Common attack modes used in the piracy ecosystem

Posted On

By Team ExpressPlay


In parts one and two of this series, we looked at the simultaneous growth of live streaming and live sports piracy. As shown by the scale of loss estimates, piracy ecosystem is a big business that leverages the same advances in streaming, asset management, advertising support, and other components of legitimate OTT operations. In this article, we’ll look at the various attack modes used in the piracy ecosystem, including: 

  • Skirting DRM protection 
  • Deceptive service facades 
  • Open software platforms 
  • Watermarking attacks 

How pirates skirt DRM protection

The least technically sophisticated approach to getting around the robust protection provided by DRM systems is also the one that’s most commonly employed by amateur thieves: using high-quality 4K TV displays and video cameras to record programming directly from their screen and retransmit it. 

More advanced methods used by professional pirate operations include the use of high bandwidth digital content protection (HDCP) strippers to pull video from HDMI links to TV displays. The output control setting in the DRM policies is used to enforce a required specific HDCP version by the end device connected to the HDMI link. But since older devices don’t support later versions of HDCP, then that could limit the content reach for the streaming service provider, and therefore the latest HDCP versions are not enforced at all times. Therefore, professional pirates rely on HDCP stripper devices to set up their piracy ecosystem operations. Not only can they feed the pirated  content to origin servers for distribution of live streaming, but there is next to no loss in quality compared to the legitimate service. 

Finally, in older devices without Trusted Execution Environment (TEE) or Secure Video Path (SVP) support, pirates can capture in-the-clear content from device memory as it awaits playback in the buffering process. Hackers can also use side-channel attacks to extract the encryption keys without breaking the Advanced Encryption Standard (AES) algorithms by using logic analyzers to read electronic waves or power consumption patterns. The latter kind of attack was more common when smart cards were used in set-top boxes as the receiver security component of one-way broadcast conditional access systems, and it also required advanced analysis equipment and knowledge.

Deceptive service facades 

The most successful approach pirates use is to run deeply discounted online services with linear portfolios, often with hundreds of channels. By aggregating content into multichannel streams with professional-quality EPGs, pirates can deliver a user experience that’s comparable to legal services — and steal their advertising and subscription revenue in the process. 

These illegal services organize the content into multi-language presentations, allowing them to reach an international audience. They add features and use interactive communications between clients and services to gain insights into device usage, and the popularity of their content offerings. Moreover, they often benefit from ad revenue generated by online ad networks that believe they are legitimate OTT service providers. 

Sometimes apps that offer pirate services also have legitimate offers at much higher prices, leading consumers to believe that the illegal sites are genuine competitors. Indeed, pirates have co-opted the “IPTV” label to the point that when people use such pirated sites, they think they are subscribed to legitimate IPTV services with a line up of television channels from major telcos.

The illegal streaming situation seems to be worse among Millennials. One study focused on Millennials between 18-35 in North America found that of the 53% who admitted to having used illegal providers to stream TV shows and movies, nearly two-thirds said that streaming seemed “less wrong” than downloading. A 2016 Google survey of 2,700 19-24-year-olds in the U.S. found that 25% of those who access pirated content think such activity is legal, and all think it’s culturally acceptable. 

The Kodi factor 

The most significant piracy ecosystem threat today comes from an open software platform that operates under the Kodi brand. Kodi is a completely legal initiative and can be installed on various devices to deliver a unified experience, similar to Chromecast or Apple TV, but without the restrictions imposed by those systems. Unsurprisingly, the ease-of-use and popularity of Kodi boxes translate to Kodi accounting for 95% of the illegal live consumption in North America. 

Kodi is used to facilitate access to illegally streamed content in two ways: 

  • Fully-loaded boxes. Consumers can buy fully-loaded Kodi boxes, or devices that are preloaded with Kodi software and plug-ins that can provide access to thousands of TV channels.
  • Add-ons. After downloading and installing Kodi, users download apps or “add-ons” from piracy ecosystem  sites that allow them to stream whatever content is offered from the site. 

It’s also possible to subscribe to M3U playlists, which direct Kodi-enabled devices to pirate IPTV sites. These playlists can be found through search engines, which can also be used to find instructions on how to download and use Kodi software to access pirated content. A simple Google search turns up articles with headlines like “Which is the best website for watching free live sports online?” and “How to Install TV Portal Kodi.” A study of online sports piracy ecosystem in Spain found that 78% of access to pirated content occurs through the use of search engines.

Professional pirates are also making use of YouTube Live and Facebook Live to post and generate stolen content. But, per the stat above, these efforts pale in comparison to Kodi-based activities and only account for 5% of illegal streaming. 

Attacks aimed at defeating watermarking 

In our blog post An Anti-Piracy Security Strategy for Live Sports Content, we discussed the principles of video watermarking as an essential tool in the battle against live streaming piracy ecosystem. Watermarking is an important complement to DRM, and the two work together to protect content before and after rendering on the viewer’s device. Further complicating matters is the fact that pirates are constantly coming up with ways to defeat the effectiveness of watermarks, even when undetectable. Recent approaches to attacking watermarking effectiveness include intermittent blurring, chopping off the top and bottom of the screen, and combining multiple streams of the same piece of content into a single stream through a process known as collusion. 

Another technique involves obscuring the source identity through direct penetration of the distributor’s client app. In such cases, the watermark remains intact but becomes associated with a phony ID. 


Now that we’ve covered some of the attack modes used in the piracy ecosystem, the need for an effective end-to-end content protection solution is abundantly clear. 

To find out more about the risks and opportunities of streamed content and how it will affect your business over the short to medium-term, read our in-depth white paper here. Stay tuned for part four of this series, where we dive further into the need for an effective content protection and anti-piracy strategy to battle live streaming piracy ecosystem. 


intertrust-expressplay-drm CTA Banner

Related blog posts



Posted on 27 Mar 2024

Mastering the tide: Protecting live streaming from the surge of piracy

Read more



Posted on 06 Jul 2023

Curbing account sharing: how service providers can preserve revenue

Read more



Posted on 30 Jun 2022

Six advantages of direct-to-TV broadcast content protection technology

Read more