Digital Rights Management: The Guardian of the Stream

Let’s imagine that a new movie has just been released online. Movie lovers have been waiting for the release for months, and the creators and distributors of the film are expecting to turn a sizable profit. But within hours of the release, people start to make their own copies of the film, flooding the internet with pirated copies and cutting into the creators’ and distributors’ earnings.

Digital rights management (DRM) solutions were created to prevent that kind of scenario. These solutions control who can access and share content and the ways in which that content can be used. However, while DRM solutions can be pretty effective at preventing unauthorized use of media content, they face their own security challenges that can reduce their effectiveness. This post will examine those challenges and a few of the techniques that attackers use to bypass DRM protections.

But first, let’s take a closer look at the use of DRM solutions and the security benefits they provide.

So what exactly is DRM?

An easy way to think about DRM is as a suite of technologies designed to safeguard media content such as movies, music, and e-books. DRM solutions aim to ensure that creators and copyright holders retain their rights and to prevent bad actors from accessing and distributing content. For example, when you attempt to stream a movie on a platform like Netflix, DRM technology ensures that you can watch it only on an authorized device, in a certain region, and for a limited time.

There are two main types of DRM solutions: hardware based and software based. The primary difference between the two types of systems is the environment in which the most sensitive DRM-related processes are executed. In a hardware-based solution, decryption, decoding, and video-processing operations are executed in a secure hardware component, a trusted execution environment isolated from the rest of the system. In a software-based solution, decryption is handled at the software level by a content decryption module (CDM). Hardware-based solutions are generally considered more secure and more resistant to attack. In fact, some streaming platforms limit the playback of high-definition content to devices that offer hardware DRM support or meet certain security requirements.

How does DRM work?

From a user perspective, the process of streaming a DRM-protected movie on a platform like Netflix or Hulu seems pretty simple: You fire up the platform, pick a movie to watch, and hit “play.” But behind the scenes, things are much more complicated. Before you can start your streaming session, the streaming client (that is, the platform) must verify that you’re authorized to watch the content and then decrypt it.

Although all DRM solutions have the same ultimate goal—to prevent unauthorized access to content—the exact techniques they use can vary pretty widely. Nevertheless, the process of streaming DRM-protected content generally goes something like this:

1. The streaming client requests a license from the DRM license server.
2. Assuming the client is authorized to stream the content, the server returns an encrypted license containing the data needed to decrypt that content. This data generally includes at least one content encryption key (CEK) that will be used to decrypt the content and may also be encrypted.
3. The client decrypts the license and, if necessary, the CEK(s) it contains.
4. The client begins fetching the content to be streamed from the content delivery network or streaming server. If the DRM solution uses an adaptive bitrate streaming protocol such as MPEG-DASH or HLS to deliver content, the content will be divided into segments, each of which will be associated with a different CEK.
5. Finally, the content is decrypted and played.

What threats do DRM solutions face?

While DRM plays a crucial role in the protection of digital media content, it’s not without its flaws. Of course, some DRM solutions, such as hardware-based systems, are more secure than others and may be resistant to more basic attacks. However, even if a DRM solution does everything “right,” attackers motivated by the profitability of digital piracy may still be able to find exploitable weaknesses—and compromise the protections that the solution is meant to provide.

Let’s explore some of the common techniques that attackers may use to compromise DRM solutions.

• Exploitation of Weak or Poorly Managed Encryption
  • Encryption is the cornerstone of many technologies designed to protect sensitive data, including DRM solutions. However, the use of an outdated or weak encryption algorithm can make it easier for malicious actors to bypass DRM protections and access restricted media content. If a DRM solution is older, for example, it may use a vulnerable encryption algorithm with known weaknesses (e.g., DES or AES with an insecure mode of operation such as cipher block chaining mode).
  • Even if content is well encrypted, improper management or unsafe storage of the associated encryption keys can leave that content vulnerable to unauthorized access. For example, hard-coding CEKs in application code, checking them in to version control systems, or storing them in configuration files with lax permissions can increase the risk of a key leak. Moreover, if a DRM solution uses the same keys for all streams or does not rotate them, an attacker may be able to compromise the solution by obtaining just one key.
    
    
• Bypass via a Virtual Machine
  • In simple terms, a virtual machine (VM) is a digitized version of a physical computer that uses virtual resources instead of physical components. Using a VM is like creating a computer within a computer—one that can run its own operating system and software just like its host computer.

