
What makes Hololight Stream a Secure XR Streaming Solution?

An overview of Hololight Stream’s security measures, ensuring encrypted, secure, and controlled pixel streaming

Hololight's pixel streaming is fundamentally based on WebRTC and its security philosophy. We leverage its core strengths and build our interactive layer on top of it. This foundation provides several key security advantages:
  • End-to-End Encryption: Just like standard WebRTC, Hololight Stream uses SRTP for end-to-end encryption of all data streams, including video, audio, and user interactions. This ensures that sensitive 3D model data remains confidential during transmission and is protected from unauthorized access.
  • Raw Data Channels: User interactions and any other raw (non-media) data, i.e. user input, device configuration, and user access/authentication, are carried over SCTP-encapsulated data channels, which WebRTC runs over DTLS.
  • Secure Key Exchange: DTLS is used for secure key exchange, protecting the encryption keys used for SRTP. This prevents attackers from intercepting and decrypting the streamed data.
  • Client Application Security: Hololight Stream operates within the secure environment established between the rendering application and the XR device client. This reduces the attack surface and minimizes the risk of vulnerabilities.
  • Air-Gapped Deployment: Our customers generally deploy Space (and its respective XR clients) in air-gapped networks for highly sensitive data. The Stream SDK makes this possible because customers are not required to process any data externally.
In addition to these core WebRTC security features, Hololight Stream adds further enhancements:
  • No Data Stored on Devices: Sensitive 3D model data is never stored on the XR device itself. It remains securely on the server, minimizing the risk of data loss or theft.
  • Control Over Network: Hololight Stream allows you to stream XR applications over networks you control, adding an extra layer of security. This is particularly important for industries dealing with highly sensitive data.
In a cybersecurity attack simulation, you can confidently explain how these security measures protect against common attack vectors:
  • Data Interception: End-to-end encryption prevents attackers from accessing the 3D model data even if they intercept the network traffic.
  • Device Compromise: Even if an XR device is lost or stolen, the sensitive data remains safe on the server.
  • Man-in-the-Middle Attacks: Secure key exchange with DTLS prevents attackers from tampering with the encryption keys.
While no technology is completely invulnerable, Hololight Stream's combination of WebRTC's robust security architecture and our own enhancements provides a strong defense against cybersecurity threats.
Jumping into the details, here is a breakdown of the technologies used when establishing a pixel stream with Stream or Space:
  • End-to-End Encryption: The underlying WebRTC stack, as well as the Stream SDK, mandates the use of the Secure Real-Time Transport Protocol (SRTP) for encrypting media streams, ensuring confidentiality and preventing unauthorized access to the data stream. This is crucial for protecting sensitive CAD models from interception or eavesdropping.
  • Secure Key Exchange: Datagram Transport Layer Security (DTLS) is used for secure key exchange, protecting the encryption keys used for SRTP. This ensures that only authorized devices can decrypt and access the streamed 3D content.
  • Secure Signaling: Stream uses HTTPS for secure signaling (if set up by the developer), protecting the initial handshake and session establishment process from tampering or interception. This matters because the DTLS certificate fingerprints that authenticate each peer are exchanged in this signaling step, so the integrity of the signaling channel is what ties the DTLS key exchange to the intended endpoints.
  • Firewall and NAT Traversal: Stream employs a combination of technologies to securely navigate firewalls and Network Address Translation (NAT) devices. These technologies include:
    • Interactive Connectivity Establishment (ICE): This framework allows devices to find the best path for communication, even when behind firewalls.
    • Session Traversal Utilities for NAT (STUN): STUN servers help devices discover their public IP addresses and the type of NAT they are behind.
    • Traversal Using Relays around NAT (TURN): If a direct peer-to-peer connection is not possible due to restrictive firewalls, TURN servers act as relays, forwarding traffic between devices.
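The secure-signaling and NAT-traversal points above come together at one place in a WebRTC client: the remote session description (SDP) received over signaling, which carries the DTLS fingerprint that the key exchange will authenticate and the ICE candidates that decide whether traffic stays on a relay you control. The following is an added example, not Hololight's code or part of the Stream SDK, of the checks a client can run on that SDP before accepting it. The fingerprint, SDP text, and addresses are constructed sample values; the `expectedFingerprint` is assumed to have been learned out of band or over the HTTPS signaling channel.

```javascript
// Added example (not Hololight's code): validate a WebRTC remote session
// description before handing it to RTCPeerConnection.setRemoteDescription().
//   1. Every media section must carry a DTLS fingerprint, and it must match the
//      fingerprint learned over the trusted (HTTPS) signaling channel, because
//      DTLS-SRTP authenticates the peer only through this fingerprint.
//   2. Only SRTP-protected media (…/TLS/RTP/SAVPF) and DTLS-protected SCTP data
//      channels are accepted; plain RTP/AVP sections are rejected.
//   3. With relayOnly set, only TURN "relay" candidates are accepted, for
//      deployments that keep all traffic on a relay inside a controlled network.

const ALLOWED_PROTOS = new Set([
  'UDP/TLS/RTP/SAVPF', 'TCP/TLS/RTP/SAVPF', 'UDP/DTLS/SCTP', 'TCP/DTLS/SCTP',
]);

// Split SDP text into the session-level section and one object per m= line.
function parseSdp(sdp) {
  const session = { lines: [] };
  const media = [];
  let current = session;
  for (const line of sdp.split(/\r?\n/).filter((l) => l.length > 0)) {
    if (line.startsWith('m=')) {
      const [, kind, port, proto] = line.match(/^m=(\S+) (\d+) (\S+)/) || [];
      current = { kind, port: Number(port), proto, lines: [] };
      media.push(current);
    }
    current.lines.push(line);
  }
  return { session, media };
}

// Values of all "a=<name>:..." attributes in a section.
function attrs(section, name) {
  const prefix = `a=${name}:`;
  return section.lines.filter((l) => l.startsWith(prefix)).map((l) => l.slice(prefix.length));
}

const normalizeFingerprint = (fp) => fp.trim().toUpperCase();

function validateRemoteDescription(sdp, { expectedFingerprint, relayOnly = false }) {
  const { session, media } = parseSdp(sdp);
  const problems = [];
  const sessionFps = attrs(session, 'fingerprint'); // session-level fingerprint applies to all m-lines
  if (media.length === 0) problems.push('no media sections');
  media.forEach((m, i) => {
    if (!ALLOWED_PROTOS.has(m.proto)) problems.push(`m-line ${i}: unprotected transport ${m.proto}`);
    const fps = attrs(m, 'fingerprint').concat(sessionFps);
    if (fps.length === 0) {
      problems.push(`m-line ${i}: no DTLS fingerprint`);
    } else {
      for (const fp of fps) {
        if (normalizeFingerprint(fp) !== normalizeFingerprint(expectedFingerprint)) {
          problems.push(`m-line ${i}: fingerprint mismatch`);
        }
      }
    }
    if (relayOnly) {
      for (const c of attrs(m, 'candidate')) {
        const typ = (c.match(/ typ (\S+)/) || [])[1];
        if (typ !== 'relay') problems.push(`m-line ${i}: non-relay candidate (${typ})`);
      }
    }
  });
  return { ok: problems.length === 0, problems };
}

// Constructed sample values (not real certificates or hosts).
const EXPECTED_FP = 'sha-256 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:'
  + '0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9';
const GOOD_SDP = [
  'v=0', 'o=- 1 1 IN IP4 127.0.0.1', 's=-', 't=0 0',
  `a=fingerprint:${EXPECTED_FP}`,
  'm=video 9 UDP/TLS/RTP/SAVPF 96', 'c=IN IP4 0.0.0.0',
  'a=candidate:1 1 udp 1 203.0.113.5 50000 typ relay raddr 0.0.0.0 rport 0',
  'm=application 9 UDP/DTLS/SCTP webrtc-datachannel', 'c=IN IP4 0.0.0.0', 'a=sctp-port:5000',
].join('\r\n');
// Same session with a swapped fingerprint, an unencrypted RTP/AVP video
// section and a host (non-relay) candidate: what a tampered offer looks like.
const TAMPERED_SDP = GOOD_SDP
  .replace(EXPECTED_FP, EXPECTED_FP.replace(/0A/g, 'FF'))
  .replace('UDP/TLS/RTP/SAVPF', 'RTP/AVP')
  .replace('typ relay', 'typ host');

console.log(validateRemoteDescription(GOOD_SDP, { expectedFingerprint: EXPECTED_FP, relayOnly: true }));
console.log(validateRemoteDescription(TAMPERED_SDP, { expectedFingerprint: EXPECTED_FP, relayOnly: true }));
```

The `relayOnly` switch mirrors the browser's `iceTransportPolicy: 'relay'` setting; it is a client-side assertion that no direct or server-reflexive path was offered, not a replacement for configuring the TURN server itself.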
In summary, the data is neither copied nor duplicated; it can remain securely stored, whether in a Product Lifecycle Management (PLM) system, Omniverse, or other data storage solutions. Customers retain full control, with all operations conducted within their own network and infrastructure. As long as the foundational infrastructure is secure, the integrity and confidentiality of the data will be maintained.