EBU Warns Of Cybersecurity Threats From IT Technologies In Broadcast Domain
The EBU (European Broadcasting Union) believes bringing IT technology into the broadcasting domain has brought new security threats.
Broadcasters are becoming exposed to new cybersecurity threats as they move workflows increasingly into the IT domain, warns the EBU (European Broadcasting Union). Some of them may be unprepared and assume that their traditional content protection mechanisms based on Conditional Access and DRM technologies are still sufficient to cover their security needs.
While vendors of such legacy systems such as Verimatrix, Kudelski’s Nagra and Irdeto are themselves extending their portfolios to meet new cybersecurity threats such as malware and Distributed Denial of Service (DDoS) attacks, broadcasters need also to establish good practices and ensure that their defenses are regularly checked and upgraded when necessary. After all the threat landscape is constantly evolving and unless broadcasters outsource their security management entirely to a third-party monitoring service they cannot rely on existing products to be always up to date, even when patches are distributed automatically.
Accordingly, the EBU has published a guide called Minimum Security Tests for Networked Media Equipment to highlight new risks arising as workflows migrate to generic IP based IT systems. These are cybersecurity risks common to all enterprise systems and not directly associated with traditional content protection. One problem is that a number of traditional broadcast systems are not protected against such threats because they were not previously connected to the Internet so that these new risks did not exist.
The guidelines note for example how the LDAP (Lightweight Directory Access Protocol) protocol is widely used for authentication and other services, being convenient because it enables single logon where one user password is used for different services. LDAP authentication is used for communicating with a variety of directories, including Microsoft’s ubiquitous Active Directory in Windows environments.
LDAP on its own offers no security against attacks, whether these are active or passive. Active attack occurs when hackers attempt to make changes to data either in the target system or while in transmission to it and LDAP offers no protection against that so that the stream can be modified and unauthorized requests can be injected. Passive attacks occur when the network is being monitored or scanned for open ports and vulnerabilities which the hacker might then use for subsequent direct actions. Since LDAP transmits data unencrypted there is nothing to stop attackers eavesdropping on it.
The recommendation then is to implement Secure LDAP based on SSL (Secure Sockets Layer) and check that it is set up correctly to protect against attackers hijacking connections, eavesdropping data or trapping passwords.
The EBU paper also refers to firmware, both to check that the latest security updates have been downloaded to it and also to ensure that it is fundamentally secure itself. It recommends running security tests using tools such as firmware IDA Debugger (HEX-rays) to check if the firmware itself is secure, which may be unlikely but a major vulnerability if that was the case. This widely applied tool probes the firmware code and created maps of its execution pathways. This enables it to verify that the firmware does not execute illicit actions that breach security thresholds and identify any hostile code that has found its way there.
It also alludes to the subject of fuzzing, which could consume a whole paper in itself but in essence involves firing large amounts of different data at the system attempting to induce a crash and observing responses to see if security threats arise. In the hands of hackers, the aim is to discover a vulnerability that can be exploited, while for defenders it is about testing for bugs that should be fixed. Broadcasters should lean on their product suppliers and systems integrators to ensure that appropriate fuzz testing has been conducted and where relevant continues to be done periodically.
One interesting point not made in the EBU paper but identified by Faultline Online Reporter published weekly by Rethink Technology Research was that that many of these same vulnerabilities will have to be addressed for the Internet of Things. Faultline in turn referred to a paper The State of Fuzzing 2017 from California based design automation group Synopsys, showing that Industrial Control Systems, which form the basis of the IoT even for consumer services, have experienced a high incidence of failures as a result of such loopholes. These should be fixed now because many personal IoT components based on firmware may be hard to update after release.
You might also like...
Designing IP Broadcast Systems - The Book
Designing IP Broadcast Systems is another massive body of research driven work - with over 27,000 words in 18 articles, in a free 84 page eBook. It provides extensive insight into the technology and engineering methodology required to create practical IP based broadcast…
Demands On Production With HDR & WCG
The adoption of HDR requires adjustments in workflow that place different requirements on both people and technology, especially when multiple formats are required simultaneously.
Standards: Part 21 - The MPEG, AES & Other Containers
Here we discuss how raw essence data needs to be serialized so it can be stored in media container files. We also describe the various media container file formats and their evolution.
Broadcasters Seek Deeper Integration Between Streaming And Linear
Many broadcasters have been revising their streaming strategies with some significant differences, especially between Europe with its stronger tilt towards the internet and North America where ATSC 3.0 is designed to sustain hybrid broadcast/broadband delivery.
Microphones: Part 2 - Design Principles
Successful microphones have been built working on a number of different principles. Those ideas will be looked at here.