Conax ensures Android TV is secure, ready for deployments

February 11, 2016 | Connected TV | John Moulding

Link to article

Conax, the content security specialist, is convinced we will see more Pay TV operators – notably Tier 2 and Tier 3 providers – using Android TV as the ‘middleware’ for their set-top boxes this year. They will be licensing Android TV and GMS (Google Mobile Services), meaning that Google Play will be included on the set-top boxes, providing a potentially rich source of apps for consumers to enjoy. Conax believes this is a great option for smaller platform operators who want Internet-style agility and rich functionality, all at relatively low cost, if they are willing to accept the Google-defined user interface rules and allow potentially competitive apps, like Netflix, onto their set-top boxes.

There is another approach to using Android for set-top boxes: Android Open Source Project (AOSP), which allows operators to develop a modified version of the operating environment that includes their own user interface. This is the path that Swisscom has taken with its Swisscom TV 2.0 platform. Swisscom is considered a Tier 1 operator however, with the resources to manage their own development project, and Tor Helge Kristiansen, EVP & Principal Architect at Conax, believes the T2 and T3 market will favour Android TV. “It is a very good option for them. Despite AOSP, we see operators who want to go with Android TV, the more open environment. This is not only for IPTV either – it is for any connected set-top box including cable and satellite.”

The problem with Android generally, and especially Android TV, is that this inherently open and feature rich environment exposes a set-top box to potential intruders at various points, which is why Conax has been implementing a content protection solution that completely separates the management of broadcast Pay TV video from what happens on the rest of the platform. The philosophy is simple enough: there are so many potential ‘holes’ in an Android TV environment you could never be confident of plugging them, so the only really safe approach is to firewall the video. Thus the Conax solution creates a trusted execution environment (TEE) for the video operations that runs in its own piece of hardware on a secure chipset, quite apart from the Android rich execution environment (REE).

Conax has been working with chipset vendors and set-top box developers to deploy this solution for premium broadcast TV on Android TV, and says we should expect to see something in the market in the first half of this year. Kristiansen predicts that it is possible to make an Android TV set-top box as secure as any other in terms of its content protection, although an Android STB may still leave operators more vulnerable to cyber attacks (like denial of service attacks) than they would be on a ‘proprietary’ middleware.

According to a Conax white paper, the trusted execution environment is a secure, integrity-protected processing environment inside the main processor (SoC), where both security sensitive operations are run, and sensitive data is kept separate from the rich execution environment that is connected to the Internet.

“STBs provided by Conax include a chipset with two separate environments in the hardware. All CA/DRM functionality is placed inside the TEE, and the solution is smart card-based. Apps can only access functionality inside the TEE via APIs,” the company explains. “The APIs decide whether or not a given app is allowed to make use of the functionality inside the TEE, and responds appropriately. This prevents malware from circumventing the APIs.”

Like in other Conax-certified chipsets, TV-related apps such as Live-TV and PVR access are in the form of Android (Java) apps that have a very thin API towards the CA libraries in the TEE. The API calls are securely dedicated for the TV-related apps. The calls will access the library layer in Linux user space, and for the CA functions they will be re-routed to the CA libraries in the TEE.

Meanwhile the Conax solution also implements Secure Media Pipeline, a requirement from MovieLabs for UHD/4K video that aims to ensure that content is protected at every stage of communication. “The Secure Media Pipeline further separates the plaintext content from any CPU access. Not even the TEE is able to touch the content itself,” Conax adds.

One of the main threats that this solution addresses is the possibility of attack via badly implemented or malicious apps found in the Android environment. “When you choose this open model then applications are not trusted and an application could be used to attack the Android framework and then attack the broadcast system,” Kristiansen explains. “That is the main security issue.”

There are other attack points that could be used on an Android set-top box including the mandatory support in Android TV for Bluetooth and the demands that it is always left on. Conax says this is a potential issue due to Bluetooth’s requirement for backwards compatibility. “The first version of Bluetooth had severe security problems, and exploitation of backward compatibility can allow an attacker to trick Bluetooth into using the less secure version,” the company explains.

It should be noted that for Bluetooth version 4.2 onwards, provisions have been made for running Bluetooth in a secure mode where full backwards compatibility is no longer an absolute requirement.

Conax reckons that Android Debug Bridge (ADB) – which allows you to communicate with an emulator instance or connected Android-powered device via Wi-Fi or a USB connector – is a potential security weakness, as well. So too is the Monkey framework that is used for user interface and application testing. “As with the ADB, it is possible for end-users to activate the Monkey framework. As a testing framework, those using it, including attackers, are able to gather information about the STB system, and it also acts as a way into the STB,” Conax says in its white paper.

Kristiansen reckons it would be quite scary to deploy a Pay TV service with these security weaknesses without the full hardware separation from the Android environment. The Conax points out that if you implement the content security properly on any Android STB, someone can ‘take the box down’ but they will still not get access to the Pay TV content.