Is Your DRM Effectively Securing Your Revenue Streams?

Kingsmead Security Ltd is an independent content security consultancy serving the TV and film industry. Over the last few years, we have completed many commercial engagements reviewing the security of over-the-top (OTT) streaming services, and we have observed how Digital Rights Management (DRM) is deployed around the world in free, ad-funded and subscription OTT services.

The critical message from this post is that treating DRM use as a simple checkbox item for satisfying content licensing requirements may lead to a false sense of how effective the technology can be for protecting content and protecting service revenue streams.
When correctly applied, DRM technology is an essential tool to help protect content from unauthorised use. However, our experience has shown that DRM use is not always fully considered at a service-wide level, providing an excellent opportunity for a malicious attacker to gain unauthorised access to content.

This blog provides some basic guidance for improved deployment of DRM technology in commercial video services.

Introduction

There are three primary DRM systems in use for OTT content today:

• FairPlay – Developed by Apple and available on Apple products such as iPhone, iPad, Apple TV and Mac OS X.
• PlayReady – Development by Microsoft and available on a range of products such as Edge Browser, Xbox, Chromecast, Android TV, Smart TVs, etc.
• Widevine – Developed by Google and available on a range of products such as Google Chrome Browser, Android, Chromecast, Android TV, Smart TVs, etc.

• Content Encryption – The content is encrypted to ensure that the content is unplayable if stolen in transit or from storage. Authorised users are issued with a DRM license which contains the keys required to consume the content.
• Authorizing Access – A DRM license server is used to issue DRM licenses to devices associated with authorized service users. The license server should be setup to ensure that such licenses are only issued to valid devices and users.
• Enforcing Constraints – A DRM license can describe constraints on the use of the content key. For example, constraints include validity time periods, device security levels, and analogue/digital output protections.

These features are discussed in more detail below.

1. Content Encryption

Content encryption keys are used to encrypt content. When creating and using content encryption keys, it is important to:

• Use unique content encryption keys for each asset. If content encryption keys are shared, the leak of one key can unlock multiple assets.
• Use unique content encryption keys for different video profiles within an asset. In other words, use different keys for SD, HD and UHD resolutions. If keys are common across resolutions, a leaked low-resolution key allows higher resolutions to be decrypted. This is a real concern as low resolution content is often delivered to less secure devices, increasing the risk of key leakage. Further, high resolution content is often a premium product, increasing the impact on the streaming operator.
• For live assets, rotating keys at regular time intervals is also recommended. This forces regular requests for new DRM licenses, giving the streaming operator an opportunity to re-confirm that the user is entitled to continue playback.

2. Authorizing Access

DRM license servers are either developed internally by the streaming operator, or more commonly provided by a third-party multi-DRM vendor. Multi-DRM vendor servers issue licenses to the client devices if authorised to do so by the streaming operator. 

Multi-DRM vendor authorisation generally occurs in two ways:

• Pre-Authorisation via Tokens – When a client device requests access to a channel, the streaming operator approves the request and issues an authentication token back to the client device. The token is then passed by the client device to the multi-DRM vendor who validates the token and issues the DRM license.
• Real-time Authorisation via Callback – The client device requests access to the channel directly from the multi-DRM vendor. The multi-DRM vendor will send a request to the streaming operator (a “callback”) to confirm the request is from a valid device and user before issuing the DRM license.  

Regardless of the authorisation method, streaming operators need to carefully validate all requests in order to guard against malicious attack:

• Always validate the customer – Is the customer genuine? Is the customer account closed/blocked?
• Always validate the entitlement – Does the customer have access to this content?
• Always validate release dates – Is the content requested within its license date window?
• Confirm geo-location – Is the request from an IP address within the country of service? Is the content valid in this country
• Check for VPNs – Is the customer using a VPN to conceal their location?
• Check client capability – Check the DRM security level and HDCP support on the client device to ensure it is suitable for the content requested. For example:
  • UHD content – Generally requires hardware-protected DRM and HDCP v2.2 or above.
  • HD content – Generally requires hardware-protected DRM and HDCP v1.4 or above.
  • SD content – Software-protected DRM is acceptable and HDCP may be optional.

If tokens are used during the authorisation process, each token should be fully validated as follows:

• The token is from an approved source and has not been tampered (tokens should be signed).
• The token has not expired (time expiry or single-use expiry).
• Any customer identifier in the token matches the customer presenting the token.
• Any content identifier in the token matches the content being requested.

Some streaming operators may consider finer control over license delivery. For example, they may opt to block requests from certain device types or known/suspected malicious devices.

It is important to consider carefully how license requests are approved. Default configurations often leave services wide open to attack. Always configure the DRM license service to limit the risk of content leakage based on the unique requirements of the streaming operator.

Finally, always log DRM requests and the reason for accepting or rejecting the request. Log analysis can reveal suspicious DRM activity and allow post-mortem analysis in the event of content leakage.

3. Enforcing Constraints

Once the license is authorised, the DRM license server should create a license with appropriate constraints set. As noted above, streaming operators should not rely on defaults. Constraints will vary across services and assets but can be used to prevent common attacks such as screen scraping or HDMI recording. 

Constraints to consider:

• License validity period - Always specify an expiry time for licenses. Expiry times should be minimised where possible. For example, limit validity of on-demand licenses to the rental period (optionally add a grace period). Don’t have open-ended or extremely long duration licenses.
• Output controls – For many services, analogue outputs can be disabled. For digital outputs, ensure that the minimum HDCP version is set appropriately (at least HDCP v2.2 for UHD, v1.4 for HD). Don’t forget to consider other output types such as AirPlay.
• DRM Security Level – Where unique content encryption keys are used for different video profiles (SD, HD and UHD), ensure that an appropriate DRM security level is set for each profile. HD and UHD keys require hardware-protected DRM clients (PlayReady SL3000, Widevine level 1 or FairPlay), whereas SD keys do not.

Summary

DRM can provide protection against unauthorised viewing of content, but only if applied in a systematic way within the service delivery architecture. The guidance described above ensure that a basic level of protection is achieved for all services using DRM. For streaming operators carrying premium content, further steps may be required.

In summary, always:

1. Ensure that unique content encryption keys are used across assets and resolutions.
2. Ensure that DRM license requests are fully validated before licenses are released.
3. Ensure that DRM license constraints are set based on the unique requirements of the streaming operator.

About Kingsmead Security

Kingsmead Security Ltd is an independent content security consultancy serving the TV and film industry. We aim to support content owners, streaming operators and technology vendors protect movie, sports and other premium content. We specialise in consumer content distribution and deliver a range of auditing, testing and security consulting projects to our worldwide client base.

Brian Paxton founded Kingsmead Security in 2018, bringing over 25 years’ experience in the TV and film industry to the company.

www.kingsmeadsecurity.com