Widevine L3 DRM: A British security researcher has broken the L3 protection level of Google's Widevine Digital Rights Management (DRM) technology.
The hack may allow the researcher to decrypt DRM-protected streaming content.
Although the cracking of Google's DRM sounds exciting, it probably will not spark mass waves of piracy. The reason is that the hack works only for streams protected by Widevine L3, and not for the L2 and L1 levels, which are used to protect high-quality video and audio.
So if a user manages to "break" a Widevine L3-protected stream, they will only have access to very low-quality (lo-fi) video and audio.
Google designed Widevine DRM technology to operate on three data protection levels (L1, L2 and L3) that can be used in several scenarios. According to Google documents, the differences between the three levels of protection are as follows:
- L1 - all content processing and encryption functions are handled within a CPU that supports a Trusted Execution Environment (TEE).
- L2 - only encryption functions are handled within the TEE.
- L3 - the content processing and encryption functions are (intentionally) performed outside of the TEE, or the device does not support a TEE.
So streaming service providers, such as Hulu or Netflix, usually check the connected device to see which Widevine DRM level it supports before they serve content.
These services provide streaming audio and video with different levels of quality, with the L3 level being the lowest.
Although it was known that Widevine L3 was the weakest level of protection