Chrome vulnerability lets attackers steal movies from streaming services

A significant security vulnerability in Google technology that is supposed to protect videos streamed via Google Chrome has been discovered by researchers from the Ben-Gurion University of the Negev Cyber Security Research Center (CSRC) in collaboration with a security researcher from Telekom Innovation Laboratories in Berlin, Germany.

The video below shows how easily content can be stolen from a protected video:

The vulnerability in the encryption technology, Widevine EME/CDM, opens an easy way for attackers to hijack protected content delivered via different popular streaming services, making the unprotected content available for illegal distribution.

David Livshits, a security researcher at the CSRC under the direction of Dr. Asaf Shabtai, has developed an attack proof-of-concept that is able to save a decrypted version of any streamed content protected by Google Widevine DRM and played via Google Chrome on a computer’s disk drive.

The proof-of-concept has been tested successfully and consistently on different recent versions of Google Chrome in combination with Netflix streaming services as well as Amazon TV.

“The simplicity of stealing protected content with our approach poses a serious risk for Hollywood, which relies on such technologies to protect their assets,” says Livshits.

The attack proof-of-concept can be bundled in an executable file and can be installed on any computer with Google Chrome to achieve its goals. The proof-of-concept as well as the vulnerability details have been reported to Google’s security team, and the researchers are assisting in the process to plug the vulnerability and make sure the problem is solved as soon as possible.

“A CDM that uses the TEE, Trusted Execution Environment, is a new approach for protecting content and this is another step in making it more secure,” says Alexandra Mikityuk of Telekom Innovation Labs in Berlin, who also serves as Security in Telecommunications (SECT) chair at the Technical University of Munich.

The researchers are adhering to Google’s Project Zero responsible disclosure policy and will release the details of the vulnerability when a fix will be provided to users, in order to prevent malicious usage of the POC prior to the availability of proper protection.

“We hope that disclosure of this vulnerability will urge other DRM vendors to re-evaluate the security of their products and provide additional layers of defense,” says Dr. Rami Puzis, a researcher at the BGU CSRC and a lecturer in the Department of Information Systems Engineering.

The BGU CSRC is managed by Prof. Yuval Elovici, a member of Ben-Gurion University’s Department of Information Systems Engineering and director of the Deutsche Telekom Laboratories at Ben-Gurion University of the Negev. The CSRC is a collaboration between the University and Israel’s National Cyber Bureau, focusing on advanced cyber security topics.

“Evaluating the security of content protection technologies, as well as devising proper defense strategies is a core competency at the BGU CSRC,” says Dudu Mimran, CTO.