VMs present unique security challenges for DRM systems because they can enable attackers to control execution environments in ways that aren’t possible on physical machines. For example, an attacker running a VM can modify and inspect every aspect of the system, including its memory, the behavior of its processor(s), and its system calls. Thus, by running a DRM-protected application in a VM, an attacker could gain the ability to bypass checks that would otherwise prevent the attacker from tampering with the DRM solution. If successful, the attacker could then attempt to slow down the execution of the DRM solution’s processes and carefully analyze its decryption functionality, which could assist the attacker in reverse-engineering or debugging the DRM solution.

Modern DRM systems often attempt to prevent VM-based attacks by implementing virtualization detection mechanisms such as checks for hypervisors (a.k.a. VM monitors). However, those mechanisms are not foolproof, and some VMs can be configured to evade detection.

• Screen Recording and Stream Ripping
  • Screen recording refers to the process of using a software tool to capture media output directly from a screen or audio device. This process is relatively straightforward because it does not directly target or bypass DRM functionality. However, many DRM solutions block screen-recording attempts. (Apple’s Fairplay solution, for example, blocks Mac users from using the QuickTime Player to record Netflix content; attempts to record a Netflix show or movie result in a recording of a black screen.)
    
    
  • Stream ripping, on the other hand, is a technique that directly targets media streams through the interception and capture of raw media data being streamed over a network. Stream ripping allows attackers to save media content in its unencrypted form, without any DRM protections, and to later redistribute or reuse it.

In 2016, two Ben-Gurion University cybersecurity researchers announced that they had discovered a stream-ripping vulnerability in Google Chrome’s implementation of the Widevine DRM solution, which Google owns. Widevine offers three levels of security: In level 1, its highest security level, “all operations involving video rendering, hardware-level decryption, and content decoding” are executed in a trusted execution environment. By contrast, its level 3 offering is a “software-only security solution” in which decryption operations are carried out in a CDM. Currently, level 3 is the only level supported by the Chrome desktop browser.

The vulnerability allowed the researchers to capture and copy decrypted content in transit from the Widevine CDM to the Chrome media player and to then save that content. In other words, it allowed them to engage in stream ripping. (See Wired’s post on the vulnerability to learn more and to view the proof-of-concept exploit developed by the researchers.)

• Memory Scraping
  • Content protected by software DRM solutions is usually stored in memory (in RAM) and decrypted there before it is rendered, creating an opportunity for attackers to extract that unencrypted content from memory. For example, an attacker could use a memory analysis tool to scan the system memory during the decryption or playback of DRM-protected content. Attackers may also attempt to exploit the buffering of media content, or the process of preloading media data into a reserved area of memory—a buffer—to ensure smoother playback. Because buffers typically contain unencrypted data, attackers may be able to obtain high-quality copies of media content by scraping that content from memory.
    
    
• Reverse Engineering
  • Attackers often attempt to reverse-engineer DRM systems to gain an understanding of how they work and find ways to bypass or disable the protections they provide. To reverse-engineer a DRM solution, an attacker would first need to inspect the application streaming the DRM-protected media content. The attacker could analyze the application’s HTTP/HTTPS traffic or accessible JavaScript code, for example, to gain an understanding of how it implements DRM functionality or how it requests, delivers, and plays back media content. The attacker could also capture the requests and responses exchanged in the licensing process—and manipulate those requests to obtain sensitive information. Then, after that analysis, the attacker could attempt to exploit vulnerabilities in the client-side implementation. For example, the attacker could attempt to bypass DRM checks by modifying the client-side JavaScript code, to locate unencrypted media data by using memory analysis tools, or to access media content by replaying valid licenses.

Conclusion

So what’s the solution to the challenges that DRM technologies face?

Is it even possible to safeguard content and stay one step ahead of attackers?

Fortunately, the answer is yes—but not through DRM alone. Organizations that use DRM must take a holistic approach to security and assess their DRM implementations from the perspective of attackers. They need to remain alert to emerging threats and view DRM as just one of the many tools in their security toolbox.

Otherwise, they may find their valuable creations lost in a sea of pirated content.

At ISE, we understand how attackers think—and we know how to stop them. To learn more about the attacker mindset and the cybersecurity services that we offer, get in touch with one of our security experts today.