Now two security researchers have found a new way, using a vulnerability in the system Google uses to stream media through its Chrome browser. They say people could exploit the flaw to save illegal copies of movies they stream on Chrome using sites like Netflix or Amazon Prime.
David Livshits from the Cyber Security Research Center at Ben-Gurion University in Israel and Alexandra Mikityuk with Telekom Innovation Laboratories in Berlin, Germany, alerted Google to the problem on May 24th, but Google has yet to issue a patch. The vulnerability exists in the way Google implements the Widevine EME/CDM technology that Chrome uses to stream encrypted video. The researchers created a proof-of-concept executable file that easily exploits the vulnerability, and produced a brief video to demonstrate it in action.
The problem is with the implementation of a digital rights management (DRM) system called Widevine, which Google owns but did not create. Two pieces are involved: the content decryption module (CDM), the Widevine component inside the browser that holds the content keys and decrypts the video, and Encrypted Media Extensions (EME), the browser API that lets a site's player talk to that CDM and to the content protection systems of Netflix and other streaming services. EME carries the key, or license, exchange between the protection systems of content providers and the CDM in your browser. When you choose a protected movie to play, the CDM sends a license request to the provider through the EME interface and receives a license in return; the license delivers the content keys, which allow the CDM to decrypt the video and hand the decrypted content to your browser's player for playback.
A good DRM system should protect that decrypted data and only let you stream the content in your browser, but Google’s system lets you copy it as it streams. The point at which you can hijack the decrypted movie is right after the CDM decrypts the film and is passing it to the player for streaming.
The researchers say the bug is very simple but won't reveal details about it until at least 90 days after their disclosure to Google, since they don't want to provide anyone who doesn't already know about the vulnerability with information that would allow them to steal movies. Ninety days is the minimum that Google's own Project Zero security team gives vendors to fix vulnerabilities it uncovers before it discloses the bugs publicly.
Livshits and Mikityuk believe the issue can be fixed easily with a Chrome patch. But if Google wants to fix the issue and also mitigate against future vulnerabilities that might be uncovered in its Widevine DRM system, it would need to design the CDM so that it runs inside what's called a Trusted Execution Environment, or TEE. A TEE is a hardware-isolated environment in which the decryption happens and the decrypted content is written to protected memory that the ordinary browser process and operating system cannot read, so no one can hijack the content on its way to the player.
Asked about the vulnerability, a Google spokesman told WIRED that the company is examining the issue closely, but he also downplayed the bug, saying the problem is not exclusive to Chrome and could apply to any browser built from Chromium, the open-source code from which Chrome is derived.
“Chrome has long been an open-source project and developers have been able to create their own versions of the browser that, for example, may use a different CDM or include modified CDM rendering paths,” the spokesman wrote WIRED in an email.
What he meant is that the hijacking problem has long been known and that even if Google were to add code that forces the CDM to operate in a different way, other browsers that developers compile from Chromium could strip that code out, leaving streaming content just as vulnerable and therefore not solving the problem of content hijacking.
The lab researchers say Google’s response is baffling. Just because other developers could produce a different browser that doesn’t incorporate more secure measures, doesn’t mean Google shouldn’t fix the problem in its own Chrome browser.
“[A] vulnerability in the product of Google which is distributed by Google, and users and [movie] studios expect to be secure, should be highly prioritized and fixed to prevent theft of protected content,” says Dudu Mimran, CTO of the lab in Israel where one of the researchers works.
Livshits and Mikityuk found the bug about eight months ago. It’s apparently existed ever since Google embedded the Widevine technology in its browser, though it’s not clear when that occurred. “The way the vulnerability works, it makes sense that it existed from the early days,” says Mimran. The tech giant acquired Widevine in 2010 to secure Chrome streams and premium YouTube channels. Widevine is also embedded in more than 2 billion devices that play protected content, according to its web site.