Premium content is becoming an increasingly important differentiator in today’s media and entertainment industry and, as a result, content budgets for the biggest pay TV operators and OTT service providers continue to increase. Netflix’s most recent content budget was reported to have hit $13 billion, while the cost of rights for content such as Premier League football matches remains high. With the increasing value placed on premium content, properly securing it is absolutely paramount and pay TV operators are evolving their approach here.
In the quest for secure delivery of premium content amid an ever-evolving consumer device landscape, cardless conditional access (CA) systems are becoming the de facto choice for pay TV operators. This is because they can provide security as robust as smart cards while eliminating the cost and logistics associated with card management. However, to ensure proper security, the importance of the execution environment for the CA client on the secure chipset cannot be overstated.
One option an operator may consider is a TrustZone-based Trusted Execution Environment (TEE), which is available in a growing number of chipsets. A solid TEE implementation can provide a reasonably secure environment in which to execute the security-sensitive DRM logic and key handling for DRM clients. However, in common implementations today, a TrustZone-based TEE is not secure enough for cardless CA.
Complexity, limitations and security gaps
TrustZone is a security concept of the ARM processor architecture in which one CPU core is shared between the unprotected “normal” world and the secure “TEE” world. In addition, memory and potentially other I/O devices are shared in this concept. To ensure secure sharing that separates the two worlds, chipset vendors must implement the following to support the TEE:
- Complex hardware changes in I/O devices, interrupt controllers and memory controllers that strictly follow the ARM architecture.
- A software security framework that supports this architecture and accommodates the unique characteristics of their specific hardware.
In principle, these extra steps can be taken to secure a TEE. In practice, however, the complexity of implementing the hardware and software framework to securely share CPU, memory and I/O is extremely high, making it virtually impossible to do correctly. This means that we can expect a TEE to contain many vulnerabilities, caused by mistakes in the vendor implementation, for attackers to exploit. In addition, sharing CPU architecture components introduces vulnerabilities with broad and serious implications, as we saw from the Meltdown and Spectre attacks in 2018. CPU sharing is simply inadvisable when it comes to protecting high-security operations.
In contrast to a TEE, a dedicated secure execution environment is much more robust for protecting cardless CA clients. Its attack surface is significantly smaller because resources are not shared and are thus not exposed to the vast volume of threats, and it typically has additional security implementations such as a hardware root-of-trust, key ladders and/or other software protection mechanisms. For these reasons, a dedicated secure execution environment is critical to the overall effectiveness of a cardless CA solution, ensuring protection of premium content equivalent to what smart cards can provide.
TEE for DRM vs. cardless CA
DRM clients are typically implemented in a TEE, and this is acceptable because of how DRM works. DRM systems operate in two-way, connected environments, and DRM licenses are issued for specific content pieces to individual users. As such, any security breach due to a TEE implementation mistake can be easily identified and isolated, because the operator knows which piece of content is exposed to piracy and from which user ID. The operator can then take corrective actions to limit the damage, including denying new DRM license requests from the client in question until the situation is resolved.
In contrast to DRM, CA systems operate in one-way broadcast environments, where messages are delivered from a central CA head-end to the end-user devices. The CA head-end has no information about which CA clients are receiving the messages, or which content any client is accessing at any time. To support all viewers, it must assume all CA clients require access to all content they are authorized to view at all times.
If a CA client is implemented in a TEE, a breach in the TEE will cause far greater damage for broadcast content than DRM-protected content, as the CA client has authorized access to all content at all times. This means the compromised CA client would give the pirate access to all content it has rights for, instead of just a specific content piece authorized by a DRM license at a given time. What’s more, the CA head-end would not know about the breach because the communication is one way from the head-end to the client and a breach is therefore likely to go unnoticed for days or weeks.
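The difference in blast radius described above can be made concrete with a small model of the two entitlement flows. The following is an added toy simulation, not code from the original article or from any CA or DRM vendor; the server classes, user and channel names are constructed for illustration, and the DRM and CA message flows are simplified (per-content licenses logged at a server with a return channel, versus entitlements in EMMs and per-channel control words in ECMs with no return channel).

```python
"""Toy model of breach blast radius: two-way DRM licensing vs one-way broadcast CA.

Constructed example. Assumes a simplified DRM flow (each license request names a
user and a content item and is logged server-side) and a simplified CA flow
(entitlements pushed in EMMs, a control word per channel in ECMs, no return path).
"""
from dataclasses import dataclass, field


@dataclass
class DrmServer:
    """Two-way: every license request identifies the user and the content item,
    so the server can log it, trace a leak back, and refuse further requests."""
    issued: list = field(default_factory=list)   # log of (user_id, content_id)
    denied: set = field(default_factory=set)     # clients cut off after a breach

    def request_license(self, user_id, content_id):
        if user_id in self.denied:
            return None                           # containment: no new licenses
        self.issued.append((user_id, content_id))
        return f"license:{user_id}:{content_id}"  # stands in for a per-content key

    def exposure_if_compromised(self, user_id):
        # A compromised client can only expose content it was actually licensed for.
        return {c for u, c in self.issued if u == user_id}

    def head_end_sees_breach(self, user_id, leaked_content):
        # A leaked item is traceable to the user whose log entry matches.
        return (user_id, leaked_content) in self.issued

    def contain(self, user_id):
        self.denied.add(user_id)


@dataclass
class CaHeadEnd:
    """One-way broadcast: entitlements (EMM) and per-channel control words (ECM)
    go out to everyone at all times; nothing comes back to the head-end."""
    channels: set
    entitlements: dict = field(default_factory=dict)  # client_id -> set of channels

    def send_emm(self, client_id, channels):
        self.entitlements[client_id] = set(channels)

    def broadcast_ecms(self):
        # Every channel's control word is on air continuously, for all receivers.
        return {ch: f"cw:{ch}" for ch in self.channels}

    def exposure_if_compromised(self, client_id):
        # The compromised client holds keys for every channel it is entitled to.
        on_air = self.broadcast_ecms()
        return {ch for ch in self.entitlements.get(client_id, set()) if ch in on_air}

    def head_end_sees_breach(self, client_id, leaked_channel):
        # No return channel: the head-end receives nothing that identifies the leak.
        return False


def scenario():
    """Run both flows for one compromised client and report exposure/detection."""
    drm = DrmServer()
    drm.request_license("user-1", "movie-A")     # user watches two titles
    drm.request_license("user-1", "movie-B")
    drm_exposed = drm.exposure_if_compromised("user-1")
    drm_detected = drm.head_end_sees_breach("user-1", "movie-A")
    drm.contain("user-1")
    drm_after_containment = drm.request_license("user-1", "movie-C")

    ca = CaHeadEnd(channels={"sports", "movies", "news", "kids", "docs"})
    ca.send_emm("stb-1", {"sports", "movies", "news"})   # subscription package
    ca_exposed = ca.exposure_if_compromised("stb-1")
    ca_detected = ca.head_end_sees_breach("stb-1", "sports")

    return {
        "drm_exposed": drm_exposed,                  # only the licensed titles
        "drm_detected": drm_detected,                # traceable to user-1
        "drm_after_containment": drm_after_containment,  # None: requests denied
        "ca_exposed": ca_exposed,                    # every entitled channel
        "ca_detected": ca_detected,                  # head-end learns nothing
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The model shows the two asymmetries the text relies on: under DRM the exposure set is bounded by the licenses actually issued and the server can both attribute the leak and stop issuing to that client, whereas under broadcast CA the compromised client already holds the keys for its whole entitlement and the head-end has no signal that anything happened.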
For any pay TV operator looking to move from smart card CA to cardless CA to reduce operational cost, it is important to remember that optimum security requires both a robust cardless CA solution and a secure execution environment to protect the CA client. Operators making this step should ensure they have access to both and leave TEE to DRM clients only.