Re: Creating effective RansomWare with EME from Aaron Zauner on 2016-06-21 (public-html-media@w3.org from June 2016)

From: Aaron Zauner <azet@azet.org>
Date: Tue, 21 Jun 2016 14:10:53 +0800
To: Mark Watson <watsonm@netflix.com>
Cc: "public-html-media@w3.org" <public-html-media@w3.org>, Tim Berners-Lee <timbl@w3.org>, Daniel Appelquist <dan@torgo.com>, peter.linss@hp.com
Message-Id: <AA1CAB18-3D92-4A4A-9715-BE8E728C5B56@azet.org>

> On 20 Jun 2016, at 23:32, Mark Watson <watsonm@netflix.com> wrote:
> 
> Hi Aaron,
> 
> I do not see any examples in your reference [0] where the attack vector is the audio or video data itself, which is the part that would be relevant for EME. EME does not affect the operation of any of the attributes on the media element (which are cited as examples in your reference). [1] and [2] do not appear to be relevant either.

Modern browser exploits these days usually rely on a chain of exploits in different elements/parts, and I'd rather not spell out some ideas. [1] and [2] are examples that go so far as to breach the sandbox environment and access the OS of the affected user, it should serve as an example of how far you can take this.

Consider a vulnerability within the embedded audio or video content (i.e. https://tools.cisco.com/security/center/viewAlert.x?alertId=36103 - out of bounds write; https://tools.cisco.com/security/center/viewAlert.x?alertId=40466 - buffer overflow,..). This is protected by EME in this case, am I wrong? One may use this to encrypt browser user-data or go as far as chaining with a sandbox escape on vulnerable systems.

...

> 
> If you could provide more details, we could look into this. The W3C work has addressed many of the security (and privacy) criticisms which have traditionally been leveled at DRM, something that would probably not have happened to such an extent had the work been done elsewhere.

See above. I'm really hesitant to lay out a working exploit chain for ransomware. I think the reasons for this are also obvious, this is a public mailing list and there's already more than enough ransomware on the internet that's been copied off GitHub.

In any case: DRM does not work. You'll always have people in the "scene" that get access to one account and rip the material and it eventually ends up as a torrent. Back in the days this used to be done via people working at video stores or directly in hollywood post-production studios, these days the techniques have shifted but as I'm sure Netflix is aware: it's still happening.

Aaron

Received on Tuesday, 21 June 2016 06:11:30 UTC