News: 1726125906

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

If HDMI screen rips aren't good enough for you pirates, DeCENC is another way to beat web video DRM

(2024/09/12)


An anti-piracy system to protect online video streams from unauthorized copying is flawed – and can be broken to allow streamed media from Amazon, Netflix, and others to be saved, replayed, and spread at will, we're told.

The Common Encryption Scheme (CENC) is a form of DRM that is used by video-streaming giants to ensure movies and TV shows streamed to people's devices cannot be, for instance, saved to disk in a way that allows them to be played back later or distributed to others to enjoy. When you watch a film from a Big Tech streaming platform, you're not supposed to be able to keep a copy of that media, or else people could stream something once, save it, and replay it forever, wrecking the whole subscription model approach.

The algorithms and methods set by CENC make sure only the playback application, such as the viewer's web browser, successfully decodes and displays the compressed streamed media, and thus safeguards the content from pirates.

[1]

However, the scheme has flawed encryption and is vulnerable to a proof-of-concept decryption attack, according to security researcher David Buchanan.

[2]

[3]

In [4]a recent issue of the venerable hacking publication Phrack, Buchanan (aka "retr0id") refers to his attack as DeCENC, because it undoes CENC protection of streaming media content.

The name hearkens back to [5]DeCSS , which famously undid the Content Scrambling System, a DRM scheme protecting DVDs from piracy, when it was published online in 1999 and unleashed a futile legal campaign to suppress the disclosed code.

[6]

Buchanan told The Register that DeCENC should be of some concern to commercial streaming platforms like Amazon Prime, Netflix, Hulu, and YouTube, which all use [7]CENC in their content distribution platforms. The scheme encrypts and protects the data from the streamers to users' web browsers.

Although DeCENC can defeat that protection, there are easier and more practical ways to rip off streamed media, which Buchanan acknowledges.

"How concerned they [Amazon et al should actually be [about DeCENC] depends on a lot of factors, including their threat model," he said. "Compared to other approaches, DeCENC is fairly impractical, to the extent that it's almost a mere academic curiosity. The people that streaming services ought to be most worried about likely already have more convenient techniques available to them."

[8]

In his Phrack article, Buchanan cites examples of simpler CENC-bypassing techniques, including simply capturing content from a screen, digitally recording the HDMI port using a splitter dongle, and exfiltrating decrypted video prior to the use of decompression, content keys, or Content Decryption Module (CDM) secrets.

He also points to vulnerabilities, such as the Microsoft PlayReady client compromise that was [9]disclosed in May, as an example of a more practical attack.

"That (and any similar compromise) is the sort of thing that could enable content decryption at-scale, and in my view should be a higher priority concern from the perspective of a streaming platform," Buchanan told us.

Nonetheless, DeCENC, with its [10]published code , represents a plausible attack technique for security researchers.

It provides a way to exfiltrate decrypted video data without changing or meddling with the CDM – the black box software that normally handles the decryption of protected content. It relies on the manipulation of inputs and outputs to that software using the documented interfaces, including the CENC file format, the [11]Encrypted Media Extensions (EME) API , and the [12]Media Source Extensions (MSE) API .

[13]Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack

[14]Mind the talent gap: Infosec vacancies abound, but hiring is flat

[15]Defense AI models 'a risk to life' alleges spurned tech firm

[16]As major web browser makers snuggle up to AI, these skeptical holdouts remain

This technique relies on bypassing the video decoder, in order to capture streamed video that has been decrypted but remains compressed. Essentially, you trick the CDM into decrypting but not decompressing the streamed video and have it displayed directly on the screen in raw format. Then with a HDMI capture card, you can collect that decoded yet compressed data, process it, save it, and have a clean raw copy of the stream.

"The main trick here is a method to 'bypass' the video decoder," retr0id said in his write-up.

"The consequence is that decrypted (but still compressed) video data is rendered onto the screen as-is, in raw form. Visually this just looks like random noise, but if recorded and processed appropriately it can be recombined with the source media stream to obtain a playable decrypted copy. Although a capture card may be involved in this process, there is no need to re-compress any data, making the resulting file a 'WEBDL' rather than a 'WEBRip'.

"The attack involves feeding a specially crafted MPEG-CENC file (containing a crafted h264 bitstream) into the CDM. You might be thinking 'surely the CDM would detect that you're feeding in the wrong file, and reject it?' That would be a very sensible thing for it to do, but the MPEG-CENC format provides no affordances for doing so."

He added DeCENC takes a lot of fiddling to use, which is partially deliberate. "It's not my intention to release something 'user friendly,' it's more of a proof-of-concept.

"The attack processes data at approximately 2 megabits per second. Depending on the quality of the video being processed, this might be faster or slower than real-time. For big files, you could in theory run multiple instances of the attack at once to speed things up."

Perhaps the CENC authors assumed that authentication would be somebody else's problem, and so did everyone else

What makes this approach possible, Buchanan told The Register , is the use of encryption without authentication.

"I think that should've been addressed as part of the CENC specification," he explained. "Perhaps the CENC authors assumed that authentication would be somebody else's problem, and so did everyone else."

Buchanan attributes the viability of the attack to the sprawling set of overlapping specifications that describe EME, the MP4 video format, and CENC. The complexity and non-public nature of these technical documents ensures that there will be gaps that can be exploited, he contends.

