Microsoft Warbird and PMP

General info

As part of its research efforts, Security Explorations, the research lab of the AG Security Research company, conducted a security analysis of Microsoft Warbird and Protected Media Path (PMP) technologies.

This section of our website presents initial information regarding the project.

Microsoft Warbird and Protected Media Path description

Microsoft Protected Media Path (PMP) is a set of technologies whose goal is to enforce the security of content (in particular, content protected by PlayReady DRM) in a Windows OS environment (Wikipedia).

In Windows, Protected Media Path is implemented both in kernel and user space. It relies on cryptography, code integrity, authentication checks, white-box cryptography and code obfuscation.

Microsoft Warbird is a compiler technology from Microsoft whose goal is to make reverse engineering (static and dynamic analysis) of the code comprising certain Windows OS components hard. More specifically, the goal is to make it hard to extract secrets embedded in a code implementation that runs in an untrusted environment (one under the attacker's control).

Binaries produced by Warbird can be encrypted and their code obfuscated. Such binaries can also execute "encrypted" code.

Demonstration movies

  • "Content key sniffing, arbitrary movie download and decryption (Canal+ Online VOD scenario, Win10 SW DRM)", MP4 movie file, 32MB

  • "Content key sniffing for Netflix (Win10 SW DRM)", MP4 movie file, 10MB

  • "Compromised PlayReady identity exploitation with web browser (Amazon Prime Video scenario, Win10 SW DRM)", MP4 movie file, 14MB

Notes

    As a result of the research, several deficiencies have been discovered in various PMP components which could be exploited to gain access to plaintext content keys guarded by PlayReady (Windows 10 / Windows 11 environment, SW DRM case).

    It has been demonstrated that these plaintext keys could be successfully used to decrypt high definition (1080p) movies protected by PlayReady content protection (Canal+ Online VOD platform scenario).

    On Windows platforms with HW DRM capability the attack can still proceed, as this feature can be easily disabled. Also, none of the streaming platforms tested enforced HW DRM for Windows (with HW DRM disabled, SW DRM was used and content key extraction could proceed on both Windows 10 and 11).

    The root cause of the issue lies in the SW DRM implementation used by default on Windows 10 systems without HW DRM capability. This version of Microsoft's OS still (as of Mar 2024) has a 69% market share worldwide, which is partially caused by users' inability to upgrade to Windows 11 because their systems do not meet the minimum upgrade requirements, such as having a TPM 2.0 chip. Windows 10 is set to retire on Oct 14, 2025. As such, a potentially weak link will persist for about 1.5 years (the implementation is done solely in software, on the client side and in an environment under the attacker's control).

    Please note that this is different research than our research from 2022 (and targets a different Canal+ VOD service). The results and know-how obtained by this new research make the previous research obsolete in many ways.

Content security as part of a security field

    DRM technology lies at the core of the security of an industry valued at $544 billion.

    In that context, content security should be treated no differently from the usual information security safeguarding organizations' trade secrets, IT assets or personal data.

    Exposure of weaknesses, negligence or false security claims in the PayTV / video streaming / content security industry is equally important.

    This research is a continuation of our 12-year journey during which we investigated the security of PayTV / content security systems such as DVB chipsets / the Conax Conditional Access System, SAT TV platforms, set-top-boxes / VOD platforms and the implementation of a DRM system.

Microsoft seeking details

    On Apr 12, 2024, the Microsoft PlayReady team reached out to us with a request to report technical details and POC code through the MSRC channel, claiming that "by following the MSRC process to report your finding, it may be eligible for a reward" and that "close partnerships with the researcher community make customers more secure and we play an integral role by sharing issues under Coordinated Vulnerability Disclosure".

    In response, we informed Microsoft that we cannot provide the company with additional details / code pertaining to our PlayReady security research on Windows, as this can only happen through a commercial agreement, not the MSRC reporting channel (Apr 15, 2024).

    The rationale is quite simple. The research took us nearly 9 months of work (on top of the 6 months of R&D done in 2022, which has been "consumed" and in some ways ignored by the company). One extra month needs to be added to this too (attacks #2-#4 and the crypto proofs were investigated due to the platforms' reluctance to confirm the initial XOR key attack).

    The new research embeds some potentially valuable IP / know-how, which we need to protect too (see the "Additional materials" paragraph describing potentially unauthorised commercial use of our original idea for rogue subscriber detection / deactivation, along with the Microsoft Bounty Terms and Conditions, which imply commercial use with unknown payment terms, all non-negotiable and under Microsoft's control). Finally, disclosure of our know-how / toolset to Microsoft might jeopardize our future projects targeting the Windows OS platform.

    If we decide to release any additional details, Microsoft will learn about them from a public source (this page in particular), completely free of charge.

    We believe the above should not limit Microsoft's work aimed at making PlayReady on Windows more secure (given the details posted here and the know-how and engineering resources available at the company's end).

    We also believe the final outcome can only be positive. Instead of limiting its focus to a single attack, Microsoft needs to conduct a more comprehensive review of the Protected Media Path environment. Such an approach usually results in the discovery / fixing of additional issues.

Affected streaming platforms

    Our tests indicate that the following streaming platforms are affected: Canal+ Online, Netflix, HBO Max, Amazon Prime Video and Sky Showtime (sample content keys extracted for each of them are available in the posted sample keys files).

    The posted keys should constitute sufficient proof for the platforms mentioned to be able to confirm the attack. Yet, according to the SecurityWeek article, none of the platforms provided a clear confirmation or denial of the keys upon inquiry. Amazon Prime Video reported the research to Microsoft for investigation and said that there is currently no evidence of misuse of the technique described in the research against the Prime Video platform. This, along with the absence of any strong denial from the platforms, could be perceived as an indirect confirmation that the posted keys correspond to real ones.

    All licenses received during testing were issued with the SL2000 security level, which indicates the default presence of "Software-DRM Clients" on Windows 10 and 11 (clients relying mostly on software means, with secrets protected through software or hardware means).

    Taking into account the technique used to extract plaintext values of content keys, we assume that key extraction might also work for other platforms relying on SW Microsoft PlayReady technology in a Windows OS environment (VOD and Live TV services). We verified it to work for Canal+ Live TV services and the following 6 sample live TV channels available through it:

    • Disney Channel
    • CNBC
    • CNN
    • BBC News
    • Warner TV
    • Paramount Channel

    In general, the ability to extract the plaintext value of a content key from a DRM system constitutes a basis for considering it compromised. This is especially valid taking into account the amount of effort at Microsoft's end (10 years of innovation and more than $1B invested are cited) to make static and dynamic analysis of PlayReady operation on the Windows platform hard.

Crypto proof for a successful keys' compromise

    A successful cryptographic check proving that the extracted key values correspond to real keys has been conducted for Canal+ Online, Netflix, HBO Max, Amazon Prime Video and Sky Showtime.

    The check relies on verification of the "signature" appended at the end of each license issued by a PlayReady license server. Strictly speaking, this is a symmetric MAC (AES-CMAC computed with a key carried in the license), not a public-key signature, which is exactly why a recovered key can be checked against it.

    The crypto check works as follows:

    • the plaintext value of the signature (integrity) key, delivered in the license under ECC encryption, is extracted from a Protected Media Path process
    • the extracted signature key is used to calculate the AES-CMAC value of the binary license XMR blob
    • the calculated value is checked against the signature appended at the end of the issued license
    • a correct AES-CMAC value implies a correct signature key (and a correct content key)

    The same mechanism is also used by Microsoft to verify the correctness of the decrypted content keys received from a license server. It relies on the fact that the signature key is part of the same ECC-encrypted key block of the license as the content key. Thus, successful extraction of the signature key implies successful extraction of the content key.

    Given the lack of confirmation / denial from the platforms indicated above as affected, the crypto check alone should constitute sufficient proof to support that claim.

    Private encryption keys (obtained through attack #4 described below) provided additional confirmation of the validity of the keys extracted for each affected platform. In all cases, the content and signature keys decrypted with the private ECC key matched the keys extracted by the sniffer tool.

XOR key attack (attack #1)

    This attack scenario makes it possible to extract plaintext values of content keys from a Protected Media Path process. The attack exploits a time window during which content keys are held in a XORed form; the plaintext value of such a key can be obtained by a simple XOR with a magic 128-bit key sequence.

    Our tests indicate that only two such magic key sequences have been used across Windows OS versions released since 2022 (one for Windows 10, the other for Windows 11).

    The above has been confirmed on Windows 10 / 11 x64 systems across various builds from Aug 2022 till May 2024 (systems both without and with HW DRM capability):

    XOR_KEY_1

    • Windows 10 22H2 build 19045.1889 (Aug 2022)
    • Windows 10 22H2 build 19045.2364 (Dec 2022)
    • Windows 10 22H2 build 19045.2728 (Mar 2023)
    • Windows 10 22H2 build 19045.3086 (Jun 2023)
    • Windows 10 22H2 build 19045.3448 (Sep 2023)
    • Windows 10 22H2 build 19045.3803 (Dec 2023)
    • Windows 10 22H2 build 19045.4170 (Mar 2024)
    • Windows 10 22H2 build 19045.4291 (Apr 2024)
    • Windows 10 22H2 build 19045.4412 (May 2024)

    XOR_KEY_2

    • Windows 11 22H2 build 22621.521 (Sep 2022)
    • Windows 11 22H2 build 22621.963 (Dec 2022)
    • Windows 11 22H2 build 22621.1413 (Mar 2023)
    • Windows 11 23H2 build 22631.3296 (Mar 2024)
    • Windows 11 23H2 build 22631.3447 (Apr 2024)
    • Windows 11 23H2 build 22631.3593 (May 2024)
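    The crypto check described in the "Crypto proof" section, together with the XOR unmasking step of attack #1, as an added runnable example. This is not Security Explorations' tooling: it implements AES-CMAC per RFC 4493 in Go, then recomputes the CMAC trailing a license blob with a recovered integrity key and compares it with the appended value. Three things are assumed rather than taken from this page: that the 32-byte plaintext of the license's ECC-encrypted key block carries the integrity key before the content key, that the "signature" is the last 16 bytes of the XMR blob and covers every byte before it, and the sample key block, magic sequence and license body, which are constructed (the magic sequence is a placeholder, not one of the real XOR_KEY values).

```go
// Added example (not Security Explorations' code): recompute the AES-CMAC that a
// PlayReady license carries as its "signature" from a recovered integrity key.
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const blockSize = 16

// xorBytes writes a XOR b into dst (dst may alias a).
func xorBytes(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// dbl doubles a 128-bit value in GF(2^128) as in RFC 4493 (Rb = 0x87).
func dbl(in []byte) []byte {
	out := make([]byte, blockSize)
	var carry byte
	for i := blockSize - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry == 1 {
		out[blockSize-1] ^= 0x87
	}
	return out
}

// aesCmac implements AES-CMAC (RFC 4493) with a 16-byte key.
func aesCmac(key, msg []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	l := make([]byte, blockSize)
	c.Encrypt(l, l) // L = AES_K(0^128); K1 = dbl(L), K2 = dbl(K1)
	k1, k2 := dbl(l), dbl(dbl(l))
	n := (len(msg) + blockSize - 1) / blockSize
	if n == 0 {
		n = 1 // an empty message still yields one (padded) block
	}
	last, rem := make([]byte, blockSize), msg[(n-1)*blockSize:]
	if len(rem) == blockSize {
		xorBytes(last, rem, k1) // complete final block
	} else {
		copy(last, rem) // partial final block: pad with 10*, use K2
		last[len(rem)] = 0x80
		xorBytes(last, last, k2)
	}
	x, y := make([]byte, blockSize), make([]byte, blockSize)
	for i := 0; i < n-1; i++ {
		xorBytes(y, x, msg[i*blockSize:(i+1)*blockSize])
		c.Encrypt(x, y)
	}
	xorBytes(y, x, last)
	c.Encrypt(x, y)
	return x, nil
}

// splitKeyBlock splits the 32-byte plaintext of the license's ECC-encrypted key
// block. Assumption: integrity (signature) key first, then the content key.
func splitKeyBlock(plain []byte) (ci, ck []byte) {
	return plain[:blockSize], plain[blockSize : 2*blockSize]
}

// verifyLicenseSignature recomputes the AES-CMAC over the bytes preceding the
// trailing 16-byte signature and compares in constant time. Assumption: the
// signature is the last 16 bytes and covers everything before it (adjust the
// boundary if the real XMR signature object layout differs).
func verifyLicenseSignature(license, ci []byte) bool {
	if len(license) <= blockSize {
		return false
	}
	body, sig := license[:len(license)-blockSize], license[len(license)-blockSize:]
	mac, err := aesCmac(ci, body)
	return err == nil && subtle.ConstantTimeCompare(mac, sig) == 1
}

func main() {
	// Constructed sample data (not real PlayReady material): the key block uses
	// the RFC 4493 key as CI; "magic" stands in for the per-OS XOR sequence.
	blk, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c00112233445566778899aabbccddeeff")
	magic, _ := hex.DecodeString("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
	ci, ck := splitKeyBlock(blk)
	seen := make([]byte, blockSize)
	xorBytes(seen, ck, magic) // attack #1: the key is observed in XORed form...
	xorBytes(seen, seen, magic) // ...and one more XOR with the magic sequence recovers it
	fmt.Printf("content key recovered: %x\n", seen)
	body := []byte("constructed XMR license blob (rights, key object, policies)")
	mac, _ := aesCmac(ci, body)
	lic := append(body, mac...) // what a license server emits: body || AES-CMAC
	fmt.Println("valid with extracted CI:", verifyLicenseSignature(lic, ci))
	fmt.Println("valid with wrong key:", verifyLicenseSignature(lic, ck))
}
```

    The point of the check is evidential rather than cryptographic: a candidate integrity key that reproduces the server's CMAC over the whole license cannot have been guessed, and because CI and CK travel in the same ECC-encrypted key block, a verified CI vouches for the CK extracted alongside it. The constant-time compare only matters when the routine is used as an online verifier.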

White-box crypto attack (attack #2)

    There is another possible attack against the Protected Media Path process that may result in extraction of a plaintext content key value.

    The attack has its origin in the white-box cryptography implementation. More specifically, one can derive the plaintext content key from white-box crypto data structures whose very goal is to make such a reconstruction difficult or impossible. This alone breaks one of the main security objectives of white-box cryptography, which is protection of the secret key (unbreakability).

    Contrary to the initial (XOR key) attack, the white-box crypto attack is not limited to a narrow time window (the white-box data structures need to be present for the duration of movie decryption / playback). Fixing it might require a completely new approach / implementation (the current one is obviously flawed). In that context, the white-box crypto attack seems to be more severe than the XOR key one.

Complete client identity compromise (attacks #3 and #4)

    We have come up with two attack scenarios that make it possible to extract the private ECC keys used by a PlayReady client (Windows SW DRM scenario) for communication with a license server and for identity purposes.

    More specifically, we successfully demonstrated the extraction of the following keys:

    • the private signing key used to digitally sign license requests issued by the PlayReady client
    • the private encryption key used to decrypt license responses received by the client (license blobs carrying encrypted content keys)

    While PlayReady security is primarily about the security of content keys, the ECC keys that make up the client identity are even more important. Once compromised, these keys can be used to mimic a PlayReady client outside of the Protected Media Path environment, regardless of the imposed security restrictions.

    In that context, extraction of the ECC keys that constitute a PlayReady client identity amounts to the ultimate compromise of a PlayReady client on Windows ("escape" from the PMP environment, ability to request licenses and decrypt content keys).

    The impact of a PlayReady client identity compromise has already been demonstrated by our research from 2022 (see the standalone toolkit mimicking an STB device for license acquisition, movie download and decryption).

    Proof of a successful extraction of a private ECC encryption key from a PlayReady identity file is shown in this log file.

    It is also worth mentioning that neither Microsoft nor the streaming platforms have any means to detect a compromised client identity.

    The use of non-persistent licenses (licenses present only in memory, never stored on disk) does not prevent this attack either.

Web browser as an exploit tool

    Due to the open / developer nature of the Windows platform, a web browser alone (or a custom plugin for it) is completely sufficient for exploiting a compromised PlayReady identity (attack #4).

    A sample decryption of a license server response acquired with a web browser (its built-in network monitoring functionality / developer console) is illustrated in this log file (HBO Max and the Wonka movie, May 11 2024).

    Successful use of a web browser as an exploit tool has been verified for all affected platforms and Live TV channels mentioned above. This includes Netflix, which uses an additional encryption mechanism for communication with its license server. This does not prevent the attacker from acquiring PlayReady license server responses from the browser in the clear, as illustrated by the screenshot below:

    Netflix license decryption with a compromised identity is illustrated by the following screenshot, which yet again reveals the same key as in the posted crypto proof / sample keys files:

Identity and license store theft

    We verified that content key extraction can also be performed offline. All that is needed for that purpose are the encrypted license blobs and a client identity file.

    In that context, theft of a client identity and the accompanying license store files from a user's system constitutes a potential risk too (Windows 10 / 11, SW DRM scenario).

Public CDN access

    The risk related to unauthenticated Content Delivery Networks (CDN) was signalled by us at the time of the 2022 research. Yet, we noticed that some providers still rely on publicly available CDNs (Canal+ and Orange Web Cache scenario).

    A public CDN makes it difficult to detect anomalous and/or unauthorised download behaviour.

    Even though the content is encrypted, it carries valuable information. A leak or extraction of a content key (such as demonstrated by this research) may result in that information being immediately decrypted and compromised.

    This makes protection of content keys even more important (and content key extraction even more severe).

Key validity and sharing

    It is worth noting that the validity of content keys issued for the tested VOD content was set as follows:

    • Canal+ Online (1 month)
    • Netflix (10 hours)
    • HBO Max (6 hours)
    • Amazon Prime Video (unknown)
    • Sky Showtime (unknown)

    All live TV channels tested (Canal+ Online service) had key validity set to 8 hours.

    These validity times are far longer than the validity of the decryption key (the so-called Control Word) used in digital satellite TV (valid for 10 seconds only). Yet, key sharing has been a significant problem for SAT TV providers even at that rate.

    Validity times determine the exploitation window in case of a content key leak or extraction (how frequently attackers would need to extract the keys for sharing before they get changed).

    In general, it is questionable whether VOD and Live TV content keys get changed at all. Our tests indicate this might not be the case. For instance, license data for the "Boska Florence" movie available through the Canal+ Online service carried the same content key on Mar 21, 2024 and May 11, 2024. This implies key validity beyond the initially granted license period (1 month). Similarly, the same content keys were issued on Apr 24 and May 11, 2024 (beyond the designated 8 hour license period) for all previously mentioned (tested) Live TV channels. Finally, the same results were obtained for other platforms too (no key change for content accessed on Apr 04 and Apr 28, 2024, as visible in the posted crypto proof / sample keys files).

Impact to multi-DRM / cloud DRM systems

    Custom DRM products or services such as multi-DRM or cloud DRM offerings are usually provided by Microsoft's license service and system integration partners. These products support Microsoft PlayReady among other major DRM systems. They might not be able to detect or prevent the attacks either if they are built on top of Microsoft PlayReady (i.e. if they act as wrappers / proxies for the PlayReady protocol and the original Microsoft PlayReady Windows client is not replaced, which could be the case for compatibility / integration reasons).

Watermarking

    Public sources and/or data acquired at our end indicate that watermarking might be implemented by some streaming platforms.

    It is important to state that watermarking is a forensic mechanism. As such, it cannot protect against attacks aimed at DRM systems such as content key or identity compromise. Watermarking can, however, facilitate tracking the source of leaked content.

    While watermarking is far beyond the scope of this research, one should be aware of its limits. Watermarking requires that content gets leaked at some point in time, or that attribution is always possible at the time of CDN access (or at whatever other location watermarks are applied). This is not usually the case. Consider content accessed solely for online viewing (through content key sharing), a public CDN (with no authentication), or several rogue subscribers working together with the aim of both discovering the operation of a watermark and breaking it (by removing watermarks from A/V segments and/or combining segments in an order that would not reveal, or would confuse, the identity of the user; such a theoretical attack scenario might work against some watermarking solutions).

Possible mitigations

    Streaming / VOD platforms that are either dissatisfied with PlayReady security or would like to implement a temporary mitigation might consider transition to / enforcement of other widely supported (by web browser applications) content protection technologies.

Research impact

    The research shows that underlying technology such as Microsoft PlayReady can constitute a significant weak point. As such, it should not be ignored if streaming platforms are concerned about the security of their content.

    The research also serves as a reminder that PlayReady content protection implemented in software and on the client side has little chance of "survival" (understood as a state of not being successfully reverse engineered and compromised). In that context, it is the vendor's responsibility to constantly raise the bar with the use of all available technological means.

    One needs to keep in mind that the cost of a streaming platform subscription is in the range of 10-15 EUR (Poland). But streaming platforms need to secure assets which in some cases can generate nearly a billion at the box office alone (see the Oppenheimer movie Box Office data; the key for this movie is part of the posted key samples).

    An attack able to extract content keys for premium movies from an arbitrary streaming platform requires just one rogue subscriber.

    Content key extraction is also one of the worst things that can happen from a content security point of view, as extracted keys can be shared online, used to access premium video content without paying a subscription fee, or used to decrypt and distribute movies over the Internet. Content key extraction and its impact is further explained in this blog post.

Potential disruptions in services reception

    Some changes have been observed, and information received, with respect to the "Terms of Use" service agreements of some streaming platforms / video services.

    On 23 Apr 2024, a message was received from Sky Showtime (at the e-mail subscription address) informing about changes to the terms of use of the service. The new terms seem to free Sky Showtime from responsibility (liability) for non-reception of programming (service) and for lack of support for old application versions (users might need to apply the latest application / OS upgrades in order to continue using Sky Showtime streaming services).

    It is also worth mentioning that the Sky Terms and Conditions have a separate "Microsoft PlayReady Notice" stating that "if the PlayReady technology fails to protect the content, content owners may require the service to restrict or prevent the delivery of protected content to specified devices or PC software applications".

    The above could imply potential disruptions in the reception of some streaming services as a result of the delivery of a fix / mitigation for this (or a future) DRM hack, or a switch-off of the affected content protection technology.

Details

The following technical materials are available with respect to the security analysis conducted for Microsoft Warbird and PMP technologies.

Materials

  • "Warbird Reverse Engineering toolkit"
    Standalone toolkit making it possible to investigate Warbird protected binary files and facilitating their static and dynamic analysis. The toolkit makes it possible to perform dynamic analysis of arbitrary PlayReady functionality such as individualization, license acquisition or license blob decryption (content key decryption), private ECC key discovery, XOR key discovery, white-box crypto key discovery, etc.
  • "Content key sniffer"
    A tool making it possible to extract plaintext values of content keys from a Protected Media Path process (SW DRM on Windows 10 / 11).
  • "Test LS"
    A simple PlayReady License Server with basic functionality to handle PlayReady individualization and license acquisition requests.
  • "MSPR Toolkit update"
    An update to the MSPR toolkit supporting client identity inspection and key export, sniffer data import and dump, along with reverse engineering support for XOR key discovery and decryption of license server responses acquired with a web browser (its built-in network monitoring functionality / developer console).