Everyone hates paying for things. Especially if you don’t want the thing you just paid for. This could be an iPad, a voice line when you want ADSL or for your mother in law’s flight so she can come visit you on Christmas. This also happens when you subscribe to a pay TV service.
The NCC and CPA against DSTv and TopTV
At the end of October 2011 the National Consumer Commission (NCC) issued compliance notices to the operators of both DSTv and TopTV notifying them that they were in contravention of the new Consumer Protection Act (CPA). The NCC states the bouquet subscription model these services offer amount to bundling of services, which the CPA disallows in most cases.
This article makes the claim that “No DTH (direct-to-home) pay TV satellite operator in the world currently has the back-end technological infrastructure to organise and customise unique channel selection sign-ups to hundreds of thousands, if not millions of individual subscribers.” An interesting claim considering that these guys seem to be offering this exact kind of service.
It only takes a quick look at the comments on these articles, as well as the ones here, to know that individual channel selections is something that is greatly demanded by South African consumers. While this might be a case of the vocal minority doing what they do best, the idea behind individual channel selections is what my research is about. In this blog post I’ll try to explain some of the mechanics behind it.
Everyone loves pictures, right?
First thing to notice is that there are two pictures included in this blog, conveniently labelled figures 1 and 2. One of these figures is more complicated than the other. For a dry and long winded 1000 word explanation of what that figure is, click on it (hint: it’s a Set Top Box and how product entitlement is achieved). For the purposes of this entry you may safely ignore the first figure and concentrate only on the second.
Figure 2 illustrates the contents of a transport stream (TS). A TS is what your set top box (STB) is looking for when you get the ominous “Searching for signal at XYZ MHz” screen instead of the final exciting minutes of the sports match you were just watching. A TS contains various types of elementary streams as can be seen from the figure (you have looked at figure 2, right?). A TS can also contain more than one elementary stream of a certain type, also evidenced by the figure. According to the latest and greatest DVB-S2 factsheet, a TS in a satellite broadcast environment has about 60Mbps of bandwidth. This bandwidth is shared between all subscribers, unlike a cable or ADSL connection where each subscriber has their own 10Mbps of bandwidth. A SD video stream in a TS consumes around 2Mbps of that bandwidth and an HD video stream 10Mbps. Some quick and nimble mental arithmetic shows that a broadcaster can cram about 30 SD channels into one TS. Obviously this is not enough for some broadcasters and they then have to use more than one TS to deliver all the content they have to the subscriber. The catch is, STBs can only tune into one TS at a time. I will conveniently ignore those new STBs that allow you to watch more than one channel (because it suits my purposes to do so and they are not the norm everywhere). I have ignored talking about the two acronyms in figure 2: ECM and EMM. For information about the former, click figure 1. For the latter, continue reading.
Fun fact: the average amount of arms per person is less than two
Relevant fact: EMM stands for Entitlement Management Message. This is the message that contains all the information about which channels your STB has access to. It is also the reason that an STB being only able to tune into one TS at a time is a problem. If an STB can only tune into one TS, then it can only receive the EMM stream of that TS. If an EMM stream only carried the entitlement information for that TS then switching to a channel in another TS means the STB has to wait for an EMM in that TS to entitle your decoder. Considering I normally skip through every channel at least twice before settling on something to watch, this would be far from ideal. For this reason the EMM stream is the same for each TS the broadcaster uses.
EMMs are limited to 256 bytes. Because an EMM ES is chosen to be around 1Mbps, in a network of 3.5 million subscribers (like DStv has in South Africa), it would take 15 minutes of faultless transmission to broadcast a single EMM for each STB. That doesn’t sound too bad, right? Assuming that each channel is protected by a 128-bit AES key (oh, and look at this flash animation about AES, it explains the workings quite well), an EMM can at most contain 16 such keys. With a 128 channel bouquet 2 hours of faultless transmission is now needed to get these keys to everyone. A simple solution would be to simply increase the bandwidth of the EMM stream, but doubling the bandwidth it currently uses means that you are using the bandwidth of one SD channel per TS just to protect your content. Not really an attractive option.
A 2 hour switching time can’t be that bad, can it?
To answer this question, I’m going to refer to a Irdeto white paper. Irdeto is a subsidiary company of MIH who specialises in media content protection. Or more colloquially, they design the security system in your STB (among other things). A core component of this security system is the smart card. Each smart card allows a subscriber decrypt certain video streams in a TS. In their white paper entitled “Sustainable Device Security: Breaking the Hacker Business Model With Software Security ” they refer to the hacker business model:Commercial hackers exist because it is financially attractive for them to be in business: the benefits of a successful attack exceed the cost to develop and implement the attack. If a device manufacturer can make it difficult for hackers to have a sustainable business, the vast majority of hackers will focus their attention elsewhere.
From our earlier mathematical feats we know that changing the key for a single channel takes at least 15 minutes. Consider the case where you are broadcasting a live rugby match and you offer your subscribers the ability to buy viewing access to only that match and nothing else. A normal rugby match takes about 90 minutes from start to finish when ignoring all the pre and post match analysis, awards, and countless interviews. A hacker could see this as an economic opportunity to buy in to the match and then sell access to a live Internet stream to many more people at a lower cost. Now you find out about this scallywag and want to cut off his access. The problem is, he already has access to the key protecting the channel. Thus to deny him access you have to give everyone else a new key. This takes 15 minutes but is doable.
Not quite. All the hacker has to do is detect this re-keying of the channel and then at the last moment switch over to a second smart card. Since up to this moment the second card was seen as legitimate and thus received the new keys. Now you as broadcaster have to re-key every decoder again to cut off the hacker’s second smart card. This of course assumes that you can instantly link his stream to a specific smart card or STB. The hacker only needs six smart cards to successfully broadcast the entire match, not something that is prohibitively expensive to someone reselling a broadcast at a quarter of the original price.
“But this isn’t the type of broadcasts that DSTv sells! This case is not applicable!” you may shout. That might be true, but now the problem is, how does DSTv remove viewers who have stopped paying them? They have to re-key all the other decoders at the start of the month. This process takes 2 hours as we know, but when to start it? You only know who haven’t for the next month by the end of the month so that is when you start to send out the new keys. But what if I am on vacation for the last two weeks of said month and switched off my STB to conserve power? When I get back home after a 6 hour drive and switch on my STB to relax a bit, I now have to wait 2 hours for my STB to receive the new keys. This will leave DSTv with one not very happy customer.
Basically what this wall of text is trying to say, doing individual channel entitlements is not as simple as counting from 1 to 10.
So what is TataSky doing different from DSTv?
I am not exactly sure. Interesting enough, the cost of the best bouquet of both TataSky and DSTv are very near to what is considered the poverty line in each county. South Africa’s is R587 per month and India’s is Rs 7600 per year
DSTv currently offers around 10 different bouquets. Each bouquet can be seen as one large channel a viewer is subscribing to. This means that DSTv can get away with only including one AES key in an EMM and do a key update for every STB in 15 minutes. The cost of picking individual channels on TataSky is about 3 times that of picking the bouquets. The extra money can be used either to buy additional bandwidth for more EMMs but most likely serves as a deterrent for people to use this service. If few enough people use the service they can easily accommodate the extra few EMMs in what bandwidth they have.
There is also of course the entire economic argument behind the bouquets.
What am I doing about it?
My research is into ways on how to better utilise EMMs and their contents to do individual channel entitlements. And keeping the system secure against large groups of dishonest viewers pooling their resources. How exactly they can pool their resources is something I’ll talk about next time.
On a final note, you would probably have noticed that I have not used the word pirate in my entire discussion . This is because I believe applying this term to things in the digital domain is merely an attempt to garner a more emotional and serious response rather than accurately describing the illegality of the act.