Lightspeed Ahead!

By Dan Cornell

I had the opportunity to check out Alan Weinkrantz’s Lightspeed IPTV setup today and I must say I was impressed.  For more information check out Alan’s SATechNews blog.

The UI was very well done – certainly better than my Tivo.  I liked the way that the current show playing never completely left the screen.  While I was searching for other channels to watch or on-demand movies to buy the current channel was always playing.  Very nice.

I did some crudimentary poking around as to how the service worked (sans-benefit of any technical documentation) and it looks like the service works on a combination of TCP and UDP multicast.  Very cool stuff if they can run three receivers from a single Lightspeed connection.  If they can make three HD connections work over the cabling allocated to a single house – fantastic!

If they are actually using multicast UDP to transfer the content it would be interesting to see what sort of encoding and encryption facilities they have included in the system.  If those weren’t well-put-together it should be straightforward for a reasonably technical attacker to pick them apart.  Given an understanding of the encoding and encryption protocols for the UDP packets an attacker could potentially:

  • Observe and snoop what another television in your household is watching
  • Store pay-per-view movies indefinitely and possibly convert the content to other, more portable formats
  • Force another television in your household to watch arbitrary programs

If AT&T has done a good job securing the service these things should not be possible.  I only looked at the service to a very cursory degree and didn’t really have a chance to formulate an opinion of how well they did.  And I am more of a (web) software security guy than a network and infrastructure security guy.  I am sure, however, that the attacker community will be watching and taking notes.  Hopefully AT&T did their homework.

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.