October 26, 2020

For the second time in as many years, Google is working to fix a weakness in its Widevine digital rights management (DRM) technology used by online streaming sites like Disney, Hulu and Netflix to prevent their content from being pirated.

The latest cracks in Widevine concern the encryption technology’s protection for L3 streams, which are used only for low-quality video and audio. Google says the weakness does not affect L1 and L2 streams, which encompass more high-definition video and audio content.

“As code protection is always evolving to address new threats, we are currently working to update our Widevine software DRM with the latest advancements in code protection to address this issue,” Google said in a written statement provided to KrebsOnSecurity.

In January 2019, researcher David Buchanan tweeted about the L3 weakness he found, but didn’t release any proof-of-concept code that others could use to exploit it before Google fixed the problem.

This latest Widevine hack, however, has been made into an extension for Microsoft Windows users of the Google Chrome web browser and posted for download on the software development platform GitHub.

Tomer Hadad, the researcher who developed the browser extension, said his proof-of-concept code “was done to further show that code obfuscation, anti-debugging tricks, whitebox cryptography algorithms and other methods of security-by-obscurity will eventually be defeated anyway, and are, in a way, pointless.”

Google called the weakness a circumvention that would be fixed. But Hadad took issue with that characterization.

“It’s not a bug but an inevitable flaw because of the use of software, which is also why L3 does not offer the best quality,” Hadad wrote in an email. “L3 is usually used on desktops because of the lack of hardware trusted zones.”

Media companies that stream video online using Widevine can select different levels of protection for delivering their content, depending on the capabilities of the device requesting access. Most modern smartphones and mobile devices support much more robust L1 and L2 Widevine protections that do not rely on L3.

Further reading: Breaking Content Protection on Streaming Websites


11 thoughts on “Google Mending Another Crack in Widevine”

  1. Dennis

    DRM? Is it the stuff that gives a ton of headache for people who legally buy a movie? To such a degree that I’d buy it and then torrent it so that I can watch it on multiple devices hassle-free instead of dealing with their DRM. Is that what we are talking about?

    If so, can I shake the hand of the guy who broke it?

  2. JCitizen

    I’m wondering if all DRM schemes are not only futile but actually damage the company using them. When I discuss such issues with friends, they tell me that when buying music or movies at a store, they find that they cannot play the content on their MPAA approved devices, and consequently are forced to go to illegal sites (on TOR for example) and download illegal content to finally enjoy what they already purchased before!!

    Now with that kind of mess, how can you expect anyone to obey the law and only use legitimate protected content? I ran into similar instances when I bought one of the first HDTV entertainment centers that were finally approved by the MPAA for enjoying protected premium content on PCs. The CTO desktop I bought had not only hardware built just for such uses, but from the multi-bay to the back plane it was full of such concentrated hardware; also several software spyware for legal surveillance of users of protected premium content.

    I tore my hair out for three years before I could get any of this to work reliably, and almost gave up. But finally after enough service packs for Windows Ultimate 64 bit, they finally became usable. I really wondered just how many people that bought such machines actually got to enjoy the content they paid for with their hard earned money! If it hadn’t been for my IT troubleshooting skills I never would have made it.

    No wonder people steal premium content – it is the only way that they can enjoy it. The point of the article is much of a similar disaster as far as I’m concerned! I can see why they do it, but you have to ask the question whether it is worth it or not?! Maybe it would be just as well to rotate among such weak methods, to at least harass the violators enough to keep them from effectively absconding with it; I don’t know!

  3. Phil

    Yeah, totally! – “was done to further show that code obfuscation, anti-debugging tricks, whitebox cryptography algorithms and other methods of security-by-obscurity will eventually be defeated anyway, and are, in a way, pointless.”

    1. Andrew

      Whilst we all know that ‘security-through-obscurity’ is weak, it doesn’t mean that it’s pointless. The whole PC gaming industry wouldn’t exist if they couldn’t protect their titles from piracy for at least a few months whilst they make their profits. Similarly, as this article illustrates, we wouldn’t be able to play video on crappy desktop hardware and OS’s without code obfuscation and so there is a very strong point to it even though it’s very much a security compromise.

  4. Random Commenter

    The other levels of Widevine are broken too, or rather not doing their job.

    That is how 4k releases are downloaded/decrypted from the various providers such as Amazon, Netflix, Disney+ etc and put online. Grabbed with devices protected with Widevine, getting the full original encoded file rather than screen grabbing.

    All DRM does is give the MPAA and RIAA more control while stuffing consumers. You can thank the same companies behind the media cartel labels for incompatibilities with equipment where they got a kind of DRM in the HDMI/HDCP standard.

    Again, all these things just affect legitimate consumers. Can’t run Netflix or YouTube at certain resolutions unless your box is certified.
    Pay for a TV service with a phone streaming app but can’t use it because your phone is rooted or has an HDMI output.

    None of it has stopped piracy. In fact it pushes people to piracy so they can watch what they want, where they want and how they want on whatever hardware/software frontend they choose.

    1. NE

      Are you sure most 4k releases are untouched web downloads? I had a quick look, and a lot of recent Netflix stuff is marked as rips not downloads. Amazon stuff did seem to often be downloads. I know untouched 4k has been available from Netflix for a short time on occasion but I think those periods didn’t last long. The fact that it’s generally been patched, unlike with 1080P where most releases nowadays are downloads and not rips makes me think the DRM isn’t clearly broken.

      In any case, are you sure it was even Widevine which was broken? Seems to me it could easily be PlayReady or FairPlay or some other DRM (what do all the smart TVs use?). AFAIK, Widevine L1 is mostly on Android devices, if it’s a desktop it’s probably PlayReady for Windows or FairPlay for Mac OS and iOS. For downloads, release groups intentionally keep the details of what they’re doing somewhat secretive precisely because their compromises are often patched.

      Web rip 4k releases are easily possible since HDCP 2.2, as with all previous versions of HDCP, is broken. So it’s trivial with the right hardware to record and re-encode the uncompressed digital output.

  5. JohnIL

    Seems to me if you didn’t protect content online then it probably wouldn’t exist. If companies can’t make money creating and streaming content then they probably won’t make it in the first place. Some sort of DRM is required because too many think they are entitled to free content.
