Blocking BBC iPlayer, 4OD and Sky-by-Broadband
14th January 2008
The BBC have recently been promoting their BBC
iPlayer service which allows viewers to catch up
on BBC TV programmes delivered to the PC via the Internet.
This is a good thing, but for many corporate organisations
it could be a potential nightmare. Why? Because the
BBC iPlayer, and also the 4OD service from Channel 4
and Sky-by-Broadband (which is BSkyB's offering) are
actually delivered via a P2P (peer-to-peer) application
called Kontiki.
I'm assuming here that you work for a corporate IT
department, although I have included links to various
resources that are aimed more at end users. I'm also
assuming that you regard P2P on corporate networks as
a bad thing.
Legal implications
One fundamental question is: does the BBC iPlayer
require a TV Licence? Surprisingly, the BBC say
"no" in this blog
item. In other words, it appears that it is not
unlawful to view downloads using the iPlayer in a business
with no TV Licence. That position may change in the
future, so business should be cautious about long-term
liability.
What is Kontiki?
Kontiki is a product
of Verisign, a pretty well known company in the
IT world. Instead of BBC (and 4OD, Sky) downloads coming
from a central server, they are distributed through
a network of "peers" - these peers are just
ordinary PCs belonging to other Kontiki users. The advantage
is that the BBC and its rivals don't have to pay for
the massive amounts of bandwidth that the downloads
take, and P2P downloads are often much quicker than
that from a central server. The disadvantage is that
if you use iPlayer, then your own PC becomes part of
the content delivery service, and that service runs
all the time.
What is the potential impact of using Kontiki?
As with any P2P application, the two key problem
areas with Kontiki are security and bandwidth
use.
Security
Let's talk about security first of all - all P2P
applications have open ports that are accessible via
the internet. Potentially, a remote attacker could exploit
a flaw in the P2P application to gain unauthorised access
to a target machine - either through a vulnerability
in the application itself, or an error in the way it
is set up.
The good news is that at the time of writing, there
are no
reported vulnerabilities in Kontiki - and because
the Kontiki configuration is handled by the BBC / 4OD
/ BSkyB then you should hope that the P2P configuration
has been checked carefully. However, almost all internet
based applications have some sort of security flaw,
and it is vital to keep those applications up to date.
Kontiki's update mechanism is not clear.
Bandwidth Use
On a home broadband connection, most consumers have
a lot of bandwidth available to them - in a business,
the bandwidth is shared between typically the whole
business, and it's perfectly possible for a P2P application
to have a severe network impact in that environment.
Generally speaking, most organisations ban the use
of P2P applications on their corporate network. In terms
of impact, Kontiki is no different from any other P2P
application.
Blocking Kontiki
The good news is that if your corporate firewall
is properly configured, then Kontiki will probably not
work.
The BBC states
that Kontiki uses the following ports:
- 80 (http)
- 443 (https)
- 1947
- 1948
- 4000
- 5000
- 8888
Ports 80 and 443 are commonly used, but you would
generally only see outbound traffic unless you
are running publicly available web servers. Blocking
1947, 1948, 4000, 5000 and 8888 should typically be
enough to stop Kontiki from working, if you haven't
already done so.
According to research from strix.org.uk,
the BBC iPlayer will make an initial connection to a
site in the iplayer.bbc.co.uk subdomain which
might be worth blocking.
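As an added example (not from the original article, the BBC or strix.org.uk), here is a small Python scanner that reads firewall log lines and lists the internal hosts that tried to reach the Kontiki-only ports above or the iplayer.bbc.co.uk subdomain, so that you know which PCs still have Kontiki installed even after the firewall is blocking it. The log format, the LAN range and all addresses are constructed for the example and do not follow any vendor's format.

```python
import re
from collections import defaultdict

# Ports the BBC lists for Kontiki, minus 80/443 which ordinary browsing also uses.
KONTIKI_PORTS = {1947, 1948, 4000, 5000, 8888}
# The subdomain iPlayer contacts first, per the strix.org.uk research quoted above.
IPLAYER_DOMAIN = "iplayer.bbc.co.uk"

# Constructed log format: <ts> <ALLOW|DENY> <TCP|UDP> <src>:<sport> <dst>:<dport> [host=<name>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+host=(?P<host>\S+))?$")

def is_iplayer_host(host):
    """True for iplayer.bbc.co.uk itself or any name beneath it."""
    return host is not None and (
        host == IPLAYER_DOMAIN or host.endswith("." + IPLAYER_DOMAIN))

def scan(lines):
    """Map each source IP showing Kontiki indicators to the ports/hosts seen and allow/deny counts."""
    report = defaultdict(
        lambda: {"ports": set(), "hosts": set(), "allowed": 0, "denied": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        dport, host = int(m.group("dport")), m.group("host")
        on_port, on_host = dport in KONTIKI_PORTS, is_iplayer_host(host)
        if not (on_port or on_host):
            continue  # ordinary web traffic on 80/443 is not evidence of Kontiki
        entry = report[m.group("src")]
        if on_port:
            entry["ports"].add(dport)
        if on_host:
            entry["hosts"].add(host)
        entry["allowed" if m.group("action") == "ALLOW" else "denied"] += 1
    return dict(report)

# Constructed sample log: 10.0.1.0/24 is the LAN, 203.0.113.0/24 is TEST-NET-3.
SAMPLE_LOG = """\
2008-01-14T09:01:02 ALLOW TCP 10.0.1.15:51234 203.0.113.68:443 host=www.bbc.co.uk
2008-01-14T09:01:05 ALLOW TCP 10.0.1.15:51240 203.0.113.70:80 host=iplayer.bbc.co.uk
2008-01-14T09:01:09 DENY TCP 10.0.1.15:51250 203.0.113.56:1947
2008-01-14T09:01:11 DENY UDP 10.0.1.15:51251 203.0.113.57:8888
2008-01-14T09:02:00 ALLOW TCP 10.0.1.22:40001 203.0.113.68:80 host=news.bbc.co.uk
2008-01-14T09:03:30 ALLOW TCP 10.0.1.30:44444 203.0.113.90:5000
this line is not in the expected format and is skipped
"""
```

Run scan(SAMPLE_LOG.splitlines()) to get the per-host report; a host with denied hits on the Kontiki ports is one where the firewall is doing its job but Kontiki is still installed and should be cleaned.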
Removing / Disabling Kontiki
Removing iPlayer (or one of the other on demand applications)
does not remove Kontiki, so it is possible that
the client PC can still be connected to the Kontiki
P2P network.
Kontiki runs as a service called KService
on the client PC - this can be fairly easily disabled
in the control panel, or if you're using Active Directory
then it might be possible to do this with a Group Policy
Object (GPO). PC Doctor has an article on how to remove
Kontiki manually.
Alternatively, the BBC have an application called
KClean which can be downloaded
from their site. This should remove Kontiki completely.
Our Recommendations
We do not believe that the BBC iPlayer and other
Kontiki-based applications are suitable for use within
a business. The obvious bandwidth issue aside, the most
worrying aspect is the security of the application.
Imagine the following scenario: a laptop user requests
a Kontiki-based application for use on their laptop
while out travelling so that they can catch up with
TV programmes while they are away from home. Your corporate
firewall is configured to block Kontiki, so it will
only work outside your corporate network. This seems
like a reasonable request - but the laptop will still
be vulnerable to any security vulnerabilities in Kontiki
that may appear (and it is likely that given time there
will be some flaws discovered). The machine then becomes
infected, and at some point the user reconnects to the
corporate network with the infected machine - causing
a security breach.
The fact that the Kontiki P2P service runs all the
time can be a problem too. Here's another scenario:
a field-based user has a Kontiki-based application installed
on their laptop. Sometimes they will connect to the
corporate VPN using a 3G data card or Bluetooth connection
- the Kontiki application then uses up all their data
allowance and makes your company liable for some extremely
hefty data billing.
So, we feel that not only should you not allow the
BBC iPlayer (and other Kontiki-based applications) on
your corporate network, but you should also ensure that
they are not installed on any corporate laptops either.
Of course, if your users want to install it on a home
laptop or desktop then it is entirely up to them.
If you have any comments or tips, why not post them
to our blog?
Further Reading