From Cable-TV Scrambling to Security: Simple Obfuscation Isn’t Enough

From Cable-TV Scrambling to Security: Simple Obfuscation Isn’t Enough

September 5th, 2018

By Lynnette Reese, Editor-in-Chief, Embedded systems Engineering

A Dutch company that’s been securing electronic content delivery for decades wants to bring its experience to IoT. Are pay-TV hackers all that different from hackers of IoT?

Irdeto (pronounced “Ear-debt-oh”) has been in the security business for around 50 years. Irdeto started out in paid television, creating conditional access via techniques like cable TV scrambling. The higher-end content was scrambled so that pay-TV operators could provide tiered levels of content to consumers. Later on, Irdeto expanded into security services covering a wide range of different technologies targeting media. In 2007, Irdeto acquired the Canadian start-up Cloakware to create a software-based security system. Irdeto is the leading conditional access vendor in the world today.

However, Irdeto sees tremendous opportunity to contribute to IoT security. A hacker doesn’t view their target as an elevator, car, or a control system; it’s just a computer. The hacking community is constantly sharing information about how a vulnerability translates to different operating systems, or different chipsets, and so forth. Irdeto has been tuned in to the hacker mentality for decades and can bring that knowledge into the IoT market.

Irdeto looks forward to applying decades of experience in securing electronic content delivery to securing IoT. I sat down with Irdeto’s Mark Hearn, Head of IoT Security, to discuss how Irdeto’s long experience with hackers makes a difference when dealing with IoT.

Figure 1: Major components and functionality of Irdeto’s Cloakware Software Protection solution for improving embedded security. (Image: Irdeto)

Lynnette Reese, (LR): How is the original mission of securing pay-TV delivery from hackers changed in the last four decades? What do pay-TV signaling and IoT have in common?

Mark Hearn, (MH): The first concern is security in both cases. By applying techniques to thwart hackers, Irdeto makes IoT more secure. We open up new business opportunities, new ways of doing business for customers launching into IoT so that they can take advantage of all the benefits of IoT. Think about an industrial control system. Inherently, some security has always been in place with proprietary OSes and chipsets. That kind of model has always been safer because it’s not connected to the outside world. But for the full benefits of IoT, they have to connect, which creates a new variable in an existing business, including the whole security aspect of it, and of what it means to be connected. This is where Irdeto gets involved.

LR: Would you say that you are more of a consulting company now? Or do you have a line of specific products or solutions?

MH: We have a list of products, and we also have a services division. We approach it from the perspective that we are the security partner of our customers. We want to help them understand the threats, the risks that they engage in with what they want to do, and how Irdeto can help them build a strategy. With long experience working with entertainment content, including large concerns in Hollywood, we can help them determine the right balance of investment-to-risk in a given release, and then how they can continually evolve so that they are staying ahead of the hacking community. Irdeto services can help with threat-risk assessments and identify the security requirements. Both Irdeto and partner technology can then be implemented or put into products to secure them. We also have a number of services, including monitoring the dark web and initiating forensics that identifies trends within the hacker community that may affect customers. Irdeto takes the view that security is an ongoing, everyday activity, like breathing.

LR: Are your products mostly software?

MH: While we do interwork with hardware security, we base much of our products around software that’s in the firmware or the application layer. And for any interaction between a device and the network, we would place some elements in the system to ensure that communication is secure. We do not work as much on the cloud side as we do on the edge, down with the devices. A hacker could take a customer’s machine, separate it from the network, reverse engineer it, and figure out what it does. Once they figure that out, how do they scale it across every other device? This is what we stop.

LR: What is Irdeto’s experience with hackers?

MH: Through the pay-media space, we have been in some pretty deep battles with hackers. After several years, we have figured out the hacker lifecycle and how they try to monetize it.

LR: How does that work?

MH: Any tampering or reverse engineering starts with analysis. It could be an analysis of timing at the hardware level or merely in software using debug tools. Hackers follow the flow of code, look at memory, and so forth. Irdeto starts by making that part of the process for hackers very difficult.

LR: How?

MH: Irdeto’s Cloakware® Software Protection (CSP) technology goes beyond simple obfuscation and analyzes the complete application code at a global level. By “simple obfuscation,” I mean that you take a finished binary and modify it a little bit. CSP induces algorithmic transformations to affect the code and even embedded data in a non-local fashion, entangling it all so that it’s much harder than simple obfuscation to reverse-engineer.

LR: Isn’t obfuscation a bit like taking all the pieces in a jigsaw puzzle box and throwing them up in the air, with one or more pieces hiding under the couch?

