Where there’s video streaming, there’s piracy.
When pirates started siphoning video content from OTT streaming services over a decade ago by hacking their many vulnerabilities and common weaknesses, the barriers to entry were high: In order to illegally restream high-value content, they needed a high level of technological expertise and the means to set up expensive, complex labs.
But the times they are a-changin’. Piracy is now relatively easy. These days, one no longer needs to be a crack hacker to be a pirate, particularly given that piracy automation and setup services are so readily available. And it certainly pays off… at your expense.
All of us are aware of the prevalence of content theft. But based on discussions with myriad service providers, we at Synamedia realize that most aren’t fully aware of the many and varied ways that pirates obtain content. Moreover, we’ve discovered that streaming service providers often use ineffective tools in their efforts to defend against piracy.
Synamedia has been tracking pirates’ behaviour and modus operandi for decades, recognizing the shifts in piracy methodologies. At the same time, we’ve been auditing dozens of different OTT services and analysing the various mechanisms that pirates use to hack them.
In this blog series, we will describe the vulnerabilities that pirates repeatedly exploit with ease, as well as explore the futility of existing security mechanisms. We will also demonstrate how, with the right countermeasures, you can address all these vulnerabilities to protect your content and to thrive.
The bad news: Vulnerabilities galore
If you think having DRM is sufficient to protect your streaming video service, think again. Here’s a quick summary of the many OTT service vulnerabilities that pirates are exposing, and how they impact your business.
Hacking applications
Since streaming over the top (OTT) arrived, unmanaged devices like mobile phones, browsers and smart TVs have quickly become a target for exploitation. Once hackers tap into these devices, they can reverse engineer applications to impersonate legitimate apps and strip away DRM protections, thereby gaining service and content access.
Duplicating tokens
One part of the DRM encryption-decryption process involves a token-based negotiation between the platform back-end and client application that results in issuing a token for future service requests. These include proving user and device authentication, granting permission to access specific content (authorisation), and more. Tokens are hard to forge, but once a pirate duplicates one token to another device, your service won’t be able to distinguish between the two, enabling, for instance, any number of users to access your content via a single account.
Tricking your concurrency mechanism
OTT services typically limit the number of devices an individual account can stream concurrently. They usually do this by requesting that each client send, during streaming, a ‘heartbeat’ message to the service every few minutes. Pirates have no trouble hacking and bypassing concurrency mechanisms, enabling them to piggyback as many streams as they want onto the same account.
Stealing content directly from your CDN
While CDNs enable large-scale content distribution, they often lack protection, opening the door to pirate exploitation. A streaming service with basic protection can grant a CDN access token. And when the CDN validates the service, it may offer the client a CDN session token for use throughout the viewing session. But as we’ve seen with other types of tokens, pirates can easily duplicate both access and session tokens, enabling multiple clients to access the CDN freely.
Exposing common DRM vulnerabilities
Since there are only three predominant DRM systems – Google Widevine, Apple FairPlay and Microsoft PlayReady – content providers encrypt their content once, and then use each system to securely distribute keys to each device type. To service these systems, a multi-DRM system (mDRM) is required. mDRM deployments, however, are open to several vulnerabilities that pirates exploit. Some of them are related to DRM system breaches, enabling hackers to obtain encryption keys. Others are due to service providers not following mDRM best practices, making it much easier for pirates to exploit at scale.
The really bad news: Scripts make piracy scalable and easy
Before OTT, pirates had to rely on traditional methods for stealing content. That involved costly expenses, including equipment, lab space, electricity, and bandwidth. And the user experience they offered was typically inferior to what you and other providers consistently deliver.
All of that changed, however, once pirates targeted OTT services through scripts. Easy to use and obtain, these off-the-black-market-shelf programmes automate the exploitation of the OTT vulnerabilities described above, granting pirates unauthorised and undetected access to streaming platforms. Scripts essentially carry out two types of tasks – service hacking and DRM protection stripping.
Piracy, meanwhile, continues to evolve beyond, and because of, scripts. Today, pirates no longer have to be tech savvy and well-funded. They don’t need much time to set up shop. They have little concern over getting caught or even disrupted. And they can deliver the same outstanding experiences that you offer.
Hitting you where it hurts
With pirates now able to easily expose myriad OTT service vulnerabilities via scripts, it’s no wonder that piracy is impacting your business in many ways.
For starters, you’re losing subscriber revenue. Users are turning to cheaper services that offer stellar experiences – so stellar that many users, and even advertisers, don’t know they’re doing business with pirates.
Then there are higher infrastructure costs. By piggybacking onto your CDN, pirates not only steal your service, but also give you the “courtesy” to cover the added expenses.
And there’s damage to your brand. Some pirate services are so slick that users often think they’re using the brand’s service, which damages your reputation and prevents upsell opportunities.
Now for the good news
At Synamedia, our extensive experience and intelligence gathering have enabled us to understand not only the vulnerabilities that pirates exploit, but also how they do it. In response, we’ve developed a comprehensive anti-piracy solution, OTT ServiceGuard, to address these exploitations and keep your content secure.
Throughout the rest of this blog post series, we will explore in greater detail the different vulnerability areas outlined above, as well as the common defence mechanisms that providers deploy… and where they fall short.
In the meantime, if you want to find out more about OTT ServiceGuard and see it in action, meet us at IBC 2022 or book a demo.
About the Author
Nitsan Baider is a Director of Product Management at Synamedia. In his role he leads the development of new and innovative security solutions for streaming OTT service providers, taking them to market, and evangelizing them. Nitsan has spent many years in cyber security and has led several products in the past. He holds a B.Sc. In Mathematics and Computer Science from Tel-Aviv University. In his spare time, Nitsan enjoys playing piano.