In a result of its research investigation efforts, Security Explorations, a research lab of AG Security Research company, conducted analysis of Microsoft PlayReady content protection technology in the environment of CANAL+ SAT TV operator.
This section of our website presents initial information regarding the project.
"Microsoft PlayReady content access and protection technology is a set of technologies that can be used to distribute audio/video content more securely over a network, and help prevent the unauthorized use of this content."
"It is the Widest Deployed Content Protection Technology in the World."
"The development of Microsoft PlayReady is the culmination of over 14 years of research and development, with significant patent portfolio and a large R&D investment in content protection technology" (source)
"Since 1999, Microsoft PlayReady Content Protection has been the most trusted DRM technology by studios and content owners" (source)
Microsoft Security Response Center (MSRC) has been notified and provided with full access to research material for evaluation purposes (communication from Jul 20, 2022 till 11 Aug, 2022). MSRC closed the case on the basis that "this is not a server-side compromise".
Microsoft PlayReady team initiated contact on Oct 07, 2022. Team representative explained that PlayReady does not supply authentication technology to ensure that a given client has access to the PlayReady License Server, it is the responsibility of the service provider to implement this. In that context, the overall attack exposes both a significant PlayReady limitation and a fault at CANAL+ end (no server side auth checks, no watermarking in place, no license server syncing with CDN, etc.).
By using the research material as a reference, PlayReady team was able to confirm that a security incident below its robustness bar appeared to be present (violation of PlayReady Compliance and/or Robustness Rules).
Microsoft agreed that PlayReady group certificate used by CANAL+ STB should be considered as compromised (see APPENDIX C of 2019 reseach report for further information). The company decided not to revoke it immediately as a response to the breach. This will be likely done when the STB manufacturer (Advanced Digital Broadcast) fixes the compromise. Company's rationale for this is no implication that a large amount of real-world piracy is occurring and/or no strong pressure from content owners/providers. It is not clear on what basis "little piracy" is concluded as the breach has been available / not fixed for 4+ years and there has not been any watermarking in place (a possibility that content from CANAL+ VOD library has been silently acquired over time cannot be excluded).
We hope this research:
Over the course of a communication with Microsoft on the topic of disclosure, the company agreed that disclosure of this vulnerability is right and proper and helps others avoid it. According to the company, it should be disclosed after resolution.
We truly appreciate Microsoft stance on the topic - it goes along our initial plan, it also clears some doubts at our end (to disclose or not, to what extent, with whom, etc.).
Partial disclosure (without the release of source codes for MSPR toolkit, reverse engineering helpers and logs for MSPR operation and PlayReady / STB SSL / device root key secrets in particular) took place on Dec 10, 2022.
According to Canal+ security referential, DRM [Content Protection System] Client software security testing must be certified by the Agence Nationale pour la Securite des Systemes d'Information (ANSSI), using the methodology of the Certification Securite de Premier Niveau (CSPN).
Microsoft does not seem to conduct security evaluations / certifications of PlayReady licensees' client environments. The company stated that it is simply infeasible for Microsoft to track and handle the complexities of authentication with several hundred service provider licensees.
According to Microsoft, the PlayReady Server SDK has several hundred service provider licensees. While Microsoft claims the issue is not a bug, PlayReady licensees might be at risk to the demonstrated content theft whenever PlayReady client compromise occurs. This is due the nature of the attack.
CANAL+, both in France and Poland were notified of the research. CANAL+ France stated that it analyzed the videos, understands the issues and will work on it (Aug 18, 2022).
It is not clear whether the company has a full understanding of the issues affecting their platform (MS PlayReady, STBs, CDN, license server and user's security) as the company hasn't asked for access to the research material (offered for free and completely unconditionally), nor provided an e-mail address along PGP key where it could be sent (see last message sent to CANAL+ CSO).
As of Apr 2024, CANAL+ in Poland is affected (piracy of assets from CANAL+ VOD library consisting of 18k+ movies is possible - tests conducted for PREMIERY VOD+, CANAL+ Premium and HBO movies).
Sample automatically generated test result conducted 1.5 year following Microsoft and CANAL+ notification for several randomly selected movies from "not allowed" collections and a fake STB identity can be checked below.
Per information received from Microsoft (Nov 18, 2022), the STB manufacturer commited to mitigate the incident.
Regardless of "no bug" at PlayReady end claim, Microsoft could be involved in the development of the mitigation for CANAL+ and other PlayReady licensees ("we expect to be finished with the mitigation in March of 2023" line received on Dec 1, 2022 from the company).
