
June 27, 2016

A Bug in Chrome Makes It Easy to Pirate Movies

For years Hollywood has waged a war on piracy, using digital rights management technologies to fight bootleggers who illegally copy movies and distribute them. For just as long, hackers have found ways to bypass these protections.

Now two security researchers have found a new way, using a vulnerability in the system Google uses to stream media through its Chrome browser. They say people could exploit the flaw to save illegal copies of movies they stream on Chrome using sites like Netflix or Amazon Prime.

David Livshits from the Cyber Security Research Center at Ben-Gurion University in Israel and Alexandra Mikityuk with Telekom Innovation Laboratories in Berlin, Germany, alerted Google to the problem on May 24th, but Google has yet to issue a patch. The vulnerability exists in the way Google implements the Widevine EME/CDM technology that Chrome uses to stream encrypted video. The researchers created a proof-of-concept executable file that easily exploits the vulnerability, and produced a brief video to demonstrate it in action.

DRM Hole

The problem is with the implementation of a digital rights management (DRM) system called Widevine, which Google owns but did not create. It uses Encrypted Media Extensions (EME) to allow the Content Decryption Module (CDM) in your browser to communicate with the content protection systems of Netflix and other streaming services, so that they can deliver their encrypted movies to you. EME handles the key or license exchange between the protection systems of content providers and the CDM component in your browser. When you choose a protected movie to play, the CDM sends a license request to the provider through the EME interface and receives a license in return, which allows the CDM to decrypt the video and send it to your browser's player to stream the decrypted content.

A good DRM system should protect that decrypted data and only let you stream the content in your browser, but Google’s system lets you copy it as it streams. The point at which you can hijack the decrypted movie is right after the CDM decrypts the film and is passing it to the player for streaming.

The researchers say the bug is very simple but won’t reveal details about it until at least 90 days after their disclosure to Google, since they don’t want to provide anyone who doesn’t already know about the vulnerability with information that would allow them to steal movies. Ninety days is the minimum that Google’s own security researchers in its Project Zero project give vendors to fix vulnerabilities they uncover before they disclose the bugs publicly.

Livshits and Mikityuk believe the issue can be fixed easily with a Chrome patch. But if Google wants to fix the issue and also guard against future vulnerabilities that might be uncovered in its Widevine DRM system, it would need to design the CDM so that it runs inside what is called a Trusted Execution Environment (TEE). The TEE would act like a protective tunnel: the decrypted content would be written only to a protected memory space, preventing someone from hijacking the content on its way to the player.

Asked about the vulnerability, a Google spokesman told WIRED that they’re examining the issue closely, but he also downplayed the bug, saying the problem is not exclusive to Chrome and could apply to any browser created from Chromium, the open-source code from which Chrome is derived.

“Chrome has long been an open-source project and developers have been able to create their own versions of the browser that, for example, may use a different CDM or include modified CDM rendering paths,” the spokesman wrote WIRED in an email.

What he meant is that the hijacking problem has long been known, and that even if Google were to add code that forces the CDM to operate in a different way, other browsers that developers compile from Chromium could strip that code out, leaving streaming content just as vulnerable and therefore not solving the problem of content hijacking.

The lab researchers say Google's response is baffling. Just because other developers could produce a different browser that doesn't incorporate more secure measures doesn't mean Google shouldn't fix the problem in its own Chrome browser.

“[A] vulnerability in the product of Google which is distributed by Google, and users and [movie] studios expect to be secure, should be highly prioritized and fixed to prevent theft of protected content,” says Dudu Mimran, CTO of the lab in Israel where one of the researchers works.

Livshits and Mikityuk found the bug about eight months ago. It has apparently existed ever since Google embedded the Widevine technology in its browser, though it's not clear when that occurred. "The way the vulnerability works, it makes sense that it existed from the early days," says Mimran. The tech giant acquired Widevine in 2010 to secure Chrome streams and premium YouTube channels. Widevine is also embedded in more than 2 billion devices that play protected content, according to its website.

Text by Wired