Skip to main content

Not enough on OTT security at IBC

With the related themes of OTT, connected TV and TV Anywhere attracting top billing at the IBC conference, it is perhaps surprising that there is not much airtime seemingly devoted to the associated content security issues. This does not reflect lack of activity by the traditional pay TV security vendors, most of which are only too eager to peddle OTT versions of their products. But it does reflect concern among content owners, broadcasters and pay TV operators that deployment is rushing ahead of the security, and that any serious breach could set back OTT by putting off some of the big content houses.

The challenge is simple enough to state, being to replicate the level of access control and protection against piracy that currently exists in walled garden pay TV deployments where the end devices are managed and often owned by the operator. The network itself may be a managed IP or cable TV network, or satellite, with protection against content theft during transmission resting on encryption. Then at the CPE there is usually reliance on some hardware device such as a smart card to verify the identity of the subscriber. But at this point, within the STB, the content is decrypted and so some other security scheme is required for the final hop to the TV or other connected device for viewing. On such scheme that is widely deployed is HDCP, used for example over the HDMI, comprising a combination of authentication to prevent unlicensed devices from receiving content, encryption to prevent eavesdropping over the link, and key revocation to prevent devices that have been compromised and cloned from receiving data. Such schemes require the involvement of the display hardware, and it is possible in theory for this to be replicated in OTT or TV Anywhere.

But relying on hardware protection, whether via a dedicated external device or embedded in a system on a chip, would restrict the reach of an OTT service. One possibility would be so called "two-factor" security of the kind used by some banks for online access to accounts, requiring the user to know a passkey or PIN and possess a separate device. The user enters the PIN into the device, which generates a one-off passkey using an algorithm that is synchronised with the central security server. In this way, a shared secret is generated that immediately becomes extinct once it is used to set up a session or even just for an individual transaction such as making a payment, so avoiding any risk of theft of the key. Such a system of course imposes the inconvenience for the customer of having to carry and use this separate device, but it could be reserved just for controlling access to the most valuable premium content such as a blockbuster movie that has just come into the OTT release window or a major sporting event. In a similar way, some banking services requite the user to generate a one-off passkey only when making payments to new people.

Such systems may not be evident at IBC, but there will be plenty of interest in ways of deterring theft of content over OTT services, exploiting digital watermarking for example, which is encouraging early release. For example, digital watermarking is being used on a per VOD basis to mark content downloaded via the Home Premiere service involving Time Warner's Warner Bros, Sony, Comcast Corp.'s Universal Pictures, and News Corp.'s Twentieth Century Fox. This makes movies available at $30-$60 days after release, at present via DirecTV's service. However, watermarking vendor Civolution from the Netherlands, whose Nexguard prerelease forensic watermarking technology is used by Home Premiere, will be promoting this at IBC for OTT-based VOD services. The idea is that an imperceptible watermark in the video acts as a deterrent against content theft and provides movie studios with the assurance they need for now to deliver premium HD content on an early-release window.

But it remains to be seen whether digital watermarking or other measures will indeed prove to be secure enough in the longer term for premium content. This debate will create plenty of interest at IBC, with a number of the other vendors, such as Conax from Norway, announcing new versions of their content security technologies specifically for OTT.