Telecom Security Testing on IP TVs:

A walk down Telecom Security Testing on IP TVs:

What is IP TV?

IPTV is one of the emerging technologies that provides IP-based digital TV, video-on-demand, and streaming services over the Ethernet.

A more enhancement over IP TV is the “Fiber to the Home” (FTTx) and “Local Loop Unbundling” (LLU) enhancement.

Most of the service providers offers this as a package which is referred to as triple play services including (Data, Voice and IPTV). The feature is served to home connections over a single broadband transmission medium.

On a quick note, it is useful to note the classification of IPTV services in the four broad types:

·         Live television/live media- With/without related interactivity

·         Time-shifted media: Catch-up TV (which allows replaying a TV show, start-over TV (replays the current TV show from its beginning);

·         Video on demand (VOD): browse and view items in a stored media catalogue.

·         Interactive applications: web browsing, games etc.

Let’s understand IP TV Architecture on a simplified diagram how the above discussed case of a single broadband line being leveraged

Image source: google

Elementary concepts of IP TV

• IP TV head-end: This is the part where live TV channels and AV sources are encoded, encrypted and delivered in the form of IP multicast streams.

•Video on Demand (VOD): On-demand video program are those which are stored and broadcasted as IP unicast streams whenever a user makes a request. An easy reference to related would be Netflix)

•Delivery network: The packet switched network that carries IP packets (unicast and multicast).

•Endpoints: Any end user equipment that can request, decode and deliver IPTV streams for display to the user including computers, mobile devices as well as set-top boxes.

•Home TV gateway: Equipment at a residential IPTV user's home that terminates the access link from the delivery network.

•User set-top box: Endpoint equipment that decodes and decrypts TV and VOD streams for display on the TV screen.

Architecture of a video server network

Two broad types of video server architecture that can be considered for IPTV deployment:

Centralized

All media content is stored in centralized servers, ruling out comprehensive content distribution system. This system is useful for small VOD service deployment needing only core and edge bandwidth with an efficient content delivery network (CDN).

Distributed

This offers greater bandwidth over centralized system for larger server network. The advantage of distributed architecture is it needs intelligent and sophisticated content distribution technologies to provide effective delivery of multimedia contents over the service provider's network

Protocols

IPTV covers both live TV (multicast) as well as stored video-on-demand/VoD (unicast).

Here streaming requires a broadband device to be transmitted to either a fixed or wireless IP network in the form of either over computers or limited embedded OS devices including smartphone, touch screen tablet, game console, connected TV or set-top box.

Video compression is provided by either a H.263 or H.264 derived codec, audio is compressed via a MDCT based codec and then encapsulated in either an MPEG transport stream or also as RTP packets or Flash Video packets for live or VoD streaming.

IP multicasting allows for live data to be sent to multiple receivers using a single multicast group address. H.264/MPEG-4 AVC is commonly used for internet streaming over higher bit rate standards such as H.261 and H.263 which were more designed for ISDN video conferencing. H.262/MPEG-1/2 is generally not used as the bandwidth required would quite easily saturate a network which is why they are only used in single link broadcast or storage applications.

In standards-based IPTV systems, the primary underlying protocols used are:

Service provider-based streaming:

A limited live multicast stream for TV channels and for changing from one live multicast stream to another (TV channel change).

This operates via IP multicast within LANs and WANs also. This operates via network core via Protocol Independent Multicast (PIM), setting up correct distribution of multicast streams (TV channels) from their source all the way to the customers who wants to view them, duplicating received packets as needed.

On-demand content uses a negotiated unicast connection. Real-time Transport Protocol (RTP) over User Datagram Protocol (UDP) or the lower overhead H.222 transport stream over Transmission Control Protocol (TCP).

Web-based unicast only live and VoD streaming:

Local IPTV, as used by businesses for audio visual AV distribution on their company networks is typically based on a mixture of:

·         Conventional TV reception equipment and IPTV encoders

·         IPTV gateways that take broadcast MPEG channels and IP wrap them to create multicast streams

Detailed IP TV Architecture:

Image source: Foundstone

Parallel systems in the IP TV architecture which includes:

Parallel systems in the IP TV architecture which includes:

1)      Content Source/ Delivery and Management Network

All devices, processes and networks that import and store video contents where sources include:
– Satellite
– RF
– Pre-recorded tapes
– Cable

2)      Home Network

All Customer Premise Equipment that connects to a consumer’s home network
 –Computer
 –Set-Top Box
 –Home Gateway
 –Game Console
 –Phone
 

Inlays for an attacker on IP TV:

·         Gain control of home networks

·         Attempt Service disruption

·         Spreading Worms, Trojans, virus

·         Take control of Broadcast Relays

·         Pirate content

·         Be a free TV or VOD user without subscription

Enter: Security Testing of IP TVs:

While on the similar level of Vulnerability Assessment and Penetration Testing, the below hybrid approach covers a consolidated view of the security testing areas for IP TV:

·         Network penetration testing

A thorough assessment for encryption protocols encompassing infrastructure of network devices, IPs, servers and communication devices.

·         Web application security testing

A penetration testing exercise revolving web application penetration testing for the applications hosting IP TVs for scenarios such as authorization bypass, authentication mechanisms, SQL injections, business logic test cases etc.

·         Device security testing

A focused security review on the device (set top box) related to encryption, transmission of data over network, authentication to network and its hardware configuration.

·         Software/firmware security testing

·         Set Top Box boot image analysis

Regarding set top box, the boot images are downloaded over TFTP servers, post which it gets registered via middleware servers. The channel access is regulated via IGMP Membership for receiving content. The devices can be managed via SNMP / Telnet.

How to access the device via SNMP/telnet?

telnet <IP of set top box> <telnet port>

Information which gets sent includes device PIN and account number.

Practical test cases include - Local Access Testing:
Plug in keyboard via usb and Enumerate command shell access

One interesting thing involves the limited memory of set top boxes and CPU resources. If multiple listener services are initiated, this may lead to Denial of Services

A closer look at IP TV Architecture:

Performing a security testing for IP TVs includes:

è Reviewing  Content Provider Security

·   Review configuration of Extranet and IPSEC Site-to-Site security review

·   Review the Remote Access Policies Review in terms of encryption, VPNs and Endpoint Security

·   Review login mechanisms along with Monitoring and Access Controls for Content Provider Administrators

è Service Layer Security

·   This involves set Top Box authentication and encryption mechanism review

·   GPON(Gigabit Passive Optical Network) architecture review and security risks review

·   VLAN security assessment

·   IGMPv2/v3 security issues

·   Head End presentation and middleware server security assessment – EPC, HMS, VoD

·   RTP and RTSP buffer overflow assessment (RTSP refers to real time streaming protocol to stream live content whereas RTP is a transport protocol which is used to transport media data which is negotiated over RTSP.)

è Transport Layer Security

·   Multicast Security and review of using IGMPv3

·   Review of Intrusion Detection and Prevention Security Systems at PoP sites

·   Checking Security zone and domain separation

·   RTP and RTSP traffic flow analysis (same as above)

è  Web Application Security Testing

·   Input validation test cases

·   Telnet/ SSH test cases

·   Weak account management

·   Scanning in the set top box IP address range

·   Enumeration of database server, middleware server etc

è  Protocol level attacks

·   Buffer overflow over RTSP (tampering URI schemes on “DESCRIBE” method to a abnormal chunk of data, getting buffer overflow on the Video on Demand server

·   Attacking TCP / IP Stacks- testing on bulk data of incoming traffic( such as aggressive port scans

So that’s it, a concise conceptual walkthrough on IPTV security testing which still has weak points around technology, deployment and processes.