Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Researcher Cracks Google's Widevine DRM (L3 Only) (zdnet.com)

Posted by BeauHD on from the sounds-cooler-than-it-is dept.

The L3 protection level of Google's Widevine DRM technology has been cracked by a British security researcher who can now decrypt content transferred via DRM-protected multimedia streams. ZDNet's Catalin Cimpanu notes that while this "sounds very cool," it's not likely to fuel a massive piracy wave because "the hack works only against Widevine L3 streams, and not L2 and L1, which are the ones that carry high-quality audio and video content." From the report: Google designed its Widevine DRM technology to work on three data protection levels --L1, L2, and L3-- each usable in various scenarios. According to Google's docs, the differences between the three protection levels is as follows:

L1 - all content processing and cryptography operations are handled inside a CPU that supports a Trusted Execution Environment (TEE).
L2 - only cryptography operations are handled inside a TEE.
L3 - content processing and cryptography operations are (intentionally) handled outside of a TEE, or the device doesn't support a TEE

"Soooo, after a few evenings of work, I've 100% broken Widevine L3 DRM," [British security researcher David Buchanan] said on Twitter. "Their Whitebox AES-128 implementation is vulnerable to the well-studied DFA attack, which can be used to recover the original key. Then you can decrypt the MPEG-CENC streams with plain old ffmpeg." Albeit Buchanan did not yet release any proof-of-concept code, it wouldn't help anyone if he did. In order to get the DRM-encrypted data blob that you want to decrypt, an attacker would still need "the right/permission" to receive the data blob in the first place. If a Netflix pirate would have this right (being an account holder), then he'd most likely (ab)use it to pirate a higher-quality version of the content, instead of bothering to decrypt low-res video and lo-fi audio. The only advantage is in regards to automating the pirating process, but as some users have pointed out, this isn't very appealing in today's tech scene where almost all devices are capable of playing HD multimedia [1, 2].

26 of 76 comments (clear)

  1. Oops by butzwonker · · Score: 2

    I didn't even know that Google is in this shit business. Good to know, in order to avoid products that use this DRM crap.

    1. Re:Oops by dogsbreath · · Score: 2

      Widevine is used on stream transport and you almost certainly have watched something that was wrapped & unwrapped by their DRM code. Unlikely you will ever run across a consumer product that says "Widevine enabled".

    2. Re:Oops by ArchieBunker · · Score: 1

      Can you name any sites that use it?

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    3. Re:Oops by CastrTroy · · Score: 4, Informative

      The most popular one is probably Netflix. If you use Netflix on an Android device you have used WideVine.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    4. Re:Oops by swillden · · Score: 2

      The most popular one is probably Netflix. If you use Netflix on an Android device you have used WideVine.

      Or Google Play video, or Amazon Video, or Hulu, or basically any Android app that plays commercial content. Maybe even YouTube; not sure.

      I believe that Android and ChromeOS devices these days are required to provide L1, while desktop Chrome and Firefox provide only L3. L2 pretty much doesn't exist. You can tell easily what your device has: If your Netflix (etc.) streams are limited to 480p, then the device supports L3. If you can watch HD (720p, 1080i/p, 4K), then the device supports L1.

      More detail: https://www.androidauthority.c...

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re: Oops by MightyYar · · Score: 1

      I still pirate out of pure laziness. I pay for Netflix and Amazon Prime but it's often easier to simply search for a pirated version of whatever than to log in and search all the separate services. Kodi is no joy, but once set up it's still a better experience than any of the legit offerings - simply because search is centralized. The rights holders obviously aren't starving or they'd be more consumer-friendly - I have very little empathy for them and try to minimize the amount of money I send their way.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    6. Re: Oops by Carewolf · · Score: 1

      I can watch full HD with a desktop browser on a cpu without encryption. Only 4K content seems to demand OS and hardware support for "trusted" computing.

    7. Re:Oops by dogsbreath · · Score: 1

      If you use any IPTV service then you have had content wrapped with Widevine

  2. DRM ugh. by serviscope_minor · · Score: 1

    I remember back in the early 2000s when google sounded like some sort of geek paradise where they also paid you.

    Now it's all about privacy violation and apparently DRM now too. Yuck.

    --
    SJW n. One who posts facts.
  3. Yawn ... by dogsbreath · · Score: 4, Insightful

    With respect to piracy of entertainment streams, what does it matter when HDCP is so eminently hackable? Widevine has been around forever and has not made any difference to unauthorized recording and distribution of video and audio.

    Widevine protects the stream down to the user's endpoint where it is conveniently stripped of any effective protection. I don't see how the entire stream path can ever be completely locked down.

    Widevine exists only to satisfy contract demands by content providers to protect the streams. Lot$ spent (and passed on to the consumer) to do nothing.

    1. Re:Yawn ... by dogsbreath · · Score: 2

      And this break means that the termination condition on those contracts is triggered and people without the latest hardware lose their legitimate access to the content.

      Uh, no.

      I don't think there are any delusions at the executive level and this certainly does nothing to contracts. Stream DRM is demanded by contract. This is a boiler plate thing about being seen to protect. The headend does their bit to implement DRM and delivers the protected stream to the user end point; c'est fini.

      What hardware issues? Either ignore the issue (unlikely, although this is not a high value exploit), or patch the code and move on.

      No service disruption; no revenue disruption.

      The interesting aspect of this story is the amateur implementation at L3. Raises questions about the rest of their code but again: who the hell cares? It does nothing anyways.

    2. Re:Yawn ... by dogsbreath · · Score: 1

      This level of protection is valuable too. For unprotected content it will likely be stolen from your cdns - you will pay for storage and transfer but someone else will get revenue by offering this content on their site/app.
      Also widevine is free outside of initial implementation dev time.

      Yes. Let's make sure the pipe does not leak while pumping everything into an open bucket.

      Recording is trivial.
      Near real time re-streaming is easy.

      Initial implementation and ongoing support can be expensive but you are right, Google has made Widevine effectively free to use. More being seen to protect; a political issue of particular importance to Google.

    3. Re: Yawn ... by fuzzyfuzzyfungus · · Score: 3, Interesting

      I imagine that the main area of interest(aside from people doing cryptoanalysis for its own sake or professionally) is in getting output that hasn't been decompressed, potentially resized or munged a bit by the decoding device's particular color profile; and finally grabbed off the HDMI output and recompressed.

      If the stream provided to L3 clients is lousy enough you may still come out ahead by qualifying for L1-super-premium-secure and then HDCP stripping; but the clean copy will be worse than what was originally provided.

      There's also the matter of convenience: HDMI framegrabbers are much cheaper than they used to be; but setting up a capture arrangement based on one is still way more of a hassle than just being able to clean up a media file with just a little bit of software manipulation. Unless the provider caps the download bitrate to 'just fast enough for real-time, maybe 30-90 seconds of buffer to cover for glitches' the software attack is likely to be faster as well: analog hole or HDCP strip attacks are usually real-time at best(sometimes slower if re encoding is computationally expensive) unless the target can be coaxed to play back at greater than 1x speed and your capture device can cope with it

      Probably not going to set the world on fire in the Bluray rip scene; but could be very popular indeed for services that forbid or tightly restrict offline use in favor of streaming only and people who want access to that media when out and about without burning tons of cell data. Small screen makes resolution less of a concern and the fact that most phones don't exactly support simultaneous HDMI output and HDMI capture and encoding makes a pure software attack attractive.

    4. Re:Yawn ... by swillden · · Score: 1

      Widevine exists only to satisfy contract demands by content providers to protect the streams. Lot$ spent (and passed on to the consumer) to do nothing.

      This. I'm not a fan of DRM.

      Though at least the cost isn't large, because AFAIK there is no license fee for Widevine. It does add some complexity to the device manufacturing process because keys have to be injected, but on a per-unit basis that's negligible.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:Yawn ... by Wrath0fb0b · · Score: 1

      Widevine exists only to satisfy contract demands by content providers to protect the streams. Lot$ spent (and passed on to the consumer) to do nothing.

      It might be lots of money in absolute terms, but it's peanuts on the scale of Netflix. Since they are a public company, we can look at their financial filings and take a look. The entirely of R&D spending is less than 10% of their total operating expenses, which is dominated by buying/creating content and continuing operating expenses (servers, bandwidth). Then there's marketing, and only below that is R&D. Even assuming pessimistically that a whopping 5% of all R&D spending related to DRM (which is crazy), that still amounts to a half percent of total expenses. Dividing it over the subscriber base makes it about a $0.50/yr charge.

      I'm not saying it's necessarily money well spent (although if the content owners require it, you should just roll it into the cost of paying them rather than put it in R&D) but it's really not a ton of money. They probably spend more on one failed new series than the total spent on all DRM related R&D activities for a decade.

    6. Re:Yawn ... by dogsbreath · · Score: 1

      Though at least the cost isn't large, because AFAIK there is no license fee for Widevine. It does add some complexity to the device manufacturing process because keys have to be injected, but on a per-unit basis that's negligible.

      True this. Last time I had anything to do with Widevine was before Google. Still becomes part of the streaming infrastructure and is both an implementation cost and ongoing expense.

    7. Re: Yawn ... by dogsbreath · · Score: 1

      RE: desire to use raw stream vs hdmi output

      True enough from the viewpoint of a purist.

      With respect to piracy, inability to grab the raw stream is of almost zero significance as long as there is a hackable end point.

  4. Re:DRM is fundamentally broken by Opportunist · · Score: 1

    Be honest. If you got paid to develop something you KNOW cannot work and are not required to make it work... would you refuse?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Widewhatnow? by Opportunist · · Score: 1

    Did anyone even know about this before now?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Re:DRM is fundamentally broken by TheDarkMaster · · Score: 1

    The key to Netflix's success: Ease to use (even my mother can find and watch the series she likes, without my help) and reasonable price. Is it so hard to put it in the minds of executives from content companies?

    --
    Religion: The greatest weapon of mass destruction of all time
  7. Firefox has a widevine NPAPI Plug-in by williamyf · · Score: 4, Informative

    Yup. For all those 5 of us still using firefox post-52 Quantum, the old NPAPI plug-in architecture/plumbing is still inthere, alive and well. It is used to support certain "strategic" plug-ins. Only by "invite".

    Flash is the one which garnered the most publicity, but a few others still exist, and Google's SandVine is among them. In my install, the other one is Cisco's H264 decoder Plug in. Others may exist. Please notice that this has nothing to do with your previous install. If your plug-in is in the white list, it will be installed. If not, firefox will refuse to run it, even if all the plumbing is still there because "Quantum" and "Reasons"...

    --
    *** Suerte a todos y Feliz dia!
  8. Re:Low res is fine for phones by ledow · · Score: 1

    I pity people who think they "need" to buy HD / 4K / 8K. I've literally never looked at a movie and thought "Oh, that needs more resolution". Not in 1980's VHS, not now.

    Now, computer desktops may be different - that requires per-pixel accuracy in some cases - but you'll find that those people who do 4K desktops also have anti-aliasing and all kinds of other shit enabled too.

    It's a pissing contest. I pity them if they honestly cannot watch SD without flinching. First, because it's just in their heads, second, it's because they're looking for flaws rather than watching the movie, third, because they are never going to be satisfied, fourth because it costs them more to get the same level of satisfaction as I get from SD.

    SD. Stereo. 44Khz audio. 128Kbit MP3. Non-HDR. I'd be happy if we'd never gone past SVGA.

    Think to yourself: When was the last time you had the VERY LATEST tech and said "Oh, that's still pixellated?" Never. So why would you then need to replace that technology a few years later for something "better"?
      Because when you had SD it was an improvement over analogue video, when you got HD it was an improvement over SD, etc. etc... and you only cared if you sat there counting dots.

  9. Re:DRM is fundamentally broken by MightyYar · · Score: 1

    I would until I found a job that was more personally fulfilling. I once worked on a doomed project, and it was demotivating as hell. I was weeks away from quitting when the guy in charge got canned.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  10. Re:Every hour spent watching Netflix by MightyYar · · Score: 1

    Ooo! That's exactly what Mr. Robot said!

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  11. Re:Low res is fine for phones by ledow · · Score: 1

    Vision checked regularly.

    95" diagonal projected display, capable of 1080p.

    Literally, I stopped pressing the HD channels as they do nothing. I never bought films in HD (unless they were the same price as the SD version), because they do nothing. I watch Netflix, Amazon Prime, DVB-T2, and everything else in SD.

    At the distances involved, even at a huge screen size, it makes no difference. None. Sure, if you projected my Windows desktop there, I'd notice straight away if it wasn't even in the original rez, and I could spot a stray dot on the screen at 20 paces.

    But watching moving video content, even animations? No. I can't notice it. Nor can most people.

    I've literally challenged people who give me this shit at parties to tell me whether the screen is on BBC One or BBC One HD, etc. They can't, no more than random chance.

    P.S. I've watched 2001 in both formats. a) It's a dire movie filled with nothing but music and endless slow-motion space scenes with no dialogue - you have all the time in the world to spot a pixel, so any encoding of it is going to have a real easy time removing edges and anything you do spot will be MPEG artifacts. b) I wouldn't be able to tell the difference, unless challenged, and allowed to get right up close to the screen.

    Play it under VLC, with the right aliasing and deinterlacing options etc. and I guarantee you can't tell the difference. In which case, I'd rather pay for the SD version and turn on such options.

  12. Now we dont have streaming by Angeluffy · · Score: 1

    He cracked this bs and now Google and Netflix cut access to streaming of people with L3 devices. Even if you pay HD, you are now restricted to 480p.