Microsoft PlayReady

{ General info }

As a result of its research efforts, Security Explorations, a research lab of AG Security Research company, conducted an analysis of Microsoft PlayReady content protection technology in the environment of the CANAL+ SAT TV operator.

This section of our website presents initial information regarding the project.

Demonstration movies

  • "License acquisition, movie download and decryption (allowed access to kids movie)", MP4 movie file, 30MB

  • "License acquisition, movie download and decryption (unauthorized access to HBO asset)", MP4 movie file, 18MB

  • "Complete CANAL+ STB compromise and Microsoft PlayReady secrets theft (box patch from Mar 2022, OTA FW from Jan 2022, vulnerabilities from 2019)", MP4 movie file, 31MB

  • "Automatic license server crawling (unauthorized access to HBO and PREMIERY VOD+ assets)", MP4 movie file, 11MB

Notes

    Microsoft Security Response Center (MSRC) has been notified and provided with full access to research material for evaluation purposes (communication from Jul 20, 2022 till 11 Aug, 2022). MSRC closed the case on the basis that "this is not a server-side compromise".

    The Microsoft PlayReady team initiated contact on Oct 07, 2022. A team representative explained that PlayReady does not supply authentication technology to ensure that a given client has access to the PlayReady License Server; it is the responsibility of the service provider to implement this. In that context, the overall attack exposes both a significant PlayReady limitation and a fault at the CANAL+ end (no server side auth checks, no watermarking in place, no license server syncing with CDN, etc.).

    By using the research material as a reference, the PlayReady team was able to confirm that a security incident below its robustness bar appeared to be present (violation of PlayReady Compliance and/or Robustness Rules).

    Microsoft agreed that the PlayReady group certificate used by the CANAL+ STB should be considered compromised (see APPENDIX C of the 2019 research report for further information). The company decided not to revoke it immediately as a response to the breach. This will likely be done when the STB manufacturer (Advanced Digital Broadcast) fixes the compromise. The company's rationale for this is that there is no implication that a large amount of real-world piracy is occurring and/or no strong pressure from content owners/providers. It is not clear on what basis "little piracy" is concluded, as the breach has been available / not fixed for 4+ years and there has not been any watermarking in place (a possibility that content from the CANAL+ VOD library has been silently acquired over time cannot be excluded).

    We hope this research:

  • triggers further work at Microsoft and others in order to make PlayReady compromise more challenging, especially since we haven't explored all of the ideas we had on the topic
  • helps PlayReady licensees get a better understanding of Microsoft DRM technology operation and its limitations
  • provides potentially valuable contribution to the field of PayTV security and content protection

Disclosure

    Over the course of communication with Microsoft on the topic of disclosure, the company agreed that disclosure of this vulnerability is right and proper and helps others avoid it. According to the company, it should be disclosed after resolution.

    We truly appreciate Microsoft's stance on the topic - it goes along with our initial plan and also clears some doubts at our end (to disclose or not, to what extent, with whom, etc.).

    Partial disclosure (without the release of source codes for MSPR toolkit, reverse engineering helpers and logs for MSPR operation and PlayReady / STB SSL / device root key secrets in particular) took place on Dec 10, 2022.

PlayReady client certifications / evaluations

    According to Canal+ security referential, DRM [Content Protection System] Client software security testing must be certified by the Agence Nationale pour la Securite des Systemes d'Information (ANSSI), using the methodology of the Certification Securite de Premier Niveau (CSPN).

    Microsoft does not seem to conduct security evaluations / certifications of PlayReady licensees' client environments. The company stated that it is simply infeasible for Microsoft to track and handle the complexities of authentication with several hundred service provider licensees.

Affected platforms and fixing status

    According to Microsoft, the PlayReady Server SDK has several hundred service provider licensees. While Microsoft claims the issue is not a bug, PlayReady licensees might be at risk of the demonstrated content theft whenever PlayReady client compromise occurs. This is due to the nature of the attack.

    CANAL+, both in France and Poland, was notified of the research. CANAL+ France stated that it analyzed the videos, understands the issues and will work on it (Aug 18, 2022).

    It is not clear whether the company has a full understanding of the issues affecting its platform (MS PlayReady, STBs, CDN, license server and user's security), as the company hasn't asked for access to the research material (offered for free and completely unconditionally), nor provided an e-mail address along with a PGP key where it could be sent.

    As of Feb 2023, CANAL+ in Poland is affected (piracy of assets from CANAL+ VOD library consisting of 18k+ movies is possible - tests conducted for PREMIERY VOD+, CANAL+ Premium and HBO movies).

    Sample automatically generated test result conducted 5+ months following Microsoft and CANAL+ notification for several randomly selected movies from "not allowed" collections and a fake STB identity can be checked below.

    Per information received from Microsoft (Nov 18, 2022), the STB manufacturer committed to mitigate the incident.

    Regardless of the "no bug" at PlayReady end claim, Microsoft could be involved in the development of the mitigation for CANAL+ and other PlayReady licensees ("we expect to be finished with the mitigation in March of 2023" line received on Dec 1, 2022 from the company).

Potential impact of PlayReady license agreements

    Taking into account sample content of Microsoft PlayReady Server agreement, CANAL+ or any other PlayReady licensee might not be able to:

  • discuss any PlayReady related matters with a 3rd party (no response from CANAL+ might have its origin in legal agreements / NDAs signed, not necessarily the company's ignorance of security matters)
  • develop a fix / mitigation for PlayReady vulnerabilities (Microsoft responsibility)
  • conduct an in-depth investigation of PlayReady security (no reverse engineering allowed, etc.)
  • improve PlayReady security (no custom changes to PlayReady protocol, licensing mechanism allowed, etc.). Sample ideas illustrating such possible PlayReady security improvements are described in a document available on the project details page.

    The licensing implies Microsoft's ownership of and responsibility for any changes to PlayReady. That alone may prohibit any customizations / developments by licensees aimed at improving security of content (such as the use of HW security features present in a target environment, but not supported by PlayReady).

    The licensing also implies that any updates to PlayReady are at the sole discretion of Microsoft (it is up to Microsoft to fix issues, improve security or implement support for various HW security features present in target STB environments such as SCK key of STMicroelectronics chipsets).

Sygnal Organization and AAPA inquiries

    Below, a copy of an inquiry note sent to Sygnal Organization (fighting illegal distribution of a TV signal, audio, music and video content among others) is provided asking for an official statement of the organization in the context of CANAL+ (its core member) serving premium PayTV content with the use of insecure technological means (likely known to CANAL+ since 2019 or at the time of STB / PlayReady technology choice and ignored / not addressed since then).

  • Sygnal Organization inquiry from Nov 02, 2022 (download)
  • As of Dec 08, 2022, Sygnal hasn't provided any statement (the only response received referred us to CANAL+ regarding any topics concerning the offer or technologies implementing security of content).

    An inquiry of a similar nature was also sent to the AudioVisual Anti-Piracy Alliance (AAPA), which represents companies involved in the provision of protected audiovisual services, security technology for such services, and the manufacturing of products which facilitate the delivery of such services. AAPA's mission is to lead the fight against audiovisual piracy across Europe and the Middle East.

  • AAPA inquiry from Jan 14, 2023 (download)
  • In response to the inquiry note, AAPA informed us that AAPA doesn't discuss any matter relating to its member with a third party (Jan 16, 2023).