
SECURITY AND SAVINGS: GOING DIGITAL AND GETTING BOTH

Alec Main Cloakware Corporation

Abstract

Achieving cost savings while converting the ecosystem to digital continues to be a difficult problem. The revenue opportunities available through the conversion of the analog bandwidth to digital are well identified, but with the continued prevalence of analog legacy systems, the path to conversion is a significant challenge. How can the industry leverage the potential revenues of digital bandwidth, while continuing to provide service to those who may not want or need the digital experience?

This paper examines a cost effective path to conversion which proposes developing a basic service set-top box (STB) that would include replacing hardware-based security and solutions with a lower cost tamper-resistant software solution. This change would allow subsidized digital STB roll-out and electronic provisioning of basic services, while enforcing the rights of content providers and owners.

INTRODUCTION

The move from analog to digital networks allows cable operators to offer more services to more customers than ever before. With digital cable, multiple service operators (MSOs) can offer a host of new services such as video-on-demand, interactive television and commercial-free CD-quality music, giving subscribers greater choice, quality and control.

Taking the network all-digital frees up bandwidth to offer these new, exciting services. While subscribers report good satisfaction from digital services, the challenge for cable operators is switching over the installed base of analog users. Those reluctant to switch – who could represent the next potential wave of adopters – complain about too few digital channels, while some subscribers have no intention of switching. In the meantime, the base of subscribers who do upgrade from analog to digital can experience reduced quality on analog channels due to excessive conversion (i.e., analog to digital to analog).

Consider the following broad categories of cable subscribers:

1) Premium service subscribers using digital services on a set-top box with a two-way modem.

2) Potential new digital subscribers considering upgrading to a digital STB.

3) Basic service subscribers using analog services, who may never switch to digital.

Until all of the basic subscribers switch over to the digital service, the MSO must continue to provide analog services as well as digital. The fastest way to accomplish the digital conversion – and to reap the benefits – is to entice subscribers to make the leap by lowering the price of the STB to such a point that it is easy for consumers to switch – say, $35 – or at least, to a point where an MSO can economically subsidize the box.

In order to achieve a cost-effective box, we propose boxes without smart cards or CableCARDs™ that are targeted at the basic service subscriber. Security will be handled by secure software which is lower cost compared to hardware. The set-top box would have a unidirectional cable modem, analog TV output (converted from digital input) and use a standard remote control. There would be no hard drive or personal video recorder (PVR) capabilities and no additional outputs for home networking. It would be compatible with existing TVs and VCRs.

This paper presents the challenges and benefits of going digital using secure software:

• Dealing with currently accepted piracy levels during the transition
• Reducing the manufacturing and on-going support costs
• Realizing additional benefits of a software approach including electronic provisioning
• Making the software secure
• Dealing with legacy CAS systems

It concludes that a software-based solution is cost effective, while continuing to prevent subscription fraud.

GOING DIGITAL

Analog services tie up a significant percentage of bandwidth. Once the analog services are no longer required, bandwidth is freed up for additional premium service offerings.

However, making the switch requires some planning. Many MSOs have already moved some channels to digital, but the network infrastructure must be set to handle all-digital. The switchover must be well communicated and coordinated to ensure minimal disruption of service. The actual adding of the STB to the subscriber’s premises should be very simple.

The next issue is whether to scramble basic services – the goal being electronic provisioning and eliminating truck rolls to activate or deactivate subscribers. To answer this question, we need to consider existing piracy and subsidy strategies.

A certain level of subscription fraud is tolerated today. Many subscribers have a splitter in their basement and feed multiple TVs on one subscription.

Going all-digital – whether the basic service is scrambled or not – requires a STB per TV. If the low-cost STB is not available through retail channels, then the MSO needs to consider piracy in conjunction with their subsidy strategy.

The low-end STB has a one-way cable modem and an analog output. It provides only basic services and the keys for delivering premium services are never downloaded to the box. The threat against such a box is low. However, by not addressing existing piracy, a market for grey market hacked devices will develop. A strategy is needed to consider subsidizing one or even two low-cost boxes per home, plus providing additional boxes for sale. Subscriptions can charge for multiple TVs at a reasonable price – but not so high as to stimulate a grey market. Most subscribers will want to stay legitimate given reasonable options.

Under this scenario, users would need to upgrade to another box for premium services. The basic STB could still support the Open Cable Applications Platform (OCAP), but offer a limited set of capabilities (e.g. no interactive functions). The MSO may want to consider giving subscribers the option of the basic box, with a credit on a premium box when taking the network all-digital.

Proper planning and a strategy to address existing piracy must be in place prior to making the transition to an all-digital network in order for subscribers to legitimately obtain the services they want.

SAVINGS

How can we get the price down low enough to enable the transition to all-digital input for the basic service subscriber? We propose cutting manufacturing costs by replacing the security hardware with secure software. Software can deliver identical functionality to hardware with other added benefits.

Cost savings are realized by eliminating the CableCARD, as well as the reader within the STB. A CableCARD is a PCMCIA-like card with a smart card slot or smart-card functionality embedded. While these prices are expected to drop, they are currently very expensive. The cost of the card is covered by the MSO, and may be recouped by a small incremental monthly charge. If these cards are hacked, which is likely if satellite TV is any indication, then they need to be replaced periodically by the MSO. By eliminating these cards on a basic STB, the MSO saves initial and recurring costs, while minimizing the threat – it is very difficult for a basic services box to be upgraded via hacks to full service.

The additional major cost savings comes from using a basic unidirectional cable modem over a bidirectional DOCSIS® modem. By running the secure software in a Linux® environment, there are no additional operating system costs.

There will, however, be additional costs for the CPU and memory, but it’s money better spent: this is the more practical place to add cost, since these processors support a wider variety of software and applications. The CPU could also support Open Cable Application Platform (OCAP) and this know-how can be leveraged on premium boxes where more functionality is CPU intensive, such as DTCP-IP (Digital Transport Copy Protection mechanism for use on IP networks) and PVR functions. Also, expect some additional cost for hardening the software running on the box.

The last additional cost relates to the legacy conditional access system (CAS) in place on the MSO’s network. This cost is discussed later in this paper. We believe that the savings will be greater by moving to a secure software implementation, plus there are added benefits to a secure software approach.

BENEFITS OF SOFTWARE SECURITY

In consumer electronics, cost reductions typically involve the replacement of soft parts with hard parts. Integration is usually the name of the game.

Security is an exception.

Conditional access security is provided by an external component such as a smart card. The smart card is not integrated because it needs to be specific to an MSO, but also because it needs to be renewed periodically.

Software security can also be renewed, but at significantly lower cost. In addition, it is much harder to remove software from a closed box, hack it and then insert it into other boxes. Smart cards arguably help create a pirate network because of the ease of removal and distribution.

Secure software – or more specifically a secured software-oriented STB – has other benefits:

1) New revenue opportunities – operators can create new service bundles based on the ability of subscribers to download new technologies and features, even for low-end STB owners.

2) Increased flexibility – operators can meet different standards as they emerge.

3) Increased renewability – new security countermeasures can be deployed quickly and as frequently as required to the entire existing installed base faster, reducing subscription fraud and piracy. Software can be renewed selectively, proactively, or reactively.

4) Ability to upgrade – subscribers don’t have to buy a new set-top box to benefit from new technologies and new features that can be downloaded.

All of these benefits can be achieved without the use of smart cards and the added costs of replacing them.

SECURITY

The rewards of the secure software-oriented STB extend well beyond reductions in cost to the MSO, but what kind of new risks are introduced to the MSO and how are they best mitigated? Any discussion on software security should include a description of the threat model. The STB scenario is called a “hostile user threat”, where the legitimate user of the system may want to hack it for the purposes of subscription fraud, piracy or theft of services.

Do we even need to protect the box? Certainly the threat is not as severe as in a PC environment where the hostile user has complete control of the CPU and applications that are loaded. However, software protection steps are needed as the box will likely run a known operating system like Linux for cost savings. Regardless, tools exist to attack most computer systems, so some level of protection is prudent.

Can we just encrypt the data? Data confidentiality is only one component of the solution. The software also needs protection. Content protection standards, such as DTCP-IP, CPRM (Content Protection for Renewable Media) and HDCP (High-bandwidth Digital Content Protection), all recognize the need for software robustness.¹ The requirement for software protection is mandated by these standards.

In this case, the primary goal is to prevent subscription fraud. Since this box is for basic services only, the simplest mechanism is to make sure the box does not have the content descrambling keys or functionality required for premium services. We assume some scrambling is performed on the content and the goal is to decrypt only the appropriate channels.

Secondly, the attacker can always convert the analog output to digital (known as the “analog hole”), whereas our security goal is to prevent siphoning-off of the digital content. Again, a basic service box reduces this risk since premium content is never descrambled or available on the internal busses in the clear.

Lastly, we want to prevent the box from being used for other purposes – a form of subscription fraud common with high-end media devices such as Xbox®.² Since this is a basic service box with limited outputs, such threat of service is also low risk.

Since we have control of the operating system installation and software upgrades, we can consider numerous techniques to harden the system. First let’s look at how software is attacked. A software attack follows this general framework:

1) Analysis – Classic reverse engineering and analysis of the software and protocols to identify vulnerabilities. This can be static analysis when the code is not running, such as disassembly and decompilation, or dynamic tracing of the executing code using debuggers and emulators. There are some more advanced and powerful forms of analysis such as collaborative and differential analysis, which we will discuss later.

2) Tampering – Modifying the code and/or data such that it performs according to the attacker’s objectives.

3) Automation – The creation of scripts or code to apply the tampering attack to multiple copies of the application. These are also known as “class attacks” or “global breaks”. In some cases, the tampered application must be distributed, which is less desirable from an attacker’s perspective as it is more detectable and prosecutable under legal measures.

4) Distribution – Once the automated attack is created, it must be distributed in an effective, confidential means. Often bulletin boards, Internet Relay Chat (IRC) and peer-to-peer networks (P2P) are used for this purpose.

The first goal is to make analysis and tampering difficult, time-consuming and/or expensive. The obvious approach to prevent static analysis is to encrypt the binary. However, there are many techniques to extract these decrypted executables from memory. However, there are also techniques that prevent static analysis such as control flow flattening which introduces pointer aliasing that can only be resolved at runtime. There are specific decompilation and disassembly prevention techniques that target these tools. Note that while very powerful disassembly tools exist, most low-level code written in C or C++ is very difficult to decompile with only a few tools available. Software protection is about using multiple layers of defense and all these techniques should be considered.

Runtime analysis of a system can be prevented or made very expensive by the use of anti-debugger and anti-emulation techniques. A range of techniques unto themselves, these can be effective on platforms where the operating system and applications are known in advance – such as with our basic STB. In this case, the code can be tied to the platform via node locking and loading of new applications controlled by secure code signing techniques. Advanced just-in-time decryption (or self-modifying code) techniques also raise the bar against dynamic analysis. Authentication of components on the machine and encryption of communication channels with protocols not subject to replay attacks also prevent analysis. In addition, data transformation techniques can be used to hide and randomize data values even when operated on within main memory. White-box cryptography refers to specific cryptographic implementations designed to prevent key extraction even when the operation can be viewed by an attacker.

Static tampering is prevented with binary encryption techniques, as well as by introducing data dependencies in the code to change an easy branch jamming attack into tampering – increasing the effort required and involving multiple changes to the code. An important technique to prevent tampering is code signing, but the code signing mechanism itself will be subject to attack and so must also be suitably hardened. Integrity verification of applications should be done statically (on-disk) as well as in-memory to prevent dynamic tampering attacks.

Prevention of automated attacks is best achieved by deploying code and data diversity such that a successful attack will only work for a sub-set of users. Diversity of code is a result of most software protection techniques outlined above. It is similar to having different keys (diversity of data) for different users. Diversity of code recognizes that attacks will be on the software in addition to the data. Automated attacks are also mitigated by software renewability, which can be made low cost – if designed in upfront. Conversely, with hardware based security, renewability is a major cost. Software can be renewed selectively, proactively, or reactively – depending on the strategy and the attacks to the specific system.

Diversity is a prerequisite for successful renewability; otherwise attackers will perform differential analysis. This is a powerful attack used to quickly determine the changes made to software upgrades and shorten the time to successful hack.

LEGACY CONDITIONAL ACCESS

In North America, the vast majority of conditional access systems for cable are provided by Motorola or Scientific-Atlanta. In order to integrate a software based low-end STB, there are three options:

1) License the CAS system from Motorola or Scientific-Atlanta (e.g. as done by Digeo³ and others)

2) Utilize Sony Passage⁴ to run an additional CAS over top the legacy CAS.

3) Roll-over to a new CAS during the all-digital transition.

The disadvantage of Sony Passage is that the MSO must make changes to their head end. The Sony Passage system consumes 2% to 10% additional bandwidth, but this will be amply compensated for by going all-digital. There are a number of new players⁵ providing software-based CAS that can work with Sony Passage or independently.

CONCLUSION

This paper has described a secure and cost effective path to migrate analog cable users to digital services.

For the basic service subscriber, we can achieve a cost-effective box without smart cards or CableCARDs. The set-top box would have a unidirectional cable modem, analog TV output (converted from digital input), and would be compatible with existing TVs and VCRs.

Secure software can effectively address the challenges of going digital and provide additional benefits. These challenges include legacy conditional access systems, dealing with piracy and reducing overall cost.

Proper planning and a strategy to address existing piracy must both be in place prior to making the transition to an all-digital network.

The other benefits of implementing a low cost STB employing secure software include new revenue opportunities, increased flexibility, increased renewability, and a cheaper upgrade path.

All of these benefits can be achieved without the use of smart cards and the added costs of replacing them.

We conclude that a software-based solution is cost effective, while continuing to prevent subscription fraud.

TRADEMARKS

CableCARD is a trademark of Cable Television Laboratories, Inc.

DOCSIS (Data Over Cable Service Interface Specification) is a registered trademark of Cable Television Laboratories, Inc.

Linux is a registered trademark of Linus Torvalds.

Passage is a trademark of Sony Corporation.

Xbox is a registered trademark of Microsoft Corporation.

REFERENCES

1) Bar-Haim, Pam and Wald, Stephanie, NDS Ltd.; “The NDS Guide To Digital Set-Top Boxes: Third Edition”; 2002. See: http://www.broadcastpapers.com/data/NDSGuideSetTopBoxIndex.htm

ABOUT THE AUTHOR

Alec Main ([email protected]) is Cloakware’s Chief Technology Officer. He has spoken at key forums and conferences including the Copy Protection Technical Working Group (CPTWG), Media Summit, RSA, the Intel Developer Forum, Information Highways, and Certicom – PKCS.

END NOTES

1) See: Hitachi, Ltd., Intel Corporation, Matsushita Electric Industrial, Co., Ltd., Sony Corporation, Toshiba Corporation; “5C Digital Transmission Content Protection, White Paper”; July 14, 1998; http://www.dtcp.com/data/wp_spec.pdf

2) See: xbox hackz Website; http://www.xboxhackz.com/; 2002

3) See: Digeo Inc. Website; http://www.digeo.com; 2004

4) See: Sony Passage Website; http://www.sonypassage.com; 2004

5) See: Latens Systems Ltd. Website; http://www.latens.co.uk/html/cable.html; 2004.
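
As an added illustration (not code from the paper or from Cloakware), the Python below works through three ideas from the SECURITY section together: node locking, integrity verification on-disk and in-memory, and per-box keys that change on renewal. It assumes an HMAC tag as a symmetric stand-in for a real code-signing signature and keeps the key in plain memory, which on a real box is what white-box cryptography would protect; every name, device ID and image byte is constructed.

```python
import hashlib
import hmac


def device_key(master: bytes, device_id: bytes, epoch: int) -> bytes:
    """Per-box, per-renewal key: data diversity plus renewability."""
    info = b"stb-image-key|" + device_id + b"|" + epoch.to_bytes(4, "big")
    return hmac.new(master, info, hashlib.sha256).digest()


def sign_image(key: bytes, device_id: bytes, image: bytes) -> bytes:
    """Head-end side: the tag binds the image digest to one box (node locking)."""
    digest = hashlib.sha256(image).digest()
    return hmac.new(key, device_id + digest, hashlib.sha256).digest()


class Loader:
    """Box side: verify the on-disk image, then re-verify the loaded copy."""

    def __init__(self, key: bytes, device_id: bytes):
        self.key, self.device_id = key, device_id
        self.memory, self.tag = None, None

    def _valid(self, image: bytes, tag: bytes) -> bool:
        expected = sign_image(self.key, self.device_id, image)
        return hmac.compare_digest(expected, tag)

    def load(self, on_disk: bytes, tag: bytes) -> bool:
        if not self._valid(on_disk, tag):          # static (on-disk) check
            return False
        self.memory, self.tag = bytearray(on_disk), tag
        return True

    def recheck(self) -> bool:
        # In-memory check, meant to be repeated while the application runs.
        return self.memory is not None and self._valid(bytes(self.memory), self.tag)


def run_demo() -> dict:
    master = b"constructed-head-end-secret"        # constructed sample value
    image = b"\x7fELF constructed basic-tier application image"
    box_a, box_b = b"STB-0001", b"STB-0002"        # constructed device IDs
    key_a1 = device_key(master, box_a, epoch=1)
    tag_a1 = sign_image(key_a1, box_a, image)
    results = {}
    loader = Loader(key_a1, box_a)
    results["genuine_load"] = loader.load(image, tag_a1)
    loader.memory[10] ^= 0x01                      # simulated runtime modification
    results["memory_change_detected"] = not loader.recheck()
    altered = image[:-1] + b"X"                    # simulated on-disk modification
    results["disk_change_rejected"] = not Loader(key_a1, box_a).load(altered, tag_a1)
    key_b1 = device_key(master, box_b, epoch=1)    # a different box
    results["other_box_rejected"] = not Loader(key_b1, box_b).load(image, tag_a1)
    key_a2 = device_key(master, box_a, epoch=2)    # renewal rolls the key
    results["old_tag_rejected_after_renewal"] = not Loader(key_a2, box_a).load(image, tag_a1)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because the tag depends on the device ID and the renewal epoch, a tag lifted from one box is useless on another and stops working after the next renewal, which is the "sub-set of users" property the paper attributes to diversity.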