As a result of its research efforts, Security Explorations, a research lab of the AG Security Research company, analyzed Microsoft PlayReady content protection technology in the environment of the CANAL+ SAT TV operator.
This section of our website presents initial information regarding the project.
Microsoft Security Response Center (MSRC) has been notified and provided with full access to the research material for evaluation purposes (communication from Jul 20, 2022 until Aug 11, 2022). MSRC closed the case on the basis that "this is not a server-side compromise".
Given Microsoft's evaluation of the issue and the communication problems during the report handling process (mails not reaching Microsoft, the automated MSRC system not showing Microsoft's responses in the message chat, and advice to contact the "breach" team, although forwarding relevant information to the proper team, such as PlayReady, should be Microsoft's job), Security Explorations did not enter into further discussion with Microsoft. In particular, it did not explain that a server-side compromise did not matter in this case: the Microsoft PlayReady license server was verified to provide licenses (and content keys) for any content (not authorized, not rented, not paid for, etc.), it was not synced with the CDN, and it had no watermarking in place. The demonstrated technique might constitute a significant risk for content providers, as the compromise of a single device, or the presence of an unpatched device, is sufficient for large-scale, distributed piracy of premium content coming from CANAL+, HBO, FOX, WARNER, etc. (18K+ assets in the CANAL+ VOD library). We hope the research triggers further work at Microsoft to make PlayReady compromise more challenging, especially as we have not explored all of the ideas we had on the topic.
Canal+ in both France and Poland was notified of the research. Canal+ France stated that it analyzed the videos, understands the issues and will work on it (Aug 18, 2022).
It is not clear whether the company has a full understanding of the issues affecting their platform (MS PlayReady, STBs, CDN, license server and user's security) as the company:
As of Sep 2022, CANAL+ in Poland is affected (piracy of assets from the Canal+ VOD library of 18K+ movies is possible; tests were conducted on Sep 1, 2022 at 10:34 for MiniMini+, Canal+ Premiery and HBO movies).
The most recent automatically generated result of a test conducted for several randomly selected movies from "not allowed" collections, using a fake STB identity, can be checked below.