April 24, 2017
At a SMPTE symposium on the Future of Digital Cinema, speakers addressed the “unknown” cyber threats to movie security. SMPTE vice president of education Richard Welsh, cofounder/vice president of Sundog Media Toolkit, identified threats beyond “the kid with a camcorder.” The audience also heard from Emile Monette, a government cybersecurity senior advisor and Ted Harrington of ISE (Independent Security Evaluators). The general consensus is that many companies fail to understand the way hackers work, leaving their content vulnerable.
Welsh noted that many studios and companies in media and entertainment don’t think beyond the most basic threat of a young person in a cinema filming a movie. “That isn’t your worry,” he said, reporting that a recent report said the average age of a hacker is 17. What he’s worried about are so-called script kiddies: 11-year old kids who, in five minutes on Google, can download a rootkit, which probes websites for vulnerabilities that its owners probably do not know exist.
“It’s easy to attack if you have a rootkit,” said Welsh. As to script kiddies themselves, he added, “they’re not looking for anything in particular but if they find your Web service or your movies, they’ll attack them.”
“They need no skills to do so,” warned Welsh. “So we need to think about teenagers with nothing better to do.” In another ploy, hackers focus on the hard disks that carry encrypted movies. Interested parties can often find them in the firewalls of cinemas. “They’re available in perfect digital form in a projection room in the middle of nowhere,” said Welsh.
Movies can also be hacked via satellite distribution, something that Welsh says, “Happens every day, particularly in the U.S.” Fiber networks can also be easily attacked.
He points out that although the hard disks are encrypted, clever hackers can spoof the destination. “I can make a site that looks like a digital cinema server,” he said. “And maybe you can engineer your way into getting a certificate. The studio issuing keys may give them to you, and no one will discover [the hack].”
Monette described some of the recent, scariest hacks: the Blue Phone hack, discovered in November 2016, in which 700 million inexpensive Android phones were found to have a backdoor that sent the users’ data daily to Shanghai.
Was that an example of a nation state hack? Ted Harrington said, not necessarily. “It does look that way but it’s hard to say,” he said. “It could be hackers re-directing blame.” Monette also mentioned the Operation BugDrop hack, in which the laptop microphone was used to eavesdrop on users. “The global supply chain and our increasing reliance of services rather than products is the heart of the problem,” said Monette. “Outsourcing has proven its merit and the prices are cheaper, but now we don’t see what’s happening in the supply chain.”
Harrington revealed the results of his company’s study on hospital hacks, to draw parallels to the media and entertainment business. “The findings of the research demonstrated that hospitals focus on protecting patient data without considering protecting patient health,” he said. “The key takeaway is to think about what your mission is.” He also pointed out that hackers don’t always attack the ultimate victim first, since they will commonly daisy-chain a group of victims.
“Get your own house in order,” advised Monette. “Do a basic assessment of cybersecurity in your business. Next, assess your third parties and make sure they have cybersecurity in place relevant to the content you’re protecting.”