“Housejacking” the next big threat to operators, warns Conax
“We have come to a point in time where something we call ‘housejacking’ is a very real possibility,” said Jahr. “The increasingly connected nature of everything we own – from refrigerators to home security systems to pay-TV services – has greatly widened the space in which hackers can operate.”

May, 2016: While most pay-TV operators are taking measures to protect their content, they do not always realize that pirates often have other goals for hacking than getting hold of content, Conax’ Executive Vice President of Product & Marketing has warned.

Speaking recently at TV Connect 2016, Tom Jahr told a busy auditorium that centralization due to the rise of the Internet of Things (IoT) makes hacking more appealing and, in turn, increases the need for effective security measures.

“While the refrigerator that tells you when you are out of beer and having a washing machine you can turn on and off from your office are great for the consumer, they are also a playground for hackers and organized crime,” warned Jahr.

A new playground for hackers and organized crime; “Housejacking’ – a real threat
With the number of ‘smart’ devices increasing in every home, we are also increasing the number of hackable IP addresses.

The main overall challenge is that the threats posed by these other forms of hacking attacks are generally less intuitive. That is, it is difficult for operators to see the big picture of how an attack can affect their operations.

Furthermore, while some high-profile incidents of connected device hacking have taken place, the incidents of attacks on operators are generally unknown or underreported and thus not a widespread enough issue in the pay-TV world to cause concern among operators.

Types of attacks through hybrid set-top boxes
Distributed Denial of Service (DDoS) attacks – whereby multiple compromised systems are flooded with traffic in order to target one specific system – are becoming a significant threat as hybrid set-top boxes (STB), highly attractive to be used as vehicles for a DDos attack in the connected home due to ‘always on’ status and internet-based services, are interlinked. By hacking one STB, you can use it to perform a DDoS attack on somebody else. Nearly half of 287 businesses surveyed between November 2013 and November 2014 had been the victim of a DDoS attack, and December 2014 saw one of the most notorious DDoS hacks to date, when Microsoft and PSN servers were attacked.

Ransom attacks can occur when hackers exploit unsecured hybrid STBs to install ransomware. One example of such an attack is where the invading software runs a program that encrypts files within a hybrid STB population and deletes the local keys. The hacker can then offer the key to resolve the issue to the operator for money. Ransoming has already affected some TV stations. In Australia, the ABC network was victim to a ransomware attack, forcing ABC News 24 to go off air for 30 minutes.

Other possibilities include blackout and blackmail attacks, where operators are threatened directly through the termination of their live broadcast for a period until a ransom demand is met, and data hijacking, where hackers take advantage of unsecure or poorly secured hybrid STBs to steal the end-user’s personal details.

While these may seem exaggerated and farfetched, these types of attacks are happening now and will become more common with the ever-increasing number of connected devices, continued Jahr.

“In a worst case scenario, everything with an internet connection can be compromised in a connected home,” he said. “Lights can be turned on and off, credit card details stolen from your devices, your webcam can be remotely accessed and even the electronic signature for your automatic garage can be replicated and used to gain access when you are not home!”
Anyone can be a pirate; easy to use tools are readily available

Pirating content in the past has been expensive and demanding due to the high levels of skill and advanced equipment required to break the strong content protection mechanisms used in broadcast operations. The amount of money and resource required to carry out an attack would need to result in huge gains in order for it to be worthwhile. Today, the situation is different.

“Nowadays, hacking connected devices such as hybrid STBs is easy and inexpensive – if not free – to carry out. Hackers do not even have to have a high level of knowledge about hybrid STBs to compromise them,” said Jahr. “Hacking kits and malware created by advanced hackers are available on forums for use by anyone who can follow a set of instructions.”

Don’t become the next target
Despite this somewhat frightening prospect, continued Jahr, securing content and more is not impossible for operators. Separation technologies can help secure hybrid STBs by preventing malicious apps and malicious software from attacking the security core of the STB.

As the hacks become more severe and frequent, it is expected that the general public’s interest in security will grow and, eventually, they will demand that IoT suppliers implement the necessary precautions to ensure that their private information is kept safe.

“Operators’ main focus is making their business models work to generate revenue, gain new subscribers, and reduce churn. This means that an operator’s core competence will probably not be security,” concluded Jahr. “Companies specializing in security, such as Conax, can help ensure that all of the security needs of any operation are being met, from content piracy protection to securing hybrid STBs against the attacks that come from unmanaged networks.”

Conax’ role in protecting the end-user
Conax has been focusing on the security issues of hybrid STBs since their introduction into pay-TV operations, with stringent testing and evaluation requirements to determine security level.

Conax also provides guidance to operators to analyze the entire end-to-end operation to ensure security needs are being met, report the potential risks in the operation, and advise on how to mitigate these security risks. Implementing these security processes and protocols in pay-TV operations provides a high level of security and sustains revenue for an operator’s business

Invitation
We’d like to invite you to read our comprehensive whitepaper on piracy for valuable insight on tech-savvy pirates looking to exploit vulnerabilities outside the traditional content security domain, using the operator’s client devices.


About Conax
A part of the Kudelski Group, Conax is a leading global specialist in total service protection for digital TV and entertainment services via broadcast, broadband and connected devices. The Conax Contego unified security hub provides telcos, cable, satellite, IP, mobile, terrestrial and broadband operations with an innovative portfolio of flexible and cost- efficient solutions to deliver premium content securely. Conax’ future-ready technology offers modular, fast-time-to-market solutions that enable easy entry into a world of secure multiscreen, multi-DRM content delivery and secures rights for premium content delivery to a range of devices over new hybrid network combinations. Headquartered in Oslo, Norway, ISO 9001 & 27001 certified Conax technology enables secure content revenues for 400 operators in 85 countries globally. For more information, please visit www.conax.com and follow us on Twitter and LinkedIn to join in the conversation.