Downloadable Security and the Future of CableCARDs


Ralph Brown

Sep 10, 2015

The Downloadable Security Technology Advisory Committee (DSTAC) just released its final Report on August 31, 2015. A large number of companies (including CableLabs members) issued a joint statement regarding this Report. All of which naturally raises several questions, such as, what is DSTAC? What does the Report say? And what does it mean for consumers?

A little background first: the DSTAC was created as a result of the Satellite Television Extension and Localism Act Reauthorization (STELAR) bill that was passed in December 2014. Among other things, this bill included a repeal of the set-top box security integration ban on cable operators, also known as the CableCARD mandate. Under the CableCARD mandate, cable operators were not only required to supply CableCARDs to retail cable devices, such as TiVo DVRs, but they were also required to employ CableCARDs in all of their own set-tops, which increased cost and energy consumption, while adding no additional functionality or capability. This requirement was referred to as “common reliance”; that is, in order to ensure that CableCARDs worked properly, cable operators were forced to use the same security technology as retail devices. There were several cable operators and vendors that received CableCARD waivers, but the last NCTA report to the FCC on CableCARD deployment shows the dramatic impact of this regulation. This report states, “there have been over 617,000 CableCARDs deployed for use in retail devices by the nine largest incumbent cable operators. By contrast, those nine companies have more than 53,000,000 operator-supplied set-top boxes with CableCARDs currently deployed.” This means that only approximately 1% of the CableCARDs deployed are for retail devices; the rest are deployed in cable operator-supplied set-top boxes. That is some “common reliance” insurance policy!

Fortunately, with the passage of the STELAR bill, this integration ban expires in December 2015. This means that cable operators will no longer have to employ CableCARDs in their own set-tops. To be crystal clear, this does not mean that cable operators will no longer supply CableCARDs for retail cable devices; they have all committed to supporting retail CableCARD devices for the foreseeable future.

In addition to repealing the integration ban, STELAR directed the FCC Chairman to establish a working group of technical experts that represent the viewpoints of a wide range of stakeholders “to identify, report, and recommend performance objectives, technical capabilities, and technical standards of a not unduly burdensome, uniform, and technology- and platform-neutral software-based downloadable security system designed to promote the competitive availability of navigation devices in furtherance of Section 629 of the Communications Act.” Section 629 of the Communications Act addresses retail availability of “navigation devices.” DSTAC is this working group of technical experts from across Multi-channel Video Program Distributors (MVPDs: cable, satellite, telco, and fiber), consumer electronics manufacturers, and consumer advocates. Here is the list of DSTAC members.

One should recognize how daunting a task this was, given the diversity of technologies and architectures deployed across Multi-channel Video Program Distributors (MVPDs) and the fact that the committee had only nine months to generate this Report. As you can imagine, an enormous amount of work, representing millions of dollars of effort, went into the generation of the DSTAC Report. CableLabs played a leadership role in coordinating much of this activity.

Given all of this effort, what does the Report say? As directed by the FCC, the work was broken up into four Working Groups. Working Group 3 produced two security-related proposals, and Working Group 4 produced two proposals addressing non-security issues. The Executive Summary of the Report provides an overview of the DSTAC work.

The most important result of the Report is that there is no collective recommendation for any new FCC technology mandate. And, while the DSTAC report does not provide a consensus recommendation, there were several key points of agreement among the DSTAC members. As described in the Executive Summary, the key points of agreement include:

  • Recognition that “there is a wide diversity in delivery networks, conditional access systems, bi-directional communication paths, and other technology choices across MVPDs (and even within MVPDs of a similar type).”
  • “None of the proposals recommend a solution based on common reliance[1].”
  • Recognition that “it should not be necessary to disturb the potentially multiple present and future CA/DRM[2] system choices made by cable, DBS and IPTV systems, which effectively leaves in place several proprietary systems for delivering digital video programming and services across MVPDs.”
  • Conversely, recognition “that it is unreasonable to expect that retail devices connect directly to all of the various MVPDs’ access networks; rather they should connect via an IP (Internet Protocol) connection with specified APIs[3]/protocols, via the MVPD’s cloud and/or from within the home.”
  • Recognition “that it is unreasonable to expect that MVPDs will modify their access networks to converge on a single common security solution.”
  • Recognition “that the downloaded security components need to remain in the control of the MVPD.”
  • Recognition that “[i]t would not be a step forward or economically viable to require an environment in which a retail manufacturer would have to equip a device with RF tuners for cable and satellite, [and] varied semiconductor platforms, to support the dozen-plus proprietary CAS technologies that are currently in use.”
  • Recognition that “[i]t is not reasonable to expect that all MVPDs will re-architect their networks in order to converge on a common solution.”

So, given all this, what does the Report mean for consumers? What the Report does provide is an extensive overview of the current support of MVPDs for retail devices. A good example of this is the table below. Some amazing statistics can be extracted from this table and are presented in the Report.

  • The total number of retail devices in the US that can be served by an MVPD app is over 450 million devices
  • The percentage of these retail devices that can be served by one or more MVPD apps is 96%
  • The percentage of these retail devices that can be served by an app from all of the top 10 MVPDs is 67%
  • There have been over 56 million downloads of the top 10 MVPDs’ iOS and Android apps, and the number is growing every month

This means that, on average per household, there are almost twice as many retail devices capable of receiving MVPD content as there are MVPD-provided set-tops! Consumers can take comfort knowing that a wide variety of their retail devices can receive MVPD services.

| Retail Device | United States Units | MVPD Apps |
|---|---|---|
| Android phones[4] | 92,036,000 | All top 10 MVPDs[5] |
| PCs & Macs w/Broadband[6] | 85,358,000 | All top 10 MVPDs |
| iOS phones[4] | 71,449,000 | All top 10 MVPDs |
| Xbox 360[7] | 48,460,000 | 5 of the top 10 MVPDs |
| Android Tablets[8] | 43,260,000 | All top 10 MVPDs |
| PlayStation 3[7] | 29,160,000 | 2 of the top 10 MVPDs |
| iOS Tablets[8] | 23,730,000 | All top 10 MVPDs |
| Samsung TV[9] | 14,740,800 | 4 of the top 10 MVPDs |
| Vizio TV[9] | 12,151,200 | 0 |
| Apple TV[10] | 8,800,000 | N/A |
| Sony TV[9] | 8,764,800 | 1 of the top 10 MVPDs |
| PlayStation 4[7] | 8,650,000 | 2 of the top 10 MVPDs |
| Xbox One[7] | 7,790,000 | 2 of the top 10 MVPDs |
| LG TV[9] | 6,500,000 | 2 of the top 10 MVPDs |
| Roku[10] | 5,000,000 | 1 of the top 10 MVPDs |
| Chromecast[10] | 4,000,000 | 1 of the top 10 MVPDs |
| Total Number of Retail Devices | 469,849,800 | |

It is worthwhile to review this app-based approach. Writing device-specific apps is clearly the current trend for On-line Video Distributors (OVDs) such as Netflix, Hulu, YouTube, etc., and it is also the trend among MVPDs. In addition to writing device-specific apps for iOS and Android devices, MVPDs have also pursued approaches based on open standards from multi-stakeholder consortia, such as the Digital Living Network Alliance (DLNA), RVU Alliance, and the World Wide Web Consortium (W3C).

The following diagrams, taken from the presentation given by Mark Vickers, VP Software Architecture at Comcast, at the August 4, 2015 DSTAC meeting, describe the app-based approach.

DSTAC Blog Diagram


The figure above shows the various service providers, both MVPD and OVD, and the various layers in the solution. At the bottom are the hardware platforms utilizing System on a Chip (SoC) from various silicon providers such as AMD, Broadcom, Intel, etc. Above that are the Conditional Access (CA) or Digital Rights Management (DRM) providers that port their security solutions to the respective hardware platforms. Above this are the various Operating System (OS) or software platforms, including Android, iOS, Mac OS X, Windows, etc. Above this are the service provider (MVPD or OVD) applications that utilize the cloud services to provide the service to the consumer. Finally, at the top are the cloud-based services specific to each provider that support the respective service provider applications.

While this app-based model ensures that the service provider can take advantage of the latest features and capabilities of each new device, there is still room for broader reach. This is where new W3C specifications come into play.


DSTAC Blog Diagram2

The figure above shows how the W3C specifications for HTML5, Encrypted Media Extensions (EME), Media Source Extensions (MSE), and Web Crypto APIs provide a layer of abstraction from the underlying hardware, CA/DRM and OS platforms. The MVPDs and OVDs can write one HTML5 web app that runs across all platforms that support a compliant HTML5, EME, MSE, and Web Crypto implementation. As was noted in the Working Group 3 Report, not only do all of the commercial browsers support HTML5, EME, MSE, and Web Crypto APIs, but also all of the CA/DRM providers surveyed either plan to implement EME or already have EME implementations. Further, DLNA uses HTML5, EME, MSE, and Web Crypto APIs in its Remote User Interface (RUI), which is part of the DLNA VidiPath guidelines.
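The abstraction described above can be seen in how a single web app asks EME which CA/DRM the platform offers. This is an added example, not code from the DSTAC Report or from CableLabs; the key system identifiers, codec strings and the stub platform are illustrative assumptions.

```javascript
// Added example. Key system IDs and codec strings are illustrative assumptions.
const CANDIDATE_KEY_SYSTEMS = [
  "com.widevine.alpha",
  "com.microsoft.playready",
  "org.w3.clearkey", // Clear Key, defined by the EME specification itself
];

// What the app needs from whichever CDM the platform exposes.
const REQUIRED_CONFIG = [{
  initDataTypes: ["cenc"],
  videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
  audioCapabilities: [{ contentType: 'audio/mp4; codecs="mp4a.40.2"' }],
}];

// requestAccess is injected so the same logic runs in a browser and in a test.
// Returns the first key system the platform accepts, plus the ones it refused.
async function selectKeySystem(requestAccess, candidates = CANDIDATE_KEY_SYSTEMS) {
  const rejected = [];
  for (const keySystem of candidates) {
    try {
      const access = await requestAccess(keySystem, REQUIRED_CONFIG);
      return { keySystem, access, rejected };
    } catch (err) {
      // Browsers reject with a NotSupportedError DOMException.
      rejected.push({ keySystem, reason: err.name });
    }
  }
  const tried = rejected.map((r) => r.keySystem).join(", ");
  throw new Error("No supported CA/DRM key system among: " + tried);
}

// Browser wiring: the app never handles DRM secrets, only the EME objects.
async function attachProtection(video) {
  const { keySystem, access } = await selectKeySystem(
    (ks, cfg) => navigator.requestMediaKeySystemAccess(ks, cfg));
  await video.setMediaKeys(await access.createMediaKeys());
  return keySystem;
}

// Constructed stand-in for a platform that ships only the listed CDMs.
function makeStubPlatform(supported) {
  return async (keySystem) => {
    if (!supported.includes(keySystem)) {
      throw Object.assign(new Error("unsupported"), { name: "NotSupportedError" });
    }
    return { keySystem, createMediaKeys: async () => ({}) };
  };
}
```

Logging the `rejected` list per device model gives an operator a view of which CA/DRM systems its deployed client base can actually use.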

This app-based approach follows the latest trends on the Internet, using Cloud services, together with platform specific and/or Web apps to reach the broadest range of devices on which consumers demand their video be available. Importantly from a security perspective, it does not select a single security solution that can be targeted by hackers. And, from a marketplace perspective, it allows for competition amongst CA and DRM providers, while, at the same time, appearing basically seamless to the end user. Consumer device apps have become a competitive imperative, as MVPDs compete against each other and the growing number of OVDs in the market. As always, competition benefits the consumer.



[1] Common reliance is the concept that operator-supplied equipment uses the same security solution as retail devices to receive MVPD services.

[2] Conditional Access / Digital Rights Management

[3] Application Program Interface; a set of routines, protocols, and tools for building software applications.

[4] comScore Reports January 2015 U.S. Smartphone Subscriber Market Share, March 4, 2015

[5] Top 10 MVPDs – AT&T, Bright House, Cablevision, Charter, Comcast, Cox, DirecTV, DISH, Time Warner Cable, Verizon

[6] Computer and Internet Use in the United States: 2013 American Community Survey Reports, U.S. Department of Commerce Economics and Statistics Administration, U.S. Census Bureau, November 2014

[7] Platform Totals, VGChartz Limited, (accessed: 6/18/15)

[8] The State of the Tablet Market (accessed: 6/18/15)

[9] Majority of US Internet Users to Use a Connected TV by 2015, eMarketer, June 13, 2014; and Samsung, Vizio Control US smart TV market, Broadband TV News, March 10, 2014

[10] Streaming devices sales in the United States in 2014 (in million units), Statista Inc. (accessed: 6/18/15)

Ralph Brown is Chief Technology Officer at CableLabs.