To better benefit from security research, he argues, the International Organization for Standardization (ISO) should stop keeping specifications like CENC behind a paywall, pointing to The Register 's [17]past reporting on the subject.

"Apart from anything else, it makes security research much more tedious," he said. "A single spec like CENC itself is vaguely affordable (CHF 173 [$203], at the time of writing). But the reality is that there's a whole network of specs that cross-reference each other, and it's impossible to make sense of things without all of them.

"It's also hard to know which ones are relevant until you've seen them – I'm not going to spend CHF 173 on something that might be useful, and I don't think I could afford the full suite of MPEG specifications."

ISO did not immediately respond to a request for comment. ®

Get our [18]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZuK7xkmPa-mykRPC3VXZmwAAABA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZuK7xkmPa-mykRPC3VXZmwAAABA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZuK7xkmPa-mykRPC3VXZmwAAABA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://phrack.org/issues/71/6.html#article

[5] https://www.cs.cmu.edu/~dst/DeCSS/

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZuK7xkmPa-mykRPC3VXZmwAAABA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://www.iso.org/standard/84637.html

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZuK7xkmPa-mykRPC3VXZmwAAABA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[9] https://seclists.org/fulldisclosure/2024/May/5

[10] https://github.com/DavidBuchanan314/DeCENC

[11] https://developer.mozilla.org/en-US/docs/Web/API/Encrypted_Media_Extensions_API

[12] https://developer.mozilla.org/en-US/docs/Web/API/Media_Source_Extensions_API

[13] https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/

[14] https://www.theregister.com/2024/09/11/mind_the_talent_gap_infosec/

[15] https://www.theregister.com/2024/09/06/defense_ai_models_risk/

[16] https://www.theregister.com/2024/09/10/web_browsers_ai_holdout_vivaldi/

[17] https://www.theregister.com/2021/07/31/iso_paywall_battle/

[18] https://whitepapers.theregister.com/



ISO = extortion scheme...

Joe W

"Use the standards or else!"

"What are the standards?"

"Hand over your money or you'll never know!"

sitta_europea

*Every* anti-piracy scheme designed to protect movies and the like is doomed because it's more or less trivial to capture the video and sound outputs.

I could do it very easily, but I can't be bothered because I'm not really interested and at six for a pound I could buy vastly more DVDs from the charity shops than I could ever find time to watch.

Even my wife cracks the copy protection on DVDs after she's bought them so that she can compress the data by a factor of five or ten and put a lot more movie files on her 3TB movies disc.

I really can't understand why people make such a fuss about it, they're just bringing attention to the flaws in the cobbled-together systems.

Spazturtle

At the end of the chain is always a scaler that converts the signal into a raw un-encrypted pixel map to send to the display panel, there is no way that set can be protected. So all of this is just a folly anyway.

Re: and the like is doomed

Mage

A 4K camera is now cheap, as is a 4K screen.

Pull the curtains and camera on tripod pointing at screen. Sound by line / earphone to analogue in.

Never been easier.

HDCP and all other DRM are consumer taxes and never stopped commercial pirates.

An ebook is slightly harder if you want decent text from the still photos of the screen (but most Amazon & Adobe DRM is defeated anyway).

DRM serves to divide & conquer markets and control consumer consumption, it has no effect on commercial pirates who may even copy at studio, production facility, projection booth, or cut spine off paper ARC and auto-sheet-feed scanner. Though some now have page turners and cameras.

Doctor Syntax

"or else people could stream something once, save it, and replay it forever, wrecking the whole subscription model approach."

Even worse - instead of watching the stream in real time they could watch the recording and fast forward through the ads.

Lee D

I have to say that although I don't pirate content, HDMI's in-built "content protection" is all but useless by the look of it. It very much reeks of DVD's region protection or content control where you just need a cheap device from China that ignores it and everything "just works".

And it seems, again, that those people with the cheap, junky hardware - or even just outright pirating - get a better deal than those customers who buy top-of-the-line kit that then honours such things and only stops legitimate users watching their content.

My dad had a very expensive Philips DVD player back in the day and it wouldn't read other regions, wouldn't play DVD-Rs, couldn't play even older formats like VCDs or SVCDs, MP3 CDs, etc., forced you to honour the DVD operations (so you couldn't skip ads on the DVD, etc.).

He hated that my £10 DVD player allowed you to do all that, and pretty much gave you the same output because DVD is just digital data.

HDMI content protection appears to be the same.

And now even streaming protection appears to be going the same way.

Knock-off, cheapo devices and pirates - all the content none of the hassle, store perfect copies digitally and keep forever.

Genuine customers - locked out of their own purchased content, lose it when a service shuts up shop because they can't back it up.

We kind of got over this with MP3s, didn't we? Didn't the music industry eventually wake up and realise that people just want their music and don't want obstacles and they were still making billions even if people had MP3 files with no DRM on them? Even iTunes ended up going that way. Are we going back to the old ways again?

I don't actually pirate. But I ripped all the DVDs I own and put them on my own Plex as basic MP4 files with no gumph or DRM. My entire media-viewing experience is SO MUCH BETTER.

The other stuff I watch I record off TV as direct, perfect MPEG-2 streams captured from DVB-T. No DRM, stays around as long as I can keep hold of it.

I never understood streaming at all. It's like renting access to someone else's Plex and it all goes away if you stop paying, and they can delete and change content any time they like and load it with ads throughout every video if they want.

Laugh and the world laughs with you, snore and you sleep alone.