MY TAKE: Can Hollywood’s highly effective ‘source-code’ security tools help make IoT safe?

By Byron V. Acohido

Over the past couple of decades, some amazing advances in locking down software code have quietly unfolded in, of all places, Hollywood.


Makes sense, though. Digital media and entertainment giants like Netflix, Amazon, Hulu, HBO, ESPN, Sony, and Disney are obsessive about protecting their turf. These Tinsel Town powerhouses retain armies of investigators and lawyers engaged in a never-ending war to keep piracy and subscription fraud in check.

And over the years they’ve also financed security breakthroughs at the source-code level. These breakthroughs have not received much mainstream attention. What they have done is prove wickedly effective at tracking digital assets and preserving digital rights.

I recently had the chance to meet with Mark Hearn and John O’Connor, of Irdeto, a 50-year-old software security and media technology company based in Amsterdam that has been a leading supplier of source code tracking and fingerprinting systems for big media companies.

We met at Black Hat USA 2018, where Hearn and O’Connor came bearing a message about how these technologies, so heavily relied on by Hollywood, could play a starring role in shoring up the foundational layers of digital transformation — at the source-code level.

For a drill down on our discussion please listen to the accompanying podcast. Here are the big takeaways:

Making it too expensive

Irdeto’s suite of products helps set-top box manufacturers protect high-value content; its technology is also used by live sports broadcasters to deter hackers from siphoning off pay-per-view sporting events.

Irdeto’s Cloakware technology is a key component in these products. Cloakware accomplishes this at the source-code level, through mechanisms only a hardcore programmer would comprehend.

Here’s how Hearn described it for me: “Cloakware is a collection of techniques that make reverse engineering and tampering very, very difficult. The source code that contains critical algorithms is mathematically transformed at the compile stage . . . ultimately, what we do is make it very expensive for a hacker to be able to get in and figure out the source code.”

Of course, pirating still happens. But Hollywood has shelled out multimillions to support the advance of source-code security. The result: pirating, overall, has been driven down to a level that’s an acceptable cost of doing business.

“The beauty of Cloakware technology is that it is security that is built directly into the original source code,” Hearn told me. “So it is intertwined and incredibly difficult for anyone to try to pull it apart without actually breaking it.”

Protection scenarios

So how does this translate to other business verticals? Hearn pointed to the scenario of a small startup striving to build a business around a patentable software asset.

“Maybe he’s gotten some VC funding, but his whole livelihood depends on that patented algorithm remaining secure,” Hearn said. “We would actually integrate Cloakware into his source code and keep his idea safe from anyone else who might want to steal it.”

Another example Hearn cited was a company that deploys a unique version of an expensive industrial control system to several different factories. “That core software that runs in the factory would be something that we would keep someone from being able to steal,” he said.

In a business environment where DevOps, cloud computing and IoT services are proliferating, the notion of scrambling source code for every system, even every computing device tied into a network, is intriguing.

I asked O’Connor about this. He told me Irdeto is anticipating this shift and taking steps to capitalize; for instance, it recently upgraded Cloakware to work in several additional computing languages.

Here’s O’Connor’s take: “What we’ve really got here is an advanced way to protect critical business assets against reverse engineering . . . If you boil everything down, developers are building software applications and they need protections to stop people from tampering with their software, from inserting malware into the software stop, and from stealing intellectual property from that software.”

Baking in security

Hearn sees it this way: “Think about where some of the different IoT technologies are taking us. We are connecting a lot of our ecosystems that previously were protected because they were air-gapped from each other. But now we have IoT devices connecting into these ecosystems. And we have microservices that are being offered in an IoT platform. All of these different source codes are now reaching in and out of networks and ecosystems that were never meant to be connected.”

Irdeto and other suppliers of source-code-centric security systems are doing their part to improve delivery of source-code security technologies and tune them for wide, general use.

Hearn gave me a couple more scenarios: “It’s possible to cloak the source code you use to manage the cryptographic keys that connects up to the IoT cloud. Or you could cloak the source code of the computing device that a maintenance person uses to enter a smart building. This would help you make sure that the source code doesn’t become an attack point that lets someone get inside and provision a factory.”

It will be fascinating to see how quickly and pervasively source code security catches on, beyond Hollywood. This appears to be a promising approach. It holds potential for baking in security at a foundational level.


(Editor’s note: Last Watchdog has supplied consulting services to Irdeto)
