Piracy is a major issue and a vulnerability in the system Google uses to stream media through its Chrome browser could be making it worse. A flaw in the Google’s Widevine EME/CDM technology makes it possible to save illegal copies of media from streaming video sites like Netflix and Amazon Prime.
How does the bug work? Google owns but did not create a digital management system called Widevine. Widevine uses encrypted media extensions to allow the content decryption module, or CDM, in your browser to communicate with the content protection systems of streaming services. EME, or encrypted media extensions, manages the license exchange between streaming services and the CDM.
Essentially, your CDM in your browser requests a license through the EME interface, and then receives permission to stream. Customers should only be able to view movies on one browser, however, they could potentially hijack the decrypted movie right after the CDM decrypts the film and is passing it to the player for streaming.
David Livshits from the Cyber Security Research Center at Ben-Gurion University in Israel and Alexandra Mikityuk with Telekom Innovation Laboratories in Berlin, Germany reported the bug on May 24th. Google has yet to issue a patch, but instead issued the following statement:
We appreciate the researchers’ report and we’re examining it closely. Chrome has long been an open-source project and developers have been able to create their own versions of the browser that, for example, may use a different CDM or include modified CDM rendering paths. The Chrome browser, however, is required to protect compressed video and does so.
The spokesman revealed that Google has known about the hijacking report for some time. If Google was to add code that made the CDM act in a different way, other developers could eliminate this code in other browsers. They believe that in the end this could make streaming content just as vulnerable and hijacking even easier.
Livshits and Mikityuk believe that bug could be fixed if Google ran the CDM through a Trusted Execution Environment or TEE. The decrypted content would be written to a protected memory space and be protected from hijacking. They argue that Google should issue a patch as soon as possible. Just because another developer could use Google research to make hijacking easier, does not mean that Google should not fix their own browser.
The researchers will not reveal the bug for at least ninety days after their disclosure to Google. Ninety days is the minimum that Google’s own security researchers in its Project Zero wing give vendors to fix vulnerabilities they uncover before they disclose the bugs publicly.