Microsoft PlayReady


{ General info }

As a result of its research efforts, Security Explorations, a research lab of AG Security Research company, analyzed Microsoft PlayReady content protection technology in the environment of the CANAL+ SAT TV operator.

This section of our website presents initial information regarding the project.

Demonstration movies

  • "License acquisition, movie download and decryption (allowed access to kids movie)", MP4 movie file, 30MB

  • "License acquisition, movie download and decryption (unauthorized access to HBO asset)", MP4 movie file, 18MB

  • "Complete CANAL+ STB compromise and Microsoft Play Ready secrets theft (box patch from Mar 2022, OTA FW from Jan 2022, vulnerabilities from 2019)", MP4 movie file, 31MB

Notes

    Microsoft Security Response Center (MSRC) has been notified and provided with full access to research material for evaluation purposes (communication from Jul 20, 2022 till 11 Aug, 2022). MSRC closed the case on the basis that "this is not a server-side compromise".

    Given Microsoft's evaluation of the issue, along with communication problems during the report handling process (mails not reaching MS, the automated MSRC system not showing MS responses in the message chat, advice to contact the "breach" team when it should be MS's job to forward any relevant information to the proper team, such as PlayReady), Security Explorations did not enter into further discussion with Microsoft. In particular, it did not explain that a server-side compromise did not matter in this case: the Microsoft PlayReady license server was verified to provide licenses (and content keys) for any content (not authorized, not rented, not paid, etc.), it was not synced with the CDN, and it had no watermarking in place. The demonstrated technique might potentially constitute a significant risk for content providers, as the compromise of a single device or the presence of an unpatched device is sufficient for large-scale, distributed piracy of high premium content coming from CANAL+, HBO, FOX, WARNER, etc. (18K+ assets in the CANAL+ VOD library). We hope the research triggers further work at Microsoft to make PlayReady compromise more challenging, especially as we haven't explored all of the ideas we had on the topic.

Affected platform and fixing status

    Canal+ in both France and Poland was notified of the research. Canal+ France stated that it analyzed the videos, understands the issues and will work on it (Aug 18, 2022).

    It is not clear whether the company has a full understanding of the issues affecting their platform (MS PlayReady, STBs, CDN, license server and user's security) as the company:

  • neither asked for access to the research material (offered for free and completely unconditionally), nor provided an e-mail address along with a PGP key where it could be sent
  • hasn't fixed the issues that have been known for 3 years, hasn't changed (or revoked) STB SSL and PlayReady certs
  • As of Sep 2022, CANAL+ in Poland is affected (piracy of assets from Canal+ VOD library consisting of 18k+ movies is possible - tests conducted on Sep 1, 2022 at 10:34 for MiniMini+, Canal+ Premiery and HBO movies).

    The most recent, automatically generated test result conducted for several randomly selected movies from "not allowed" collections and a fake STB identity can be checked below.