Microsoft PlayReady

Back to research

{ General info }

In a result of its research investigation efforts, Security Explorations, a research lab of AG Security Research company, conducted analysis of Microsoft Play Ready content protection technology in the environment of CANAL+ SAT TV operator.

This section of our website presents initial information regarding the project.

Demonstration movies

  • "License acqusition, movie download and decryption (allowed access to kids movie)", MP4 movie file, 30MB

  • "License acqusition, movie download and decryption (unauthorized access to HBO asset)", MP4 movie file, 18MB

  • "Complete CANAL+ STB compromise and Microsoft Play Ready secrets theft (box patch from Mar 2022, OTA FW from Jan 2022, vulnerabilities from 2019)", MP4 movie file, 31MB

Notes

    Microsoft Security Response Center (MSRC) has been notified and provided with full access to research material for evaluation purposes (communication from Jul 20, 2022 till 11 Aug, 2022). MSRC closed the case on the basis that "this is not a server-side compromise".

    Microsoft PlayReady team initiated contact on Oct 07, 2022. Team representative explained that PlayReady does not supply authentication technology to ensure that a given client has access to the PlayReady License Server, it is the responsibility of the service provider to implement this. In that context, the overall attack exposes both PlayReady limitation and a fault at CANAL+ end (no server side auth checks).

    PlayReady team was able to confirm that a security incident below its robustness bar appeared to be present.

Affected platform and fixing status

    Canal+, both in France and Poland were notified of the research. Canal+ France stated that it analyzed the videos, understands the issues and will work on it (Aug 18, 2022).

    It is not clear whether the company has a full understanding of the issues affecting their platform (MS PlayReady, STBs, CDN, license server and user's security) as the company:

  • neither asked for access to the research material (offered for free and completely unconditionally), nor provided an e-mail address along PGP key where it could be sent
  • hasn't fixed the issues that has been known for 3 years, hasn't changed (or revoked) STB SSL and PlayReady certs
  • As of Nov 2022, CANAL+ in Poland is affected (piracy of assets from Canal+ VOD library consisting of 18k+ movies is possible - tests conducted for PREMIERY VOD+, CANAL+ Premium and HBO movies).

    Sample automatically generated test result conducted 3 months following Canal+ notification for several randomly selected movies from "not allowed" collections and a fake STB identity can be checked below.

    Per information received from Microsoft (Nov 18, 2022), the STB manufacturer commited to mitigate the incident.