FOR YEARS HOLLYWOOD has waged a war on piracy, using digital rights management technologies to fight bootleggers who illegally copy movies and distribute them. For just as long, hackers have found ways to bypass these protections. Now two security researchers have found a new way, using a vulnerability in the system Google uses to stream media through its Chrome browser. They say people could exploit the flaw to save illegal copies of movies they stream on Chrome using sites like Netflix or Amazon Prime.
David Livshits from the Cyber Security Research Center at Ben-Gurion University in Israel and Alexandra Mikityuk with Telekom Innovation Laboratories in Berlin, Germany, alerted Google to the problem on May 24th, but Google has yet to issue a patch. The vulnerability exists in the way Google implements the Widevine EME/CDM technology that Chrome uses to stream encrypted video. The researchers created a proof-of-concept executable file that easily exploits the vulnerability, and produced a brief video to demonstrate it in action.
The problem is with the implementation of a digital management system called Widevine, which Google owns but did not create. It uses encrypted media extensions to allow the content decryption module in your browser to communicate with the content protection systems of Netflix and other streaming services to deliver their encrypted movies to you. EME handles the key or license exchange between the protection systems of content providers and a CDM component in your browser. When you choose a protected movie to play, the CDM sends a license request to the provider through the EME interface and receives a license in return, which allows the CDM to decrypt the video and send it to your browser player to stream the decrypted content.
A good DRM system should protect that decrypted data and only let you stream the content in your browser, but Google’s system lets you copy it as it streams. The point at which you can hijack the decrypted movie is right after the CDM decrypts the film and is passing it to the player for streaming.
The researchers say the bug is very simple but won’t reveal details about it until at least 90 days after their disclosure to Google, since they don’t want to provide anyone who doesn’t already know about the vulnerability with information that would allow them to steal movies. Ninety days is the minimum that Google’s own security researchers in its Project Zero project give vendors to fix vulnerabilities they uncover before they disclose the bugs publicly.
Livshits and Mikityuk believe the issue can be fixed easily with a Chrome patch. But if Google wants to fix the issue and also mitigate against future vulnerabilities that might be uncovered in its Widevine DRM system, it would need to design the CDM so that it runs inside what’s called a Trusted Execution Environment or TEE. The TEE would act like a protective tunnel so that the decrypted content is written to a protected memory space, preventing someone from hijacking the content as it’s going to the player.
Asked about the vulnerability, a Google spokesman told WIRED that they’re examining the issue closely, but he also downplayed the bug, saying the problem is not exclusive to Chrome and could apply to any browser created from Chromium, the open-source code from which Chrome is derived.
“Chrome has long been an open-source project and developers have been able to create their own versions of the browser that, for example, may use a different CDM or include modified CDM rendering paths,” the spokesman wrote WIRED in an email.
What he meant is that the hijacking problem has long been known and that even if Google were to add code that forces the CDM to operate in a different way, other browsers that developers might compile from the Chromium could eliminate this code, leaving streaming content just as vulnerable and therefore not solving the problem of content hijacking.
The lab researchers say Google’s response is baffling. Just because other developers could produce a different browser that doesn’t incorporate more secure measures, doesn’t mean Google shouldn’t fix the problem in its own Chrome browser.
“[A] vulnerability in the product of Google which is distributed by Google, and users and [movie] studios expect to be secure, should be highly prioritized and fixed to prevent theft of protected content,” says Dudu Mimran, CTO of the lab in Israel where one of the researchers works.
Livshits and Mikityuk found the bug about eight months ago. It’s apparently existed ever since Google embedded the Widevine technology in its browser, though it’s not clear when that occurred. “The way the vulnerability works, it makes sense that it existed from the early days,” says Mimran. The tech giantacquired Widevine in 2010 to secure Chrome streams and premium YouTube channels. Widevine is also embedded in more than 2 billion devices that play protected content, according to its web site.
Firefox and Opera also use the Widevine CDM, though the researchers haven’t examined those browsers yet. They limited their research to the desktop version of Chrome. Neither Safari nor Internet Explorer use Widevine. Safari uses Apple’s FairPlay CDM, and Microsoft’s Internet Explorer and Edge browsers use Microsoft’s PlayReady CDM. The researchers haven’t examined those CDMs yet.
It’s not the first time flaws have been uncovered in a digital rights management system. In 2001 Russian programmer Dmitry Sklyarov discovered vulnerabilities in the encryption system Adobe used for protecting electronic books produced with Adobe Acrobat. That same year a group of researchers found flaws in the digital watermarking technology created by the Secure Digital Music Initiative, a consortium of recording companies and consumer electronics firms, to thwart piracy.
But the Chrome vulnerability is different in that it involves a third-party system that streamers are trusting to protect their valuable content.
“The simplicity of stealing protected content with our approach poses a serious risk for Hollywood [studios] which rely on such technologies to protect their assets,” Livshits says. Though the researchers have no way of knowing if this hole has been used in the real world, it shows that the battle to fight piracy continues on ever shifting territory.