Digital Rights Management (DRM) technologies are widely used by companies to prevent online piracy by encrypting the content transferred online, especially in the case of multimedia streaming platforms and gaming platforms.
Recently, the L3 protection level of Google’s popular DRM technology, Widevine, was cracked by a security researcher. Using this hack, the researcher could view the multimedia streams which would otherwise be encrypted and would not be viewable without proper authentication through a registered client.
Different levels of protection
Despite the hack, it is to be noted that the researcher only managed to crack the lowest level of authentication available in the Widevine DRM technology. The L3 level cracked by the researcher is used for low-quality video and audio streams only.
Google’s Widevine DRM provides three levels of data protection - L1, L2, and L3. The differences between the three levels are as follows.
Depending on the type of device and the type of content, applications like Netflix or Amazon’s Prime Video choose different levels of protection for sending content. Usually, L3 is only used for the lowest-quality content due to less protection compared to higher levels.
Details on the hack
The British security researcher David Buchanan is the first one to crack the L3 level. He took to Twitter to announce his hack stating, “Soooo, after a few evenings of work, I've 100% broken Widevine L3 DRM. Their Whitebox AES-128 implementation is vulnerable to the well-studied DFA attack, which can be used to recover the original key. Then you can decrypt the MPEG-CENC streams with plain old ffmpeg.”
However, the researcher had not posted any proof-of-concept (PoC). In any case, such a PoC would not be enough to verify his claim as one would first need the permission to receive the DRM-encrypted data from a stream. Only then, one would be able to test the decryption method discovered by the researcher.
What is the impact?
The hack has not received wide acclaim from the security community since it only affects the lowest L3 level of Widevine DRM.
Moreover, most modern smartphones and other devices support high-quality HD streaming which does not rely on L3 level. Thus, this hack would not help anyone commit piracy of high-quality content.
The issue was reported to Google by the researcher. However, according to the researcher, the issue comes from a design flaw and cannot be fixed easily as it is not a direct bug or vulnerability.