MH: Yes, but with simple obfuscation, reverse engineering can gather all the pieces of the puzzle, including the ones under the couch, and still put them back together. Cloakware Software Protection, instead of taking a binary and just jumbling it up, does things with the map at the very beginning, using algorithms. Continuing the puzzle analogy, you could say that CSP modifies how the puzzle looks before it’s ever printed. So even if a hacker can find all of the pieces, he still cannot put them back together again because they don’t make any sense. Only a legitimate user would be able to do it. We also offer technologies where CSP will even withhold “printing” some of the puzzle pieces until it is already executing and you know that it’s tamper-free.

LR: Setting aside the jigsaw puzzle analogy, what does CSP do?

MH: CSP is based on a random seed that you inject into the code at the beginning of the process. For example, someone could create C++ code and compile it, creating what we call a “clear version” that’s fully readable by anyone. With CSP, you put the “clear” code through the CSP tool, then compile it through the same compiler to produce a “cloaked” version. In this way, we build the security techniques into the source code from the beginning. CSP creates legitimate source code that is wholly mangled from a human point of view, but it’s mathematically linked together.

LR: And this doesn’t cause a problem for the compiler?

MH: There are some aspects that can cause the compiler to get a bit antsy, but we follow the same testing standards as all of the other compilers that are out there. We regularly test on par or better than what Visual Studio does with its test suite, its standardized compiler tests. CSP generates semantically correct C and C++ code based upon the original code.

LR: Can’t the code be logically vulnerable?

MH: Even if someone left a buffer overflow in his original source code, CSP would create a more secure buffer overflow. The beauty of it is that it would be effortless to discover in the original code–although it would still be a bug after CSP, it would be tough to find, thus difficult to exploit. If hackers try to inject anything, our code is so mathematically intertwined that it’s very brittle to change, and the program would break.

LR: What other kinds of tricks do you use to make it difficult for hackers?

MH: Besides CSP, we have several techniques built over 20 years for this kind of technology. We also perform many different binary methods after compilation, like checking to see if debuggers are running. We do binary checking techniques of the output at runtime to make sure that someone is not scanning memory while a device is running so that we know that someone isn’t using a debugger or that type of thing.

LR: Are these binary tools more of a bolt-on thing?

MH: Yes. In general terms, we have libraries that get linked to the binary. What happens is that while the program is executing, a binary is checking to make sure that code signatures have not changed and that a memory signature has not changed. We have an encrypted image to know if there is anything that could be changing during runtime, and we detect that.

LR: This type of security adds an extra step. What labor is involved?

MH: This adds an extra step to the production process. But the labor involved is reasonable for the protection you get. We recently did training with a new customer. Within the first afternoon, their guy was able to get a protected application out with blanket protection and nothing specific. But within four hours they had output fully integrated and ready to go. After that, they can customize based on the security strategy we worked out earlier—one founded on risk analysis.

LR: How do these products and technologies work?

MH: Cloakware Software Protection is a suite of advanced technologies, libraries, and tools that enable users to customize protection, whether on an application on a phone, or embedded in firmware, or on any device. It also allows renewable software security; an updated key can utterly re-jigger security. Cloakware supports C, C++, Swift, Web Assembly, JavaScript, iOS, Android, Linux, Mac OS X, Windows, and others. Another product, called Cloakware Secure Environment, uses CSP techniques to create a hardened OS that runs only the software that you specify, signs all binaries to prevent modification, encrypts certificates and resources, and protects the system with a hardware-rooted chain of trust.

LR: What type of products has Irdeto protected so far?

MH: Cloakware protects software and applications on more than five billion devices including PCs, set-top boxes, mobile handsets, portable media players, and more. Our pedigree has been built with Digital Rights Management (DRM), conditional access, defeating hackers on Blu-ray discs, and things like that. Media is probably one of the most hacked markets. Much of Irdeto’s success has been accomplished through battle-hardened experience, and we want to bring this experience to the IoT space.

Mark Hearn, Head of IoT Security, Irdeto.

Mark Hearn is the Head of IoT Security at Irdeto. He is responsible for leading Business Development strategies to secure organization’s IoT applications and connected devices. Mark has been with Irdeto since 2003, through Irdeto’s acquisition of Cloakware. Mark is a seasoned Product Management executive with 20 years of bringing technology and business requirements together to solve market problems, particularly within Media Entertainment and Security markets. In addition to being a product leader in the private sector, Mark has also provided Business Analysis security consulting into the Canadian government and has spoken at security conferences. Mark holds a Bachelor of Computer Science from Acadia University in Nova Scotia, Canada and has received certifications in Product Management, Technical Marketing and Strategic Marketing.

Lynnette Reese is Editor-in-Chief, Embedded Intel Solutions and Embedded Systems Engineering, and has been working in various roles as an electrical engineer for over two decades