Microsoft’s PlayReady content access and protection technology is affected by vulnerabilities that could allow rogue subscribers to illegally download movies from popular streaming services, according to Poland-based cybersecurity research company AG Security Research.
The research was conducted over a period of several months by Adam Gowdiak, founder and CEO of AG Security Research, formerly known as Security Explorations, which is now the name of the firm’s research lab. Gowdiak is best known for his Java and TV/streaming platform security research, which has made many headlines over the past 16 years.
While his earlier research focused on satellite TV platforms, set-top boxes, and digital video broadcasting (DVB) chipsets, his more recent work has focused on the security of digital content protection and its impact on streaming platforms.
In 2022, Gowdiak informed Microsoft that he was able to download content that should have been protected by PlayReady from Canal+, a premium video-on-demand (VOD) platform in Poland. That research involved hacking set-top boxes to obtain the keys needed to access protected content.
Canal+ at the time ignored the researcher’s attempts to get the vulnerability fixed, and after more than one year the company reportedly said it would shut down the impacted platform. While content security improvement was cited by local news reports announcing the shutdown, the company never acknowledged Gowdiak’s work.
Microsoft told SecurityWeek in 2022 in response to Gowdiak’s research that “the reported issues concern settings controlled by the service provider and the security of a third-party client”, noting that it was not a vulnerability in a Microsoft service or client.
Gowdiak has since continued to look into the security of Microsoft PlayReady and turned his attention to internationally used streaming services that rely on PlayReady for content protection.
PlayReady is a content protection technology designed to prevent the copying of media files; it combines encryption, output protection and digital rights management (DRM). Microsoft says it’s “the most widely deployed content protection technology in the world”.
Gowdiak’s recent work does not require hacking into set-top boxes. Instead, it targets the Protected Media Path (PMP) technologies, which enforce content security in Windows environments, as well as Microsoft’s Warbird compiler technology, which is designed to make reverse engineering Windows components more difficult.
The researcher claims that the vulnerabilities he found in PMP components can be exploited to gain access to plaintext content keys guarded by PlayReady. These keys may then allow a logged-in user to decrypt content from popular streaming services.
“The attack proceeds by exploiting a time window during which content keys have an XORed form – the plaintext value of such keys can be obtained by the means of a simple XOR operation with a magic 128-bit key sequence,” reads a brief explanation provided in a blog post on the Security Explorations website. “Our tests indicate that there are only two such magic key sequences used across Windows OS versions released since 2022 (one for Windows 10, the other for Windows 11).”
The same blog post includes videos showing movies being downloaded from Canal+ and a content key for a Netflix movie being obtained using this technique. However, the technique may also work against other platforms, such as HBO Max, Amazon Prime Video and Sky Showtime.
The keys obtained during testing for each potentially impacted platform – each key associated with a specific movie offered by the platform – have been made public on the Security Explorations website, which should allow the streaming services to verify the impact of the research.
Some streaming platforms do allow their users to download content and view it when they don’t have an internet connection. However, the downloaded content is only available within the app for a limited period of time. Gowdiak claims he was able to download movies in HD quality to his device’s local storage drive and view them with Windows Media Player.
“An attacker needs just the Windows OS and access (subscription) to the streaming platform,” Gowdiak told SecurityWeek. “Any Windows user could extract keys for the movies from streaming platforms that use affected Microsoft PlayReady technology for content security.”
If confirmed, the vulnerability could be highly valuable to services offering pirated media content. One rogue subscriber would be enough to download high-quality protected content from streaming services.
However, Gowdiak has not made any technical details public and noted that exploitation is not easy – the research took nine months to complete, in addition to the six months spent analyzing PlayReady in 2022.
Nor has Gowdiak provided the technical details of his findings to Microsoft. The researcher is displeased with the way the tech giant handled his previous PlayReady vulnerability report, saying that his work was mostly ignored.
Gowdiak claims Microsoft has now requested additional information on the findings, informing him that the research may be eligible for a bug bounty reward, but the researcher says at this point he is only willing to share the information with the vendor through a commercial agreement.
“The new research embeds some potentially valuable IP / know-how, which we need to protect too,” Gowdiak said. “Finally, disclosure of our know-how / toolset to Microsoft might jeopardize our future projects targeting the Windows OS platform.”
As part of this research project, Gowdiak has developed several tools, including a Warbird reverse engineering toolkit for analyzing Warbird-protected binary files, and a sniffer for extracting content keys from a PMP process.
Contacted by SecurityWeek, a Microsoft spokesperson said, “We are aware of an issue impacting a subset of content that uses a software backed digital rights media solution and we are working with our partners to address it.”
SecurityWeek also reached out to the potentially impacted streaming platforms, but only Amazon Prime Video representatives responded. The company did not confirm whether the key made public by Security Explorations is valid, but said it reported the research to Microsoft to investigate the claims. Amazon said there is currently no evidence of misuse of the technique described in this research against the Prime Video platform.