Is the FCC’s Set-Top Box Plan a Security Risk? Hardly
The FCC is pushing a plan to let consumers ditch the boxes supplied by their TV providers and replace them with devices of their choosing. The plan is a popular one because it currently costs an average of $231 per year to rent kits from cable companies.
But now two lawmakers are warning that the open device model could be a gateway for nasty hackers to stampede into our homes.
According to Rep. Devin Nunes (R-Ca) and Rep. Mike Pompeo (R-Ks), the FCC’s plan could let “cyber criminals” use the new devices as an attack vector, and “permit third parties to reach network entitlement servers, billing, and local, regional and national content servers.”
But it would it really?
While the two lawmakers raise a host of chilling possibilities, outlined in a June 8 letter to FCC Chairman Tom Wheeler, their warning may represent rhetoric more than a bona fide security problem.
Sign up for Data Sheet, Fortune’s technology newsletter.
According to John Bergmeyer, an attorney with Public Knowledge, the fears are misplaced, especially given that our living rooms are already stuffed with other devices (i.e. routers, modems, etc.), all of which could theoretically serve as backdoors into home networks. Indeed, concerns about device security could even apply to existing set-top boxes.
“It’s hard to see how it’s different from cable boxes or any other piece of electronics,” stressed Bergmeyer. “Huawei has been making cable boxes made for U.S. companies for a decade.”
In practice, if the FCC plan goes ahead, consumers will simply swap out the pay-TV box for a new or existing piece of equipment. It could be a smart TV, a plug-in device like a Roku or an Amazon Fire Stick, or even a modem. For this to happen, the industry must define a common standard for the devices to read TV signals.
In doing so, the FCC is letting the TV distributors themselves make key decisions about content security. In a February letter announcing the process, the FCC wrote:
This gives [TV companies] the ability to create their own content protection system to prevent theft and misuse, while ensuring that manufacturers will be able to build devices that can access protected content from a variety of [TV providers].
The biggest obstacle in the set-box process, however, may not be technical but political.
As the New York Times explained this weekend, companies like Comcast and AT&T have been mounting a ferocious lobbying and public relations campaign to block the FCC process. One reason, no doubt, is because the plan threatens to undercut the $19.5 billion in annual fees that the TV companies collect through set-top box rentals.
The industry, of course, takes a different view, and has raised a host of reasons—security is just the latest one—as to why the FCC should not unlock the set-top boxes.
One argument that might be persuasive is that the TV industry is getting rid of set-top boxes already and replacing them with apps. To make the point, Comcast has pointed to its recent decision to offer its Xfinity platform on third-party devices like Roku.
But Bergmeyer is skeptical, noting that Comcast has only released the app in a few places and in a limited fashion.
“Comcast has been deploying tens of thousands of boxes a month,” Bergmeyer said. “As much they say boxes are going away, their own actions belie that.”
Meanwhile, most consumers who are still paying hefty rental fees may want to decide for themselves whether or not to keep the the boxes.