Updated January 2008

© Dynamoo 2008
Blocking BBC iPlayer, 4OD and Sky-by-Broadband

BBC iPlayer - 14th January 2008

The BBC have recently been promoting their BBC iPlayer service which allows viewers to catch up on BBC TV programmes delivered to the PC via the Internet. This is a good thing, but for many corporate organisations it could be a potential nightmare. Why? Because the BBC iPlayer, and also the 4OD service from Channel 4 and Sky-by-Broadband (which is BSkyB's offering) are actually delivered via a P2P (peer-to-peer) application called Kontiki.

I'm assuming here that you work for a corporate IT department, although I have included links to various resources that are aimed more at end users. I'm also assuming that you regard P2P on corporate networks as a bad thing.

Legal implications

One fundamental question is: does the BBC iPlayer require a TV Licence? Surprisingly, the BBC say "no" in this blog item. In other words, it appears that it is not unlawful to view downloads using the iPlayer in a business with no TV Licence. That position may change in the future, so businesses should be cautious about long-term liability.

What is Kontiki?

Kontiki is a product of Verisign, a pretty well known company in the IT world. Instead of BBC (and 4OD, Sky) downloads coming from a central server, they are distributed through a network of "peers" - these peers are just ordinary PCs belonging to other Kontiki users. The advantage is that the BBC and its rivals don't have to pay for the massive amounts of bandwidth that the downloads take, and P2P downloads are often much quicker than downloads from a central server. The disadvantage is that if you use iPlayer, then your own PC becomes part of the content delivery service, and that service runs all the time.

What is the potential impact of using Kontiki?

As with any P2P application, the two key problem areas with Kontiki are security and bandwidth use.

Security

Let's talk about security first. All P2P applications have open ports that are accessible from the internet. Potentially, a remote attacker could exploit a flaw in the P2P application to gain unauthorised access to the machine running it, either through a vulnerability in the application itself or through an error in the way it is set up.

The good news is that at the time of writing, there are no reported vulnerabilities in Kontiki - and because the Kontiki configuration is handled by the BBC / 4OD / BSkyB then you should hope that the P2P configuration has been checked carefully. However, almost all internet based applications have some sort of security flaw, and it is vital to keep those applications up to date. Kontiki's update mechanism is not clear.

Bandwidth Use

On a home broadband connection, most consumers have a lot of bandwidth available to them. In a business, the bandwidth is typically shared across the whole organisation, and it's perfectly possible for a P2P application to have a severe network impact in that environment.

Generally speaking, most organisations ban the use of P2P applications on their corporate network. In terms of impact, Kontiki is no different from any other P2P application.

Blocking Kontiki

The good news is that if your corporate firewall is properly configured, then Kontiki will probably not work.

The BBC states that Kontiki uses the following ports:

  • 80 (http)
  • 443 (https)
  • 1947
  • 1948
  • 4000
  • 5000
  • 8888

Ports 80 and 443 are commonly used, but you would generally only see outbound traffic on them unless you are running publicly available web servers. Blocking 1947, 1948, 4000, 5000 and 8888 should typically be enough to stop Kontiki from working, if you haven't blocked them already.

According to research from strix.org.uk, the BBC iPlayer will make an initial connection to a site in the iplayer.bbc.co.uk subdomain, which might be worth blocking as well.
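To see which client PCs are already talking to Kontiki peers (and whether the firewall is letting that traffic through), the port list and the iplayer.bbc.co.uk subdomain above can be turned into a simple check over firewall log exports. This is an added example, not code from the original article; the log format, the host names and the IP addresses are constructed for illustration.

```python
"""Flag outbound connections matching the Kontiki port list and the
iplayer.bbc.co.uk subdomain in constructed firewall log lines."""
import re
from collections import Counter

# Non-web ports the BBC lists for Kontiki. 80/443 are left out because
# blocking or alerting on them would hit ordinary web browsing.
KONTIKI_PORTS = {1947, 1948, 4000, 5000, 8888}
IPLAYER_DOMAIN = "iplayer.bbc.co.uk"  # exact host or any host under it

# Hypothetical firewall export format (constructed for this example):
# <timestamp> <src_ip> <dst_host_or_ip> <dst_port> <proto> <action>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (tcp|udp) (allow|deny)$")

# Constructed sample log: one PC reaching peers on Kontiki ports, one
# reaching the iPlayer subdomain, and ordinary traffic as a control.
SAMPLE_LOG = """\
2008-01-14T09:01:02 10.1.2.33 www.bbc.co.uk 80 tcp allow
2008-01-14T09:01:05 10.1.2.33 host.iplayer.bbc.co.uk 443 tcp allow
2008-01-14T09:01:09 10.1.2.33 203.0.113.10 1947 tcp allow
2008-01-14T09:02:11 10.1.2.33 203.0.113.11 8888 tcp deny
2008-01-14T09:03:40 10.1.2.57 192.0.2.20 4000 udp allow
2008-01-14T09:04:00 10.1.2.58 mail.example.com 25 tcp allow
""".splitlines()

def classify(line):
    """Return a hit record for a Kontiki-related line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, not flagged
    ts, src, dst, port, proto, action = m.groups()
    port, host = int(port), dst.lower()
    reasons = []
    if port in KONTIKI_PORTS:
        reasons.append("kontiki-port")
    if host == IPLAYER_DOMAIN or host.endswith("." + IPLAYER_DOMAIN):
        reasons.append("iplayer-host")
    if not reasons:
        return None
    return {"time": ts, "src": src, "dst": dst, "port": port,
            "proto": proto, "action": action, "reasons": reasons}

def report(lines):
    """Summarise hits, hits per source PC, and hits the firewall allowed.
    Allowed hits are the ones showing a port or host not yet blocked."""
    hits = [h for h in map(classify, lines) if h]
    return {"hits": hits,
            "hosts": Counter(h["src"] for h in hits),
            "allowed": [h for h in hits if h["action"] == "allow"]}

if __name__ == "__main__":
    for h in report(SAMPLE_LOG)["allowed"]:
        print(h["src"], "->", h["dst"], h["port"], h["reasons"])
```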

Removing / Disabling Kontiki

Removing iPlayer (or one of the other on demand applications) does not remove Kontiki, so it is possible that the client PC can still be connected to the Kontiki P2P network.

Kontiki runs as a service called KService on the client PC - this can be fairly easily disabled in the control panel, or if you're using Active Directory then it might be possible to do this with a Group Policy Object (GPO). PC Doctor has an article on how to remove Kontiki manually.

Alternatively, the BBC have an application called KClean which can be downloaded from their site. This should remove Kontiki completely.

Our Recommendations

We do not believe that the BBC iPlayer and other Kontiki-based applications are suitable for use within a business. The obvious bandwidth issue aside, the most worrying aspect is the security of the application.

Imagine the following scenario: a laptop user requests a Kontiki-based application for use on their laptop while out travelling so that they can catch up with TV programmes while they are away from home. Your corporate firewall is configured to block Kontiki, so it will only work outside your corporate network. This seems like a reasonable request - but the laptop will still be vulnerable to any security vulnerabilities in Kontiki that may appear (and it is likely that given time there will be some flaws discovered). The machine then becomes infected, and at some point the user reconnects to the corporate network with the infected machine - causing a security breach.

The fact that the Kontiki P2P service runs all the time can be a problem too. Here's another scenario: a field-based user has a Kontiki-based application installed on their laptop. Sometimes they will connect to the corporate VPN using a 3G data card or Bluetooth connection - the Kontiki application then uses up all their data allowance and makes your company liable for some extremely hefty data billing.

So, we feel that not only should you not allow the BBC iPlayer (and other Kontiki-based applications) on your corporate network, but you should also ensure that they are not installed on any corporate laptops either. Of course, if your users want to install it on a home laptop or desktop then it is entirely up to them.

If you have any comments or tips, why not post them to our blog?

Further Reading
