The card cased CAS common in DVB broadcasting are indeed designed for the particular environment one-way broadcast represents.  In one-way communication security can only be enforced if there is a [tamper resistant] security device in the user terminal [STB].  This is the card.

If the card is compromised, the security can be upgraded through a card replacement.  20 year experience with cards shows the average lifetime of a card generation to be more than 4 years.
Software based pay-TV systems origin from broadband / IPTV, and are based on two-way communication between the STB and a central server.  The two-way communication is used to check the identity of the STB.  However, the content is most often multicast / broadcast to the STB making it in practice a one-way broadcast operation.

Software based content protection has worked based on the two-way identification – but perhaps more due to software based broadband / IPTV operations having been small and of low interest for pirates. This may change.
Some operators consider to use software based CAS for pure one-way broadcast.  The reasons are lesser costs due to no card, only the STB, and a faith in the slogan that software content protection is faster and cheaper to upgrade than card based CAS.  However, at closer scrutiny neither argument is strong.

The card indeed represents a hardware cost, yet with card based STBs being sold in larger volumes, the investment costs become similar.
The software CAS security update story rests on a weak foundation as if the environment is compromised on a level deeper than the software can repair, the STBs may need to be replaced.  Thisis certainly both more expensive and complex than to replace a card.

Further, the security environment for the software CAS is the STB, while the security environment for the card based CAS software is the card chip.  With the card chip having a far higher security level than a STB, security breach can be expected sooner via the STB than via the card.
Strong vendor lock-in is another disadvantage of software based CAS. 
Read More for a deeper discussion.

Software CAS in broadcast

1. Introduction
   Software CAS has over the last 4-5 years entered the CAS scene via IPTV.  The software CAS companies have (sometimes) promoted software CAS as robust as hardware (card) based CAS.  This note discusses aspects of software CAS vs. card based CAS when applied to the broadcast scenario.


2. Broadcast mode vs. two-way IP connection
   When used in a two-way environment, e.g. VOD or other small scale broadband operation, each STB can authenticate itself for the CAS server before content is released to the particular STB.  In this way the CAS server may monitor the overall consumption, and detect abnormal behaviour.  Software CAS may then provide a quite secure solution for small and medium size operations.
   
   
   Important note: the above applies to the delivery of the content itself, and not to the rights negotiation/preparation level.  A network may seem two-way if the STB is negotiating the right with the CAS server via a two-way link.
   

When used in a one-way environment and broadcast mode, there is no communication from the STB to the head-end.  So, there is no way to detect abnormal behaviour. In broadcast mode, the entire security of the operation therefore relies on the strength of the STB/user security device.

However, if the delivery of the content itself is one-way broadcast mode – or in unicast mode accessible to many other subscribers – like WiMAx – then, from a content security point of view, the scenario is not two-way, rather one-way broadcast mode.


3. Software CAS software upgrades
   Software CAS boasts that if there is a security issue, then this is easily fixed by a software upgrade.  However, while this sounds easy, there are more to it:
   • If the pirate has gotten into the software upgrade mechanism itself, the pirate can monitor all upgrades and dissect them from inside. It is like the pirate has come inside the fence representing the STB hardware/software CAS loading mechanism and sits inside observing how the software CAS vendor is building a new maze within the fence.
   • An upload mechanism is a very high risk on its own. If the pirate gets to know the software upload mechanism, the pirate may modify the STB behaviour to become a pirate controlled STB (or a hostile operator controlled STB).
   • Cards in card based CAS may also include software upgrade mechanisms, butfor security reasons such mechanisms are often deliberately disabled or omitted.
   • One must assume that the CAS vendor did its best security effort within the capabilities of the (STB) hardware available in the first place. The scope for upgrades that significantly improves the security level is therefore limited. [and if the best security effort was not applied in the first place – why?]


4. STB vs. cards as a security environment
   STBs are not designed for high level security.  The STBs would become prohibitively expensive if they should feature high level security.
   
   The chips used in [CAS] smart cards are specifically developed for providing a very high level of tamper resistance, i.e. to be robust against commercial hackers/pirates.
   
   So, the hardware security level is far lower for software based CAS than chip based CAS.
   
   Software CAS “sounds” indifferent from the hardware security level, however, if the pirate gets inside the hardware, the pirate will be able to monitor the software CAS execution including all software CAS upgrades.  The pirate may also be able to block such upgrades altogether.
   
   The threshold to get into the card hardware is very much higher making the time until replacement (of the software environment = the hardware) longer.
   
   Cards represent a level of security where software CAS can’t go.


5. Cost of CAS retrofit – what to replace
   As the most expensive pay-TVinfrastructure element is the STB, an important aspect is if a security breach reduces the overall lifetime expectation of the STB.
   
   i)    Security upgrade of card based operation:
   
   • CAS hacks can be recovered by card replacement. STB lifetime is not affected by CAS hacks.
   • STB replacement must be considered in case of effective pairing hack as this can be used for STB hi-jacking or card sharing.
   ii)    Software CAS:
   
   • One must expect STB lifetime to be much reduced due to (repeated) hacking of the software CAS.


6. Initial cost of STB and card
   Intuitively, STB + card seem more expensive than a cardless STB.  However, the prices of the card based STBs and the cardless STBs are not the same.  This as card based STBs are the same for various (card based) CAS whereas the cardless STB platform become much more CAS vendor specific.
   
   A CAS vendor specific STB in general becomes more expensive by its lower volume.  Then, if the CAS vendor specific STB becomes CAS vendor “un-specific” to increase volume of scale, or the cardless CAS vendor uses the same STB for many operators – well then the STB environment comes under harder hacking/piracy pressure – and a penetration of the relatively weaker STB environment in one operation or for one cardless CAS can cause avalanche effect.  So, the “advantage” of obscure STB environment that the hacker needs time to understand is in contradiction with volume of scale of the STBs.
   
   Also, even if the CAS is cardless – its STB security clients do not come for free.The net effect is that the cost per subscriber is similar for a cardless STB and a volume-of-scale STB + card.


7. CAS vendor lock-in
   Software based CAS needs to maintain full control over the STB (software), including keeping control with all incoming software.  In turn, this means the CAS vendor also controls if other CAS support shall be possible to upload to the STB.  The implication is the operator having to replace the STBs to replace the CAS – the operator is subject to CAS vendor lock-in.

Some card based CAS also claim control over the STB by controlling the STB software loader thereby representing the similar CAS vendor lock-in effect. 

However, several card based CAS promotes third party STB software loader enabling the CAS to be replaced on the STBs.