How to Fight Video Piracy: Notes from a Real-Life Battle
Over the past four years, video streaming has grown into the default form of “watching TV,” with subscriptions reaching 1.1 billion worldwide at the height of the COVID-19 pandemic. According to Variety, streaming subscriptions are “cooling down from torrid growth rates seen in 2020 and ’21,” but are nonetheless still expanding.
Unfortunately, so is video piracy. After comparing January to September 2021 with the previous nine-month period, James Mason, CTO of MUSO — a company that globally tracks television, movies, software, and publications — said, “In many areas, piracy is still a growing problem, with an overall 16% increase.”
Akamai Security Research partnered with MUSO to create our State of the Internet Report on piracy earlier this year. MUSO’s data revealed 82 billion visits between January and September 2021 to piracy websites in the television and film industries alone. Add in music, software, and publishing, and the global total jumps to more than 132 billion visits. If these counts were related to malware infections, or a single data breach, they would be classified as one of the worst cybersecurity incidents on record.
Piracy is a cybercrime and needs to be treated as one
The size of the piracy threat is partly explained by its wide-ranging forms. Consider this high-level view of the range of cyberattack vectors, depending on whether the streamed content is live or on demand:
Live events and channel simulcast attack vectors
Tampering with video playback software or Android OS
Recording screens during playback or capturing during a screen-share session
Intercepting decrypted video using High-bandwidth Digital Content Protection strippers connected to set-top boxes
Using credential stuffing attacks to access and use legitimate viewer details
Tampering with video to defeat watermarking, such as re-quantization
Transporting video out of a given market using a virtual private network
On-demand attack vectors
Enterprise network breaches, which have resulted in the theft of user credentials, cryptographic keys, or video content
User identification theft from freelance and full-time staff providing access to video content through various systems
Recordings of physical assets (less prevalent now) for sharing and distribution
System hacks against various production systems providing direct access to video assets
Ripped content from legitimate sources
Cinema filming systems
Direct theft using impersonation attacks
Despite this slew of attack vectors, our piracy report — which, along with MUSO’s data, included data and observations from live sporting events streamed by an Akamai client — identified a few key takeaways. The first is that credential reuse and credential compromise play a big role in broadcast piracy. After that, it’s clear that broadcasters need to address API-based issues, including access controls and workflows. Finally, broadcasters can’t just focus on a single method of piracy, as criminals will layer their attacks across several attack surfaces (often at the same time) in order to confuse defenders and bypass restrictions.
What it takes to fight video piracy and win
Akamai’s video piracy reference architecture began as a response to one of our large media clients, a leading distributor of TV, film, and sports rights across multiple countries. Given the range of tactics employed by attackers and their ability to shift in response to defensive measures, our customer’s journey to curb piracy started with three principles as a foundation:
The anti-piracy solution must operate at scale and be capable of managing surging logins.
Real-time situational awareness across a range of possible attack vectors must operate at linear scale.
The anti-piracy solution must identify and remove pirate activity within minutes.
From this foundation, Akamai created its 360-degree security architecture (including video delivery, the player, landing page, credentials, watermarking, DNS, DDoS, and more), much of which was developed through extensive research into the attack surfaces targeted by content pirates. Some of that research happened in real time, during live-streaming events, which turns out to be a great, if stressful, incubator.
Reducing video piracy from 40% to 15% during one event
In 2020, during a sporting event in southern Asia, Akamai observed a wide variety of tools and techniques being used by malicious actors attempting to pirate the live stream. Those tools included:
User-agent spoofing against API endpoints. Pirates attempt to mimic devices or operating systems that might have delegated access. If the workflows for these devices (e.g., Apple TV, WebOS, Fire TV, etc.) are different, then the pirates will look to exploit them.
Rebroadcasting. Pirates share access to the live stream across a number of known social platforms, including Twitch, YouTube, and Facebook. These platforms quickly terminate pirated streams when they’re reported, but the pirates themselves just keep streaming from new accounts and/or locations.
HTTP replay against API endpoints. Pirated apps leverage a single user’s credentials in order to get multiple playback tokens. This leads to token exploitation: if the assigned tokens have a time to live longer than the event, the pirates will attack during nonevent times. Because the tokens are not bound to IPs, they can also be shared.
Modified Android packages (APK). Found on third-party app stores, modified APK files are repackaged versions of the original application. However, the protections and obfuscations used to protect access are bypassed using a number of techniques.
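The two token weaknesses named in the HTTP replay item above (a time to live that outlasts the event, and no binding to an IP) can be closed at issuance and validation time. The sketch below is an added example, not Akamai's code: an HMAC-signed playback token whose expiry is capped at the event's end and which is checked against the requesting address. The key, TTL ceiling, claim names and addresses are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # assumption: server-side signing key
MAX_TTL = 900                     # assumption: 15-minute ceiling per token


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()


def issue_token(user: str, client_ip: str, now: int, event_end: int) -> str:
    """Issue a playback token that dies with the event and is tied to one IP."""
    exp = min(now + MAX_TTL, event_end)  # TTL can never outlive the event
    if exp <= now:
        raise ValueError("event is over; no token issued")
    claims = {"sub": user, "ip": client_ip, "exp": exp}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()


def validate_token(token: str, client_ip: str, now: int) -> str:
    """Return 'ok' or the reason playback is refused."""
    try:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:  # wrong shape or bad base64
        return "malformed"
    # Verify the MAC before trusting any claim inside the payload.
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return "bad-signature"
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return "expired"
    if claims["ip"] != client_ip:  # replayed or shared from another address
        return "ip-mismatch"
    return "ok"


if __name__ == "__main__":
    start, end = 1_700_000_000, 1_700_003_600  # constructed event window
    tok = issue_token("viewer-1", "203.0.113.10", start, end)
    print(validate_token(tok, "203.0.113.10", start + 60))
    print(validate_token(tok, "198.51.100.7", start + 60))
    print(validate_token(tok, "203.0.113.10", end + 1))
```

IP binding also rejects legitimate viewers whose address changes mid-stream (mobile networks, carrier NAT), so it works best with short TTLs and cheap re-issuance.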
Our architecture worked on all of these fronts, and we were ultimately able to reduce piracy levels from 40% at the start of the event to 15% by the end (erring on the side of ensuring access by all possibly legitimate users). But in the heat of it all, attackers resorted to DDoS attacks against the API that was handing out the tokens in an attempt to overwhelm this process.
Their hope was that the provider would remove the token layer, thus triggering a fail open, which would enable them to continue pirating the stream. This was prevented with DDoS and web application firewall rules. However, the speed with which the pirates pivoted to different attack vectors was eye-opening. Luckily, with preparation and cybersecurity tools in place, we were able to keep up and prevent access for this broadcaster.
The event received 5.5 billion hits that triggered DDoS protection, of which 2.07 billion were mitigated — 3.4 billion of those hits triggered rules that were created for visibility and were logged in alert mode. In addition, there were 38 million requests that triggered application-layer protections, which were 100% blocked.
This is the good news: You can gain the upper hand on piracy of your video streams. But it’s a battle that requires an architecture built for the task. To learn more about Akamai’s approach to anti-piracy and securing your streaming content, visit our Broadcast Operations Command Center.