For those in doubt about what constitutes piracy, Avi Wachtfogel, Senior Director of Security Strategy at Synamedia, lays it out in black and white and suggests ways to keep one step ahead of the pirates.
Actor Johnny Depp admits modelling the character of pirate Captain Jack Sparrow in the Pirates of the Caribbean films on legendary rock star and Rolling Stones’ lead guitarist, Keith Richards. With his eyeliner, dreadlocks, and over-the-top comedy acting, Johnny Depp brought plenty of rock ‘n’ roll swagger and glamour to the hugely successful swashbuckler film series.
In the films’ fictionalised historical setting, Captain Jack and his pirate crew are portrayed as loveable rogues – representing freedom from the ruling powers. But real-life pirates bear little resemblance to this image. Video pirates threaten and steal revenues from broadcasters and streaming service providers. And with billions of dollars at stake, it’s not surprising that video pirates want a piece of the action.
While beIN’s battle against beoutQ brought piracy in the MENA region into sharp focus, it is still very much a global problem. Today’s video pirates are increasingly sophisticated players who are continuously upping their game to exploit vulnerabilities at every link of the distribution chain. Parks’ latest report on video piracy calculates that consumers will access more than $67bn of pirated video services worldwide by 2023.
The Covid-19 pandemic has brought a surge in streaming as content-hungry consumers seek infinite entertainment at home; the closing of cinemas and theatres has seen a flood of new content on streaming services and some major film studios have opted to release films digitally.
And where there’s valuable content, there are pirates, siphoning off billions in revenue that rightfully belongs to content owners and services providers.
If only stamping out streaming piracy were as simple as spotting the skull and crossbones flag through a telescope! We take a look at the main ways in which piracy takes place today.
Take 1: Stealing content
There are two main ways for pirates to create their own copies of content from legitimate sources:
DRM bypass – Video protected by DRM is encrypted. By compromising or bypassing the DRM system, pirates can distribute content on file sharing sites soon after release. They can distribute exact replicas of original content either as files for download or stream the video from pirate sites.
Analogue/HDMI hole – This involves capturing the video from the output of a set-top box, PC, or other consumer device as it plays and re-encoding it to a file for onwards distribution. HDCP is used by HDMI connections to encrypt the output from STBs or PCs but is easily bypassed. Less sophisticated methods include using a screen capture application on a PC or a video camera to capture content directly from a movie theatre or TV screen.
Take 2: Stealing the service
But many pirates have their sights set on much bigger treasure than individual pieces of content – they want to gain access to a streaming provider’s full service. By impersonating a legitimate user or device, or using fake apps that mimic the real app but cleverly circumvent the authentication and authorisation mechanisms, OTT pirates can trick the DRM system into decrypting and displaying content.
The threats include credential abuse, which takes several forms: casual account sharing, where passwords are shared between friends or family members; swapping or pooling, where users with different service subscriptions swap their credentials so they each have access to the other services while only paying for one; phishing and credential stuffing, where pirates obtain the credentials of legitimate users without their knowledge and sell them on the dark web; and endless trials, where hackers take advantage of the practice of allowing subscribers to sign up for a free trial and generate a new identity at the end of each trial. In 2019, there were over 4.5bn credentials and passwords for sale on the dark web for as little as $4, with log-ins for a mainstream streaming service costing as little as $2.50.
There are other threats as well, including the bypassing of concurrency controls: systems that limit the number of concurrent devices or viewing sessions a particular user is able to access can often be bypassed to allow many consumers to use a single account. Then there’s token theft: once a user has logged on to a system, the application or web browser on the device uses tokens to identify the user to the CDN, and these tokens can be copied to other devices and used to illegally access content. Another threat is the key distribution attack. By working out the encryption key, a hacker can easily redistribute the key and allow others to access content directly from the CDN.
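As an added illustration that is not part of the original article, the sketch below shows one way a streaming operator could surface the token theft and concurrency bypass described above from CDN access records. The record fields, the stream limit, the idle window and the sample data are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (assumed fields, not a real CDN log format):
# (unix_time, account, session_token, device_id, client_ip)
SAMPLE_LOG = [
    (1000, "alice", "tokA", "dev-1", "198.51.100.7"),
    (1005, "alice", "tokA", "dev-1", "198.51.100.7"),
    (1010, "alice", "tokA", "dev-9", "203.0.113.50"),  # same token, new device
    (1020, "bob", "tokB", "dev-2", "192.0.2.10"),
    (1025, "bob", "tokC", "dev-3", "192.0.2.11"),
    (1030, "bob", "tokD", "dev-4", "192.0.2.12"),      # third live session
    (5000, "carol", "tokE", "dev-5", "192.0.2.20"),
    (9000, "carol", "tokF", "dev-6", "192.0.2.21"),    # earlier session long idle
]

MAX_CONCURRENT = 2   # assumed per-account stream limit
SESSION_IDLE = 300   # assumed seconds of silence before a session counts as ended


def find_shared_tokens(log):
    """Tokens presented by more than one device: a sign the token was copied."""
    devices = defaultdict(set)
    for _, account, token, device, _ in log:
        devices[(account, token)].add(device)
    return {key: sorted(devs) for key, devs in devices.items() if len(devs) > 1}


def find_concurrency_violations(log, limit=MAX_CONCURRENT, idle=SESSION_IDLE):
    """Accounts whose number of simultaneously live sessions exceeds the limit."""
    last_seen = defaultdict(dict)  # account -> {(token, device): last request time}
    peak = defaultdict(int)
    for ts, account, token, device, _ in sorted(log):
        sessions = last_seen[account]
        # Key on (token, device) so a copied token on a second device counts
        # as its own session instead of hiding behind the original one.
        sessions[(token, device)] = ts
        for key in [k for k, seen in sessions.items() if ts - seen > idle]:
            del sessions[key]  # expire sessions idle longer than the window
        peak[account] = max(peak[account], len(sessions))
    return {acct: n for acct, n in peak.items() if n > limit}


if __name__ == "__main__":
    print("shared tokens:", find_shared_tokens(SAMPLE_LOG))
    print("over limit:", find_concurrency_violations(SAMPLE_LOG))
```

Counting sessions per (token, device) pair rather than per token is what lets the same check catch a single login being replayed from many devices.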
Hackers sometimes have more sinister intentions than simply obtaining access to a video service. Once pirates break in, they leave the door wide open for others to commit cyber crimes. Streaming businesses are not only exposed to a loss of revenue but also have to pay for infrastructure costs to support non-paying users; liability for fraud expenses alongside expensive legal costs; loss of confidence from customers; and even a tarnished reputation.
Take 3: Hosting a rival service
Pirates make their service attractive to users by creating copycat services, complete with smooth user interfaces, apps, STBs, and even customer service departments to aggregate all the legitimate content they have stolen. Sometimes, the experience is so good that consumers don’t even know it’s illegal; in other cases, consumers choose the pirated service because they have access to a wide range of content in a single place. This is particularly true for live sports, with millions of people using competing pirate services to access live streaming services.
And action: Outwitting the pirates
Fighting piracy requires a multi-layered approach to security and solutions that go beyond content protection to demotivate pirates at every point along the video distribution chain. This requires using a robust CA or DRM system to ensure end-to-end content and key protection; hardening client devices against tampering and manipulation, and using watermarking and other technologies to detect and disrupt leaks; educating subscribers to use different credentials across multiple services; securing data centres to reduce the risk that the next data breach comes from the service provider’s network; using operational security services that combine AI technologies with human intelligence (including undercover investigators and cyber security, psychology, criminology, and sociology experts) to monitor and map the piracy supply chain and orchestrate anti-piracy activities and legal and technical takedowns; and lastly, working together to fight back.
Everyone, including CDN and cloud service providers, ISPs, payment providers, chip manufacturers, anti-piracy tool vendors, integrators, rights owners, streaming providers and legislators must cooperate to combat and outwit pirate plunderers.
Just as celebrity rock stars and actors attract hordes of fans, content is much too valuable booty for pirates to ignore – and they will not give up without a fight. But by keeping a close watch on the techniques of established pirate players and looking out for new pirate actors and methods emerging in the video landscape, we can keep the OTT ship sailing in trouble-free waters.