Researcher Claims to Have Cracked Microsoft's DRM Technology

Founder and head of the Polish research company AG Security Research (formerly Security Explorations) Adam Gowdiak announced that he discovered vulnerabilities in Microsoft’s PlayReady content protection technology. According to him, these issues could allow dishonest subscribers of streaming services to illegally download movies.

Gowdiak is known for his research in Java security, as well as television and streaming platforms, which have frequently made headlines over the past 16 years. While his previous research focused on satellite TV platforms, television set-top boxes, and DVB, Gowdiak has recently been investigating digital content protection and its impact on streaming platforms.

For example, in 2022, Gowdiak informed Microsoft engineers that he was able to download content protected by PlayReady from Canal+, a premium VOD platform in Poland. This research involved compromising television set-top boxes to obtain the keys necessary to access protected content.

However, Canal+ ignored the researcher’s attempts to address the vulnerability, and a year later, the company announced the closure of the vulnerable platform without acknowledging Gowdiak’s work. Microsoft stated that the described problems related to service provider-controlled settings and third-party client security, emphasizing that there was no vulnerability in Microsoft’s service or client.

Nonetheless, Gowdiak continued to study the security of Microsoft PlayReady and is now focusing on international streaming services that use PlayReady to protect content.

PlayReady is a content protection technology that combines encryption, output prevention, and DRM to prevent the copying of media files. Microsoft claims it is the most widely used content protection technology in the world.

In his new research, Gowdiak did not rely on compromising television set-top boxes; instead he targeted the Protected Media Path (PMP) technologies that secure content in Windows environments, as well as the Warbird compiler, which Microsoft developed to complicate reverse engineering of Windows components.

The researcher claims that vulnerabilities found in PMP components could be used to access the plaintext keys of PlayReady-protected content. These keys could allow an infiltrator to decrypt content from popular streaming services.

The attack involves exploiting a temporary window during which content keys are held in XOR form. According to the Security Explorations blog, the plaintext value of these keys can be obtained by a simple XOR operation with a 128-bit magic key sequence. Tests showed that only two such sequences are used in Windows versions released after 2022 – one for Windows 10 and another for Windows 11.

Videos showcasing downloading movies from Canal+ and obtaining content keys for Netflix are published in the same blog. However, it is noted that this technique could also be applicable to other platforms like HBO Max, Amazon Prime Video, and Sky Showtime.

Some streaming platforms allow users to download content for offline viewing, which remains accessible in the app for a limited time. Gowdiak claims he was able to download HD-quality movies to a local drive and watch them using Windows Media Player.

Per Gowdiak, a malicious actor only needs Windows and a subscription to a streaming platform to extract movie keys from those using the vulnerable Microsoft PlayReady technology. However, the exploitation of these bugs is not straightforward. The research took nine months, in addition to the six months spent analyzing PlayReady back in 2022.

Furthermore, Gowdiak has not disclosed technical details and noted that he is dissatisfied with how Microsoft responded to his previous vulnerability report concerning PlayReady. Microsoft has now requested additional information on the issue, mentioning a possible bug bounty reward. Nevertheless, Gowdiak is now willing to share information with the company only under a commercial agreement, in order to protect his company's valuable IP and know-how, which it considers critical for its future Windows-oriented projects.

As part of their latest research, Gowdiak and his colleagues developed several tools, including a Warbird reverse-engineering kit for analyzing Warbird-protected binaries and a sniffer for extracting content keys from the PMP process.

A Microsoft representative commented that they are aware of the problem affecting a subset of content using software DRM solutions and are collaborating with partners to address the issue.
