Security researcher cracks Google's Widevine DRM (L3 only) (zdnet.com)
68 points by jmsflknr on Jan 4, 2019 | hide | past | favorite | 50 comments


The title of this article is "Security researcher cracks Google's Widevine DRM (L3 only)". That it affects only their L3 streams is an important distinction I think. The article goes on to explain that, "the hack works only against Widevine L3 streams, and not L2 and L1, which are the ones that carry high-quality audio and video data.

Any user who cracks a Widevine L3 stream would only gain access to grainy low-quality video and lo-fi audio."


Right, and it's also worth highlighting here the meaning of these "protection" levels:

L1 - all content processing and cryptography operations are handled inside a CPU that supports a Trusted Execution Environment (TEE).

L2 - only cryptography operations are handled inside a TEE.

L3 - content processing and cryptography operations are (intentionally) handled outside of a TEE, or the device doesn't support a TEE.

This suggests that the media industry only trusts you to receive their content if they have some degree of control over what your device is doing. There's an obvious logic to them setting such a requirement, but it does mean rolling out a worldwide system where critical security components underpinning our digital societies are resistant to inspection and transparency, by design (and, in many cases, with the full force of the law).

I feel that ultimately this will create a precarious situation and introduce risks that are not justified.
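The three levels above surface in the browser as the "robustness" strings a site requests through Encrypted Media Extensions (EME). The helper below is an added example, not code from the thread or from Google: it maps those strings to L1/L2/L3 (the mapping of HW_SECURE_* to TEE-backed levels and SW_SECURE_* to L3 is assumed from the definitions in the comment above) and probes which level the current browser grants, which is how a site decides what quality to serve.

```javascript
// Added example (not from the thread): map Widevine L1/L2/L3 to the EME
// "robustness" values a site requests, and probe which one this browser grants.
const WIDEVINE_KEY_SYSTEM = 'com.widevine.alpha';

// Highest first. Assumption: HW_SECURE_* = TEE-backed (L1/L2), SW_SECURE_* = L3,
// matching the level definitions in the comment above.
const ROBUSTNESS_TO_LEVEL = [
  ['HW_SECURE_ALL', 'L1'],    // decrypt + decode + render inside the TEE
  ['HW_SECURE_DECODE', 'L1'], // decrypt + decode inside the TEE
  ['HW_SECURE_CRYPTO', 'L2'], // only the crypto inside the TEE
  ['SW_SECURE_DECODE', 'L3'], // software only
  ['SW_SECURE_CRYPTO', 'L3'],
];

// One MediaKeySystemConfiguration asking for a single robustness level.
function buildConfig(robustness) {
  return {
    initDataTypes: ['cenc'],
    videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"', robustness }],
    audioCapabilities: [{ contentType: 'audio/mp4; codecs="mp4a.40.2"', robustness }],
  };
}

// Pure, browser-free part: given the robustness values that were granted,
// return the best one and the level it corresponds to (null if none).
function highestLevel(grantedRobustness) {
  for (const [robustness, level] of ROBUSTNESS_TO_LEVEL) {
    if (grantedRobustness.includes(robustness)) return { robustness, level };
  }
  return null;
}

// Browser probe around navigator.requestMediaKeySystemAccess. Resolves to null
// outside a browser (e.g. Node), so the file still loads there.
async function probeWidevineLevel() {
  if (typeof navigator === 'undefined' || !navigator.requestMediaKeySystemAccess) return null;
  const granted = [];
  for (const [robustness] of ROBUSTNESS_TO_LEVEL) {
    try {
      await navigator.requestMediaKeySystemAccess(WIDEVINE_KEY_SYSTEM, [buildConfig(robustness)]);
      granted.push(robustness);
    } catch (e) {
      // NotSupportedError: this robustness is not available on this device/browser
    }
  }
  return highestLevel(granted);
}

// On desktop Chrome/Firefox this is expected to report L3 (SW_SECURE_*) only.
probeWidevineLevel().then((r) => console.log('Widevine level:', r));
```

Run it from a page's devtools console to see which level the site-facing API reports; under Node it only exercises the pure mapping and logs null.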


> a world wide system where critical security components [...] are resistant to inspection and transparency, by design (and, in many cases, with the full force of the law).

Fun sci-fi exercise: what happens when you mandate legal backdoors for general-purpose crypto, but lock down content so tight that it's NSA-resistant?


I can imagine some cypherpunks in this sci-fi world creating a crypto-system where the keying data is sent as media files (possibly requiring a new movie studio to be created as a cover story).

Unfortunately I can also imagine that the NSA give themselves backdoors that can even get past the legally-mandated DRM, and the media industries would accept this.


But backdoors will always, always leak in the end. That might well be where the story begins.


What do these levels mean on, say, Windows? What would the TEE be?


On Intel machines and Windows, the TEE is Intel SGX for some DRM implementations (not necessarily Widevine's).


(IIRC, unsubstantiated) Windows clients use Windows’ DRM implementation, not WideVine.


Chrome and Firefox use Widevine DRM at L3 (software implementation). Edge and IE use PlayReady (which has support for hardware DRM, optionally selectable by the app/website).


There isn't any, so it looks like it would be L3: https://storage.googleapis.com/wvdocs/Widevine_DRM_Architect...


L3 is the only thing used on desktops.

L1 on desktops requires Intel SGX, however, I haven't ever seen this implemented in reality. If anyone has seen it, please share.

Otherwise, L1 exists only on Android and iOS, AFAIK.

The article claims that you can't record HD content from Netflix with L3 DRM. IIRC, that's false. They require L1 only for 4k content.


On a Dell Inspiron 2 in 1 manufactured earlier this year, I was amused (but pleased) to see that the firmware was shipping with SGX disabled by default.


> They require L1 only for 4k content.

Doesn't Netflix support 4k on personal computers exclusively on Windows with Edge? Does that use L1?


Netflix on Edge uses Microsoft's own PlayReady 3.0 not Widevine. It does offer the same DRM level as Widevine L1 though.


Netflix has capped software DRM devices to 720p, although possibly they make exceptions depending on platform. Pretty sure PC is still at 720p cap, though (I don't use Netflix, cannot confirm).


Sigh, so not useful for archival of purchased video at all.


I don't see why not? 720p is higher than DVD quality and plenty good enough for entertainment purposes.

Kids these days...


Also, it's a 10 year old DRM system at this point. Anything encoded for on-demand distribution across networks 10 years ago was probably done at poor qualities in general. Source: Used to work in the industry.


No. There are two entirely different DRM systems named Widevine. Up to version 6.0 was old legacy DRM from way back. Widevine 7.0 is the current version, published only a few years back, also called Widevine Modular. This is a modern cutting-edge DRM equivalent to Microsoft PlayReady and Apple FairPlay. Together, these 3 make up the big DRMs in the industry.


Oh OK, stopped following DRM after that job! :) Fun tidbit: We did the first commercial deployment globally of PlayReady for Samsung's galaxy devices US launch. MS paid Samsung to use it.


Widevine isn't used in Chrome today for services such as Prime Video?


It is.


With Spectre and Meltdown L1 might not be long for this world.


That would be "insecurity that gives us freedom", indeed.


IIRC there are attacks on SGX that use this.


In 2017 I was able to decrypt the video (for test only) too, but without breaking Arxan's whitebox implementation. I was able to retrieve all the state needed to regenerate the keystream, then patched Google's Shaka Packager to use this keystream instead of the one derived from the original key (which I didn't have), and the decryption was successful. But that was a manual process just for test - you'd need to load a special kernel module, launch Chromium, then start the video, and so on... But that was in 2017, I guess it'd be harder to do now.


Widevine hasn't stopped piracy. No DRM ever does. It only inconveniences the people who want to pay. Trying to watch Netflix on a phone or desktop is needlessly complicated. Grabbing a torrent is easy.


Needlessly complicated?

Download the app, sign in and it works.

Piracy has significantly reduced because it's more convenient than torrents.

Don't know what you're talking about.


This is DRM that has to be baked into the hardware. It is amusing buying a brand new smartphone that defaults to 480p because it doesn't implement some DRM scheme.

On desktop you have to use the Windows 10 app - again solely because of DRM.


On my Linux desktops, laptops, and HTPC, Netflix refuses to give me anything better than 720p by design (DRM not good enough to be trusted with better quality). Netflix is 'good enough' for some light viewing, but any quality film I'll (hypothetically) download from a source that doesn't bother with DRM. With a fibreglass connection at home this takes a couple of minutes.


Use https://addons.mozilla.org/en-US/firefox/addon/force-1080p-n... and everything is back to normal :) But still you won't get 4k, for that you need torrents.


Download the app, get a "not available: your device is running a custom ROM".

Open on Linux in Firefox, get 360p max.

Can't deal with bad network conditions such as frackin' Unitymedia where the connection is slow and resets all the time.

In the end, I pay for Netflix and Amazon Prime, but pirate the movies that are on Netflix anyway.


Practically nobody runs a custom ROM or Linux on the desktop, and if you do, that's a self-inflicted wound.


I am not running a custom ROM on my smartphone, it is a fairly popular device (Xiaomi Mi A2) and I still can't get high quality streams on Netflix because my device only has Widevine L3.

Meanwhile I can get high quality streams on an anime streaming service called Crunchyroll on all my devices (including every browser in any OS I want), mostly because they don't care about DRM.

It is interesting that by default they still require Flash for viewing video in browsers (they have an HTML5 video player in beta, though). To think that HTML5 reduced our freedom compared to Flash is ironic, to say the least.


How dare we run an operating system of our own choosing, or expect control over our own hardware. Why can't we just submit to using a sensible proprietary operating system on our most personal devices?

DRM hurts honest consumers and doesn't prevent piracy — at all. So why are we being pushed to accept this level of outside control over our computing devices?


He can run whatever OS he wants and have whatever kind of control he wants over his own hardware. Just don't expect to watch Netflix in HD.


Gating power users from your content is a good way to get them to find other solutions.


Press play and get “error <random number>”. Google for fix, deduce from talks of drm that headphone amp may be culprit. Plug headphones directly into phone instead. Press play, now it works.


It was never about stopping piracy, it was always about controlling your device and how you use it.


I realize this doesn't add much, but...

It really bothers me how rarely the average person I interact with seems to comprehend this. It isn't about stopping piracy. It's about controlling how you do things so that content can be part and parceled up for maximum profit while collecting analytics. Or in the case of devices, to tie you to a specific distribution platform while collecting analytics. Referring to it as "stopping piracy" is just an easier way to sell it - it's the equivalent of lawmakers saying "think of the children".


I have subscriptions for:

1. Netflix,

2. Amazon Prime

3. HotStar

Even with 3 subscriptions one or the other show that I like is not provided by any one of the above. So torrent it is.


Funny story. On old Samsung devices there was Microsoft PlayReady DRM. However, it was a random .so library file, with exports defined clear as day and a completely unguarded API. So you could take a Samsung Note 2, for example, and if you know the right parameters to give to this API, you could simply use its DecryptBytes() call to decrypt your movie into any file you wanted.

Maybe you still can!


Google has DRM? Called Widevine?


Yep, more details in the article if you're curious.


Buchanan tweeted he cracked something. It's been hinted that pirates have cracked Widevine for Netflix already. Why are there half a dozen articles on it? Anyone can tweet claims, show some proof.

POC || gtfo


I actually looked at the widevine DLL at some point out of curiosity. It didn't seem obfuscated in any way. Honestly I think getting the keys to the encrypted streams out of there is at the difficulty level of an average CTF challenge. The reason you don't see PoCs, is because it's strictly illegal to distribute such code. Even the act of reversing this DLL is illegal.


Reversing a DLL is maybe illegal in US, but in other countries not necessarily. E.g. in Poland (maybe even whole EU) one can reverse engineer anything in order to make it work on their OS, hardware etc. - this is the law, it overrides any kind of EULA.


In 2017 it was obfuscated using Arxan's "ProtectIT" (you can view the patent) and did use whitebox cryptography. I didn't look at the DLL, but at the .so file for Linux (for fun). I guess it should be harder now.

EDIT: If reversing this DLL/.so is illegal, how am I supposed to be able to test for a potential security vulnerability? Not that I can do this, just wondering...


> how am I supposed to be able to test for a potential security vulnerability?

You aren't. There were some amendments made to the DMCA recently that added a few more narrow provisions (mainly repairing tractors and such), but I don't think reverse engineering closed libraries was one of them. In particular, things close to DRM were not granted. For example, requests for exemptions for tinkering with HDCP or optical drives were denied.


The article claims he informed them, but in the original tweet thread it was the opposite and he said it wasn't even an exploit so he didn't bother disclosing.

I think the guy is awesome and very likely he did what he claimed, but do get annoyed about low effort Twitter journalism. Prove it or don't write it. It's very simple.

