WIRED reports that Google was notified of the issue on May 24 by David Livshits of the Cyber Security Research Center at Ben-Gurion University in Israel and Alexandra Mikityuk of Telekom Innovation Laboratories in Germany. Over a month later, the serious bug still hasn’t been fixed.
In a proof-of-concept video, the researchers demonstrated how the vulnerability could be exploited to download streaming encrypted video for offline playback. They could illegally save copies of movies from sources like Netflix and Amazon Prime for redistribution on torrent sites.
The bug lies in a technology called Widevine that facilitates the in-place decryption of protected media like streaming films. Widevine works with a counterpart at services like Netflix to verify your subscription lets you access the content you’re viewing. It then decodes the encrypted content that the browser receives.
When you view a protected movie, a Widevine component called CDM requests a license from the service to view it. Once the license has been obtained, Widevine is able to decrypt the video stream for displaying in the browser.
The system isn’t perfect though. The researchers have found a “simple” bug that lets anyone intercept the decrypted movie stream once Widevine has processed it. Usually, the content is sent to the video player for streaming. The researchers could direct it to a file instead, creating an offline and decrypted copy of the film for redistribution and illegal resale.
Google has downplayed the severity of the issue, noting that many other browsers based on its Chromium engine will also have the flaw. It appeared to suggest that there is no hurry to patch the vulnerability because pirates will just switch to a different browser instead.
The researchers haven’t revealed the full details of their exploit yet. They have given Google a three-month window to fix the bug before explaining how their software works. Anybody will then be able to reproduce it, potentially making a pirate’s life much easier.
To fix the bug, Google will need to create a sandbox around Widevine. This would give the DRM decoder its own protected memory space. Software wouldn’t be able to intercept the video stream during decryption because the memory used to store each frame would be isolated from external access.
Widevine was bought by Google in 2010 so it could enforce DRM protection online and on YouTube. The technology is supported by over 2 billion devices and browsers used to play encrypted content, including the Mozilla Firefox and Opera web browsers. The researchers said they may examine its implementation on those browsers in the future. They could also take a look at rival systems including Apple’s FairPlay for Safari and Microsoft’s PlayReady for Internet Explorer and Edge.
For now, the vulnerability remains unfixed in Chrome, giving pirates an easy way to illegally downloaded films. Google may appear uninterested in the exploit but the movie industry is unlikely to take the same approach. Being able to steal protected content using a known exploit could pose a risk to filmmakers and the services that videos are being streamed from.
