by Faultline Online Reporter published weekly by Rethink Technology Research was that that many of these same vulnerabilities will have to be addressed for the Internet of Things. Faultline in turn referred to a paper The State of Fuzzing 2017 from California based design automation group Synopsys, showing that Industrial Control Systems, which form the basis of the IoT even for consumer services, have experienced a high incidence of failures as a result of such loopholes. These should be fixed now because many personal IoT components based on firmware may be hard to update after release.

You might also like...

HDR & WCG For Broadcast: Part 3 - Achieving Simultaneous HDR-SDR Workflows

Welcome to Part 3 of ‘HDR & WCG For Broadcast’ - a major 10 article exploration of the science and practical applications of all aspects of High Dynamic Range and Wide Color Gamut for broadcast production. Part 3 discusses the creative challenges of HDR…

IP Security For Broadcasters: Part 4 - MACsec Explained

IPsec and VPN provide much improved security over untrusted networks such as the internet. However, security may need to improve within a local area network, and to achieve this we have MACsec in our arsenal of security solutions.

Standards: Part 23 - Media Types Vs MIME Types

Media Types describe the container and content format when delivering media over a network. Historically they were described as MIME Types.

Six Considerations For Transitioning To Cloud Based Video Distribution

There are many reasons why companies are transitioning from legacy video distribution workflows to ones hosted entirely in the public cloud, but it’s not a simple process and takes an enormous amount of planning. Many potential pitfalls can be a…

IP Security For Broadcasters: Part 3 - IPsec Explained

One of the great advantages of the internet is that it relies on open standards that promote routing of IP packets between multiple networks. But this provides many challenges when considering security. The good news is that we have solutions…