In an electronic ecosystem that includes closed computing systems such as cellular phones, cable set-top boxes, or videogame consoles, a service provider may want to offer per-device services to each user. For example, a service provider may offer many different services and charge each user for each service the user elects to receive. If the service provider is able to individually identify each device in the ecosystem, it has a way to offer per-device services, e.g., different services for each device. In a specific example, a service provider such as a cable TV provider may provide different programming packages at different price levels. Two typical services in this example would be a basic programming service that includes basic content, and a premium tier service that provides additional movie channels. If the service provider can identify each device, i.e., a set-top cable box in this example, then the service provider can ensure that only a customer who pays for the premium content is able to receive it. In systems such as these, if the identity of a device that is authorized to receive premium content, and/or its service keys, can be shared with another device, then the services enabled on the first device can be duplicated on the second device. More specifically, if a user can obtain the secrets held in a device, the user could transfer some or all of those secrets to a second device.
To make this type of attack more difficult, the service provider can manufacture the closed computing devices to include encrypted memory regions that store the identity of the device and/or the service keys used to access the different content offered by the service provider. When a service requests a service key, the device decrypts the encrypted memory region with a key stored somewhere in the device and retrieves the requested information. While encrypting the device identifiers and/or service keys makes an identity theft attack more difficult, a determined individual can probably discover the keys used to encrypt and decrypt the memory regions. Once those keys are discovered, an attacker could copy the contents of the protected memory region from a first device (for example, a device authorized to receive premium content) to a second device, thereby enabling the second device to receive the premium content as well. Encryption by itself protects the confidentiality of the stored secrets; it does not bind them to the device that is supposed to hold them.
A service provider may attempt to frustrate attackers with various additional security techniques. For example, this type of attack can be made more difficult by changing the keys used to access content at predetermined intervals. In this example, a third party authority transmits new keys to the devices, thereby creating a moving target for attackers: an attacker could still obtain a key, but the key would only be valid for a short period of time. While this system works, it has drawbacks. First, it requires that a signing authority transmit keys over a network connection, where they can be intercepted. Second, the service provider may not be able to use any of this information as a root of trust, since it is constantly being updated from sources outside the device; the devices would therefore have to rely on other information to determine whether they have been tampered with. Additionally, in most operational implementations of this technique the service provider must maintain control over all of the services, because the keys are constantly changing: if the signing authority of the service provider changes keys, it has to update both the services and the devices to use the new key pair. Where the service provider does not control all of the services, it would have to transmit the keys to those services, where they could again be intercepted by attackers.
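The following is an added, runnable model of the two weaknesses described in the preceding two paragraphs: cloning an encrypted memory region once its key has been recovered, and key rotation over a network link the attacker can intercept. It is not code from the original text. The manufacturer-wide class secret, the per-device region-key derivation, the record layout (serial followed by service key), the HMAC-based toy cipher and every function and class name are assumptions made for the illustration, and the sample content strings are constructed.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

def derive_region_key(class_secret: bytes, serial: bytes) -> bytes:
    # Assumed model of the key "stored somewhere in the device": per-device, but derived
    # from a manufacturer-wide secret, so recovering class_secret yields every device's key.
    return hmac.new(class_secret, b"region|" + serial, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode cipher built from HMAC-SHA256 so the example needs only the
    # standard library; use AES-GCM or ChaCha20-Poly1305 in real code.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("blob does not verify under this key")
    return _keystream_xor(key, nonce, ct)

class ProtectedDevice:
    """Set-top box whose serial and premium service key sit in an encrypted memory region."""

    def __init__(self, serial: bytes, class_secret: bytes, service_key: Optional[bytes]):
        self.serial = serial
        self._region_key = derive_region_key(class_secret, serial)
        self.region = seal(self._region_key, serial + (service_key or b""))

    def premium_key(self) -> Optional[bytes]:
        return unseal(self._region_key, self.region)[len(self.serial):] or None

    def install_update(self, wrapped_key: bytes) -> None:
        # Legitimate rotation path: unwrap the new service key and re-seal the region.
        self.region = seal(self._region_key, self.serial + unseal(self._region_key, wrapped_key))

def rotate_service_key(class_secret: bytes,
                       entitled: List[ProtectedDevice]) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    # Head end picks a new service key and sends it over the network to each entitled
    # device, wrapped under that device's region key.
    new_key = os.urandom(32)
    transmission = [(d.serial, seal(derive_region_key(class_secret, d.serial), new_key)) for d in entitled]
    return new_key, transmission

def can_view(device: ProtectedDevice, content: bytes) -> bool:
    key = device.premium_key()
    try:
        return key is not None and unseal(key, content) is not None
    except ValueError:
        return False

def implant(class_secret: bytes, target: ProtectedDevice, service_key: bytes) -> None:
    # Attacker step shared by both attacks: re-seal a stolen service key under the
    # target's region key, which the recovered class_secret lets the attacker derive.
    target.region = seal(derive_region_key(class_secret, target.serial), target.serial + service_key)

def clone_region(class_secret: bytes, victim: ProtectedDevice, target: ProtectedDevice) -> None:
    """The attack in the text: decrypt the victim's region and move its service key."""
    record = unseal(derive_region_key(class_secret, victim.serial), victim.region)
    implant(class_secret, target, record[len(victim.serial):])

def intercept_update(class_secret: bytes, transmission: List[Tuple[bytes, bytes]],
                     victim_serial: bytes, target: ProtectedDevice) -> None:
    """Rotation only moves the target: the new key crosses the network wrapped under
    a key the attacker can already derive, so it is unwrapped and implanted as well."""
    for serial, wrapped in transmission:
        if serial == victim_serial:
            implant(class_secret, target, unseal(derive_region_key(class_secret, serial), wrapped))

def demo() -> dict:
    class_secret = os.urandom(32)  # manufacturer secret, assumed already recovered by the attacker
    service_key = os.urandom(32)   # current premium service key at the head end
    paying = ProtectedDevice(b"STB-000001", class_secret, service_key)
    pirate = ProtectedDevice(b"STB-000002", class_secret, None)  # basic tier, holds no key
    movie = seal(service_key, b"constructed sample: premium movie channel")
    results = {"before_clone": can_view(pirate, movie)}
    clone_region(class_secret, paying, pirate)
    results["after_clone"] = can_view(pirate, movie)
    service_key, transmission = rotate_service_key(class_secret, [paying])
    for _, wrapped in transmission:
        paying.install_update(wrapped)
    next_movie = seal(service_key, b"constructed sample: next interval")
    results["paying_after_rotation"] = can_view(paying, next_movie)
    results["clone_after_rotation"] = can_view(pirate, next_movie)
    intercept_update(class_secret, transmission, paying.serial, pirate)
    results["clone_after_intercept"] = can_view(pirate, next_movie)
    return results
```

Calling demo() returns, for each step, whether the device in question can decrypt the premium content: the second device fails before the region is copied, succeeds after, fails again once the service key rotates, and succeeds once more after the rotation message is intercepted and unwrapped with the same recovered secret. The model also illustrates why the rotated key material cannot serve as a root of trust: the device accepts whatever validly wrapped key arrives, and nothing in the region lets it tell a legitimate provisioning from an implant made with the same derived key.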