Uncloaking Tor Browser users with DRM-protected files

Digital Rights Management (DRM)-protected media files can be used to reveal Tor Browser users’ actual IP address and therefore possibly reveal their identity, HackerHouse researchers have demonstrated.

For those who don’t know, DRM is a licensing technology aimed at preventing the unauthorized distribution of media files. Video and audio files are encrypted, and the only way to open them is to request a license (i.e. the decryption key) from a network server.

Attackers who want to uncloak Windows users can encode a file and make it so that the authorization URL points to a page controlled by the attackers.

But, if they want the downloading and opening of the file to be performed without a security alert and the target having to approve the action, they must make sure that the DRM license has been signed correctly, and the Digital Signature Object, Content Encryption Object and Extended Content Encryption Object contain the appropriate cryptographic signing performed by an authorised Microsoft License Server profile.

“The objects are used with a Microsoft license server, configured via a DRM profile, when encoding objects using an SDK,” the researchers explained.

“Unless you use the SDK to develop your own application you will likely need to make use of a license provider to encrypt your WMV files using these tools and also for signing purposes. If you want to build your own Microsoft DRM signing solution the price-tag is around $10,000.”

$10,000 might be considerable sum, but not for law enforcement, intelligence agencies or state-sponsored attackers who might want to take advantage of this tactic.

The researchers made sure to point out that this attack is limited to Windows users who run Tor Browser, and that it does not take advantage of a vulnerability in the actual browser. “TorBrowser does warn you that 3rd party files can expose your IP address and should be accessed in Tails,” they noted.