Shedding Light on the Echostar NDS Trial: Building Sustainable IP Protection against Hacking

By Amena Ali
Information Security Magazine
May 21, 2008

Echostar had accused NDS of hiring professional hackers to reverse engineer and break competitor Echostar's security subsidiary Nagrastar's conditional access system of smart cards which are used to protect Dish TV's subscription satellite content. To make matters worse, the hackers had posted Nagrastar's code on the Internet, allowing hundreds of thousands of people to access Dish content for free, causing an estimated $900 million in losses. Due to the depth and breadth of the hack, Nagrastar had to reengineer and replace all its smart card installations, at an estimated expense of over $90 million. The hack also undermined the company's competitive strength, allowing NDS a competitive advantage when the two companies were engaged in a bidding war for DirecTV's business. The final blow came with the conclusion of the courtroom drama of Echostar against NDS. The California jury found NDS guilty of hacking Nagrastar's conditional access system and violated some anti-piracy laws, but only awarded a nominal fee of $1500 as compensation for one hacked smartcard.

This saga provides vivid insights into the prevalence and sophistication of professional hacking and reverse engineering in the high-technology world today, the vagaries of relying upon legal defenses to protect intellectual property, and the need for strong and sustainable defensive technologies.

Reverse engineering, the method by which NDS engineers found the weaknesses in Echostar's conditional access system, is rampant, and according to NDS attorneys is both legal and routine. Given that reverse engineering is a tool to understand competitors' technologies, improving one's products, and defeating the competition, the leap to counterfeiting is not a large one. Dedicated departments of reverse engineering in markets like China routinely develop counterfeits of cutting-edge software powered products. Software hacking and piracy by professional hackers is growing and increasingly sophisticated, and the latest BSA/IDC global piracy report estimates worldwide losses in 2007 alone at $48 billion.

Protecting software-based intellectual property is critical to maintaining competitive positioning, protecting R&D investments, and preserving product line profitability. Whether you build software, consumer electronic devices, digital media applications, communications equipment, machine tools, automotive telematics or signal processing platforms, hardening applications to tampering, piracy and reverse-engineering is indispensable to maximizing software-powered businesses.

How to effectively harden applications? Many consider encryption the silver bullet to solving all security needs. Unfortunately, while encryption works perfectly for securing internet-based data transfer, it is utterly inadequate to protect software IP. Attackers will have administrative privilege over your application when they are hacking it, and discovery of the encryption key is simply a forced crash-and-memory-dump analysis away. Defense in depth is required, with multiple defense measures in addition to obfuscation and encryption, in order to increase the difficulty of hacking an application.

The key to successfully deploying and building a software protection solution is to ensure that it is sustainable. Sustainability combines three characteristics: durability, resilience and low impact. Durability refers to strength of a protection solution out of the gate, in terms of robustness against static and dynamic attacks. Resilience refers to the speed and security with which a breach can be patched. When a hack emerges, you must have a plan to manage it quickly, efficiently and securely. For applications where your product gates access to other assets - such as media DRM, conditional access, document control, and data security - you also need a channel to reliably and transparently patch all existing installations. Impact of your protection solution on your software development life cycle, from development through quality assurance to maintenance, must be minimal. Unless your security solution is easy to design and scale, fast to implement, friendly to quality assurance and transparent to honest users, it will die a quick death.

What are strategies to successfully achieve sustainability? Here are some key considerations in developing a sustainable IP protection solution:

Entrenched Defense. Elimination of single points of failure is a fundamental requirement for durable protection. If your solution at some point comes down to a single yes-no branch or an isolated cryptographic calculation, rest assured that a hacker will find and exploit this vulnerability. Security must be built using a range of state of the art anti-reverse engineering, anti-tamper, encryption and self-healing measures. These must be layered to protect the application and each other. Base layers should protect sensitive functions, while deeper layers should be closely intertwined with your internal system logic and functionality. They should be programmed to initiate either defensive or aggressive reactions, as appropriate to your application, if failure of lower layers is detected. The more unpredictable and unstable your application is in the face of attempted attacks, the more durable your defense will be.

Diversity.For a system to be widely hacked, it must be possible to create a scripted exploit that runs reliably on a large percentage of installed clients - this is called a class hack. Otherwise, it does not receive the popularity and sharing level it needs to become truly catastrophic.

Diversity implies creating functionally equivalent but structurally different application binaries, such that security-critical code and data does not definitively exist at a specific address or execute at a specific point of time. In turn, this ensures that a class hack cannot be created.

Diversity also implies that your underlying protection solution and specific protection scheme is unique to your application. This protects your IP from compromise by one-size-fits-all attack kits that exist for most one-size-fits-all security technologies.

Effective diversity significantly magnifies the durability of your solution.

Communication.You'd never toss a soldier into enemy territory without a phone link to base. Why would you do that to your software? The ability for deployed products to communicate with a home server provides an attractive channel to push new features and upgrades, and is generally accepted by end users. This also provides a crucial security hook - it allows you to reliably push renewal patches to clients, and (if you have the luxury of a two-way channel) allows early warning and traitor tracing forensic information to be relayed back to you.

Communication significantly ease the achievement of resilience. As a simple strategy, you can require that a device successfully communicate with your central server at least every N days, at every significant event such as new content purchase, or shortly after any suspicious system state is detected.

Rapid Reconfiguration.Hacking technology advances every day. Once an exploit is known, it is imperative to quickly restructure your protection to close the exploited vulnerabilities. Further, it is imperative to restructure significant portions of the protection strategy and execution logic to ensure that differential attacks cannot be used to reverse engineer your patch and quickly release another hack. Secure breach management is necessary to avoid a death spiral of ever shortening breach-patch-breach races between your development team and your attackers.

Breaches never come with a warning, and they seldom occur at a convenient time. To be sustainable, your security must be renewable without impacting ongoing development of new features and releases. It must also be renewable quickly, to contain the spread of the breach and minimize losses. In order for you to achieve resilient protection, your protection platform must provide binary-based, point-click breach management.

Leverage Hardware, Rely on Software.Hardware beats software hands down for securely storing data and executing cryptographic calculations. However, at some point data and logic is transferred back to software, and becomes vulnerable. Moreover, once deployed, hardware is static while software can be renewed and reconfigured. You should fully leverage hardware to maximize your durability, but plan to use software-based techniques to realize renewability. Otherwise, as Echostar experienced, your only option to deal with a break may be to replace every old smart card with a new one. This is not only expensive, but is disruptive to customers and can result in brand devaluation as well as competitive disadvantage.

With the prevalence of tampering, piracy and reverse engineering today, from both competitors and hackers, preservation of your intellectual property depends entirely on the sustainability of your protection solution. Durability is certainly an important factor, but renewability and low impact are key considerations as well. Ensuring that your solution is sustainable will in turn optimize your development resource utilization, maximize your revenue protection and minimize your total cost of ownership. On the flip side, your legal department may need to downsize.

About the Author

Amena Ali is Chief Marketing Officer for Arxan Technologies, Inc., a leading provider of application hardening solutions designed to protect software intellectual property (IP) from piracy, tampering, reverse engineering and any manner of theft.