Google's version of the W3C's video DRM has been cracked

Since 2013, the World Wide Web Consortium (W3C) has been working with the major browser companies, Netflix, the MPAA, and a few other stakeholders to standardize "Encrypted Media Extensions" (EME), which attempts to control web users' behavior by adding code to browsers that refuses to obey user instructions where they conflict with the instructions sent by video services.

This DRM system uses two pieces: the EME component, which handles key exchanges and other high-level functions, and a "Content Decryption Module," which converts the scrambled video received by the computer into an unscrambled form for playback in the browser.

Google's CDM is Widevine, a technology it acquired in 2010. David Livshits, a security researchers at Ben-Gurion University and Alexandra Mikityuk from Berlin's Telekom Innovation Laboratories, discovered a vulnerability in the path from the CDM to the browser, which allows them to capture and save videos after they've been decrypted. They've reported this bug to Google, and have revealed some proof-of-concept materials now showing how it worked (they've withheld some information while they wait for Google to issue a fix).

Widevine is also used by Opera and Firefox (Firefox also uses a CDM from Adobe).

Under German law — derived from Article 6 of the EUCD — Mikityuk could face criminal and civil liability for revealing this defect, as it gives assistance to people wishing to circumvent Widevine. Livshits has less risk, as Israel is one of the few major US trading partners that has not implemented an "anti-circumvention" law, modelled on the US DMCA and spread by the US Trade Representative to most of the world.

The integration of DRM into HTML5 standards by the W3C poses real risks to security researchers who come forward with information about defects. One proposal for fixing Chrome's leaky CDM is to integrate the video stream into a "Trusted Execution Environment" that the browser could use for other sensitive kinds of data-handling tasks. Bugs in such a system could leak copyrighted video — but also financial information, telemetry from the computer's sensors, and access to the computer's main memory and storage.

Creating liability for disclosures of true facts about browser vulnerabilities has obvious, grave implications for the hundreds of millions of people who entrust browsers with the most sensitive information in their lives, from the login credentials for banking, medical and employment services to the contents of their intimate conversations with their loved ones.

EFF proposed a small step to protect users and security researchers: a modification to the W3C's existing policies, that would prevent W3C members from abusing the DMCA to attack security researchers who come forward with this kind of revelation.

The researchers who revealed the Widevine/Chrome defect say that it was likely present in the browser for more than five years, but are nevertheless the first people to come forward with information about its flaws. As many esteemed security researchers from industry and academe told the Copyright Office last summer, they routinely discover bugs like this, but don't come forward, because of the potential liability from anti-circumvention law.

Thus far, the W3C has not adopted any measures to protect security researchers, and the relevant committee chairman won't entertain discussion of it even though some of the world's foremost security researchers have raised the alarm about the implications of not protecting their work.

"Chrome has long been an open-source project and developers have been able to create their own versions of the browser that, for example, may use a different CDM or include modified CDM rendering paths," the spokesman wrote WIRED in an email.

What he meant is that the hijacking problem has long been known and that even if Google were to add code that forces the CDM to operate in a different way, other browsers that developers might compile from the Chromium could eliminate this code, leaving streaming content just as vulnerable and therefore not solving the problem of content hijacking.

The lab researchers say Google's response is baffling. Just because other developers could produce a different browser that doesn't incorporate more secure measures, doesn't mean Google shouldn't fix the problem in its own Chrome browser.

"[A] vulnerability in the product of Google which is distributed by Google, and users and [movie] studios expect to be secure, should be highly prioritized and fixed to prevent theft of protected content," says Dudu Mimran, CTO of the lab in Israel where one of the researchers works.

A Bug in Chrome Makes It Easy to Pirate Movies [Kim Zetter/Wired]

(Thanks, Coyote!)