Google Mending Another Crack in Widevine Krebs on Security – Krebs on Security

For the second time in as many years, Google is working to fix a weakness in its Widevine digital rights management (DRM) technology used by online streaming sites like Disney, Hulu and Netflix to prevent their content from being pirated.

The latest cracks in Widevine concern the encryption technologys protection for L3 streams, which is used for low-quality video and audio streams only. Google says the weakness does not affect L1 and L2 streams, which encompass more high-definition video and audio content.

As code protection is always evolving to address new threats, we are currently working to update our Widevine software DRM with the latest advancements in code protection to address this issue, Google said in a written statement provided to KrebsOnSecurity.

In January 2019, researcher David Buchanan tweeted about the L3 weakness he found, but didnt release any proof-of-concept code that others could use to exploit it before Google fixed the problem.

This latest Widevine hack, however, has been made into an extension for Microsoft Windows users of the Google Chrome web browser and posted for download on the software development platform Github.

Tomer Hadad, the researcher who developed the browser extension, said his proof-of-concept code was done to further show that code obfuscation, anti-debugging tricks, whitebox cryptography algorithms and other methods of security-by-obscurity will eventually by defeated anyway, and are, in a way, pointless.

Google called the weakness a circumvention that would be fixed. But Hadad took issue with that characterization.

Its not a bug but an inevitable flaw because of the use of software, which is also why L3 does not offer the best quality, Hadad wrote in an email. L3 is usually used on desktops because of the lack of hardware trusted zones.

Media companies that stream video online using Widevine can select different levels of protection for delivering their content, depending on the capabilities of the device requesting access. Most modern smartphones and mobile devices support much more robust L1 and L2 Widevine protections that do not rely on L3.

Further reading: Breaking Content Protection on Streaming Websites

Tags: David Buchanan, digital rights management, DRM, Google Widevine, L3, Tomer Hadad

This entry was posted on Monday, October 26th, 2020 at 7:54 pmand is filed under A Little Sunshine.You can follow any comments to this entry through the RSS 2.0 feed.You can skip to the end and leave a comment. Pinging is currently not allowed.

See the rest here:
Google Mending Another Crack in Widevine Krebs on Security - Krebs on Security