Digital content providers seek to restrict usage by implementing conditional access. One such scenario is the security aspects of digital video broadcasting via satellite (DVB-S). There has been a history of attacks on this technology to circumvent any security measures and some techniques have been countered by the deployment of customized/provider specific receivers. However, this leads to a definitely fixed choice of provider. Hence, a plurality of equipments are necessary at the customer level for multi access of providers. Open satellite receivers have been introduced to allow a single user to access several different services/content providers from a single piece of receiver equipment. These boxes provide a highly configurable environment with software emulations of conditional access systems that is unfortunately open to abuse. The key factor of the security gap is that when an open receiver (even the proprietary one) comes into the possession of the user, it cannot be considered trusted. The user domain is an untrusted one and could be subject to standalone or colluded user attacks. The introduction of smart cards with a built-in processor into such receiver aims to provide a trust in an unsecured environment. It is believed that the answer lies in the smart card: this is the only trusted entity at the client end.
It is worth noting that the introduction of the smart card does not resolve automatically/absolutely all threats to security. Thanks to the flexibility, well modularized structure of the open receivers, fraudulent user can still compromise the system with the “unbreakable” security unit as in the follow. Fraudulent users with the legitimately subscribed card runs a Card Server on their reconfigured/hacked open receiver and listens for (illegal) client communication on a given port. In the Card Server, the conditional access is performed as usual for an authorized client thanks to the legitimate card. That is the Entitlement Management Messages (EMMs) and Entitlement Control Messages (ECMs) are processed by the famous “unbreakable” security unit (still left intact) that in turn decrypts and returns the control words to the descrambler to decrypt the content. By spying the communication between the descrambler and the security unit, the server can further carries out a mass distribution of the control word to its own clients, allowing clients (without subscription to the real content provider) to access encoded DVB programs. It is believed that this attack, namely “Sharing Card Attack,” or “Control Word Sharing,” will become central to the use of the open receivers in the present as well as in the future. It will affect the industry in the long run by siphoning at a steady rate the industry revenue and potential customers.
Admitting that conditional access never provides absolute security, digital content providers try to deploy the fingerprinting technique to insert automatically unique identification of the demanding user into the final content whenever it is consumed. With the assumption that the fingerprinting process was performed successfully, the tractability feature of the technique could discourage the illegal distribution of the content when the conditional access is defeated. The open receiver can again challenge the implementation of the technique. The inserting process can be circumvented such that the distributed content does not contain any identification at all. It is interesting to note that the fingerprinting technique may mislead the tracing process if it is not designed carefully. For instance, the user with the smart card that drives the Card Server—the primary fraud, i.e., the initial leaking source—may leave no trace on the broadcasted control work. On contrary, the clients who take advantage of the illegal transmission—they are actually the secondary (naive) frauds, i.e., the victims—can incidentally let the fingerprinting process insert their identification into the final consumable content. The primary fraud is never detected in such scenario.