Over the years, the cable television industry has endeavored to provide an ever-wider range of services to cable TV subscribers. The industry has ventured into digital video, voice and data to accommodate the growing demands of its client base. However, the launch of innovative solutions, such as operating the set top box (STB) via a mobile phone, recording shows at the click of a button, and online payment using handheld devices, has also increased the application attack surface available for hackers to exploit.
There are thousands of websites related to cable modem hacking alone. Application security is a serious concern, and hackers focus on extracting personally identifiable information (PII) of users at the subscriber end, as well as on backend processing applications. To address these application security concerns, a cohesive solution around a robust information security policy is essential.
A typical cable ecosystem has two major players – service providers and subscribers. If we hypothetically map the X.805 standard prescribed by the International Telecommunication Union to a cable network, the service provider spans the management and control plane, while subscribers can be placed at the end-user plane.
Figure 1. Cable infrastructure showing management plane and end-user plane
The service provider network comprises various network components, such as edge quadrature amplitude modulation (EQAM) and cable modem termination system (CMTS), that receive radio frequency signals. It interfaces with various underlying applications to deliver services. In the management plane, mediation, billing, operational and business support systems, end-user portals and content processing applications are deployed.
End user plane
On the end-user plane, STBs and cable modems receive signals from the service provider and deliver them to subscribers. Cable services are then accessed via digital TVs, smart phones, tablets, laptops, or desktops. This is facilitated by applications such as embedded operating systems, CAS/DRM applications for encryption and decryption or mobile applications for live TV, payment processing and other features.
Security threat vectors
Application security threats affecting the cable industry fall within the domains of content, device and user. Attacks on content processing applications or gateways can involve altering or stealing content. These attacks exploit misconfigurations, improper input validation checks, inadequate access control logic and lack of hardening of the application.
Applications deployed on STBs and cable modems can be manipulated to steal content and user data. Conditional access management (CAS) and digital rights management (DRM) solutions are deployed to protect the content using cryptographic techniques. However, once decrypted for consumption, the content is vulnerable to unauthorized access and distribution.
Application security threats include tampering with applications in terminal devices, which allows attackers to steal content or PII and also cause a device failure. Cable modems used as wireless access points are vulnerable to brute force and password hacking attacks.
End user security
On the management plane, portals or databases are hosted on the operator’s network, which may be used by subscribers for bill payments or on-demand video purchase. Attacks on these applications can expose customer credentials. Penetration attacks that obtain administrator privileges can hand over complete control of the system.
On the end-user plane, STBs or cable modems hold subscriber information. Applications for handheld devices, such as payment processing applications, store or carry subscribers’ sensitive personal data. While the majority of applications for handheld devices are developed in Java, non-secure programming logic in applications can lead to end-user data loss. Compromises also occur when hackers attack application data in transit, exploiting unsecured communication channels between the service provider application server and the mobile client. Subscriber data can be stolen if it is not encrypted. Even when it is encrypted, there is a potential risk of private keys being compromised if the algorithms are not secure.
Application security threats can be alleviated to a certain level by implementing security measures such as firewalls, intrusion prevention systems, and so on. However, a holistic approach to addressing application security threats is desirable, by designing and implementing appropriate information security controls that work in unison. The recommended best practices to address application security threats are:
- Implement content protection systems such as CAS and DRM.
- Design applications on terminal devices so that they do not transmit decrypted content through a user-accessible bus, storage or memory, and so that they require permission from the deployed content-protection solution.
- Store content protection keys used for decryption in a safe location accessible only by a built-in device cryptographic module.
- Provision terminal devices to detect, isolate and remove malicious codes or viruses.
- Make applications on terminal devices tamper-proof using code obfuscation, or a hardware security module (HSM) to store content keys.
- Follow a secure image download process (DOCSIS specification) and validate software images using digital signatures during installation.
- Harden cable modems being used as wireless access points.
- Use secure communication channels such as HTTPS/SSL for applications deployed on smart devices.
- Use FIPS-compliant encryption libraries such as Bouncy Castle and B-SAFE.
- Implement step-up authentication for financial transactions.
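One way to implement the step-up authentication recommendation for the bill payment and on-demand video purchase flows mentioned earlier, shown as an added example that is not part of the original article. The action names, time limits and `Session` structure are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy for illustration: action names and limits are assumptions.
FINANCIAL_ACTIONS = {"bill_payment", "vod_purchase"}
ROUTINE_ACTIONS = {"view_guide", "schedule_recording"}
SESSION_MAX_AGE = 8 * 3600   # seconds before a full re-login is required
STEP_UP_MAX_AGE = 300        # seconds a second-factor check stays usable


@dataclass
class Session:
    subscriber_id: str
    login_at: float
    # (time, action, amount_cents) of the last successful second-factor check
    step_up: Optional[Tuple[float, str, int]] = None


def record_step_up(session: Session, action: str, amount_cents: int, now: float) -> None:
    """Call only after the second factor (e.g. a one-time code) has been verified."""
    session.step_up = (now, action, amount_cents)


def decide(session: Session, action: str, amount_cents: int, now: float) -> str:
    """Return 'allow', 'step_up', 'reauthenticate' or 'deny'."""
    if action not in FINANCIAL_ACTIONS | ROUTINE_ACTIONS:
        return "deny"                       # default-deny unknown actions
    age = now - session.login_at
    if age < 0 or age > SESSION_MAX_AGE:
        return "reauthenticate"             # stale or clock-inconsistent session
    if action in ROUTINE_ACTIONS:
        return "allow"                      # primary login is sufficient
    if session.step_up is None:
        return "step_up"
    verified_at, bound_action, bound_amount = session.step_up
    fresh = (0 <= now - verified_at <= STEP_UP_MAX_AGE
             and verified_at >= session.login_at)
    # The second factor approves one specific transaction, not the whole session.
    if not fresh or (bound_action, bound_amount) != (action, amount_cents):
        return "step_up"
    session.step_up = None                  # single use: consume the approval
    return "allow"
```

Binding the approval to the action and amount means a second-factor check obtained for one payment cannot be replayed for a different one inside the same session.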
In addition to the above controls to mitigate application security threats specific to the cable industry, the following are the overall recommendations to address security at a holistic level:
- Follow secure SDLC as an institutionalized process.
- Implement access control solutions to identify, authenticate, authorize and provide accountability.
- Adopt application security assurance testing to provide actionable data for vulnerability validation and remediation efficiency.
- Operate a secure computing infrastructure to ensure confidentiality, integrity and availability of information.
- Enforce regular application security audits to ensure sustained compliance.
About the author: Sriram Gopalakrishnan is a senior security consultant with Tech Mahindra. He has 12+ years of experience in security compliance, information security assurance and security presales.
This was first published in November 2011