In Oct 2023, some media outlets reported that CANAL+ VOD service has been already permanently shut down (turned off) for some of its STB devices (ADB ITI-2851S, Sagemcom DSI83 / DSI87) and that it will also affect Sagemcom DSIW74 device in Nov 2023. Similar shutdown of CANAL+ VOD service was apparently planned in the future for ADB ITI-5720SX, ADB ITI-3740SX and ADB NCP-4740SF STBs.
According to the news reports, the basis for the permanent VOD service shutdown across CANAL+ STB devices was "the work at CANAL+ end aimed at the improvement of the security of content on its devices".
It looks CANAL+ decided to implement the "fix" for insecure content at its end through a complete shut down of the insecure VOD service and change of STB devices. It is worth to note that it took place 1.5 year for CANAL+ to "figure out" / "deploy" the fix, which is not complete yet (as of Apr 2024 and according to the content security check above).
More information about security of PlayReady implementation on Windows platform can be found at our project page dedicated to Microsoft Warbird and PMP.
Taking into account sample content of Microsoft PlayReady Server agreement, CANAL+ or any other PlayReady licensee might not be able to:
The licensing implicates Microsoft's ownership and responsibility for any changes to PlayReady. That alone may prohibit any customizations / developments by licensees aimed at improving security of content (such as the use of HW security features present in a target environment, but not supported by PlayReady).
The licensing also implicates that any updates to PlayReady are at the sole discretion of Microsoft (it is up to Microsoft to fix issues, improve security or implement support for various HW security features present in target STB environments such as SCK key of STMicroelectronics chipsets).
In Oct 2022, in an e-mail exchange with Microsoft, the company indicated that Azure Media Services as an E2E solution is free of the exposed PlayReady limitation:
"if customers want a full end-to-end secure system provided by Microsoft, they can use Microsoft Azure Media Services (AMS), which is built on top of PlayReady. It does provide an E2E solution, including authorization, authentication, CDN support, etc. However, the several hundred content providers who are licensees of the PlayReady Server SDK choose to implement their own E2E solution using the PlayReady Server SDK without taking advantage of AMS, i.e. they’ve chosen not to use Microsoft-provided authentication. For such customers, you are correct – if they fail to correctly implement authentication themselves, then a client-side secret theft is game over."
As part of our response, we pointed out to Microsoft that the E2E advantage of AMS over PlayReady didn't matter:
"the research was about PlayReady, not AMS...several hundred content providers who are licensees of the PlayReady Server SDK choose to implement their own E2E solution using PlayReady Server SDK without taking advantage of AMS."
It is worth to note that in July 2023, Microsoft announced that Azure Media Services is being retired and will not be supported after 30 June 2024. As a result, the core services will disappear with AMS such as content protection workflows.
AMS retirement makes its security features (and Microsoft argument emphasizing AMS advantages over PlayReady) not relevant for the demonstrated attack.
We wanted to learn from Microsoft whether the company considers PlayReady to be providing any security of content in the context of a demonstrated STB compromise, if the company can still support the claim that PlayReady can be used to "help prevent the unauthorized use of content", if there are any legal obstacles that prohibit CANAL+ to discuss any PlayReady related matters with 3rd parties and whether Microsoft took any action aimed at making PlayReady hacking more challenging.
We haven't received a response to these and some other questions.
Below, a copy of an inquiry note sent to Sygnal Organization (fighting illegal distribution of a TV signal, audio, music and video content among others) is provided asking for an official statement of the organization in the context of CANAL+ (its core member) serving premium PayTV content with the use of insecure technological means (likely known to CANAL+ since 2019 or at the time of STB / PlayReady technology choice and ignored / not addressed since then).
As of Dec 08, 2022, Sygnal hasn't provided any statement (the only response received referred us to CANAL+ regarding any topics concerning the offer or technologies implementing security of content).
An inquiry of a similar nature was also sent to AudioVisual Anti-Piracy Alliance (AAPA) representing companies involved in the provision of protected audiovisual services, security technology for such services, and the manufacturing of products which facilitate the delivery of such services. AAPA's mission is to lead fight with audiovisual piracy across Europe and the Middle East.
As a response to the inquiry note, AAPA informed that AAPA doesn't discuss any matter relating to its member with a third party (Jan 16, 2023).
The following technical materials are available with respect to the security analysis conducted for Microsoft PlayReady content protection technology in the environment of CANAL+ SAT TV operator.
As in the case of our original idea from 2017 for a rougue subscriber detection / deactivation at content distribution level (public sources such as [1] and [2] indicate that it might be used by some companies / vendors for commercial purposes), below several security improvement ideas mentioned in a document accompanying our PlayReady research are described in a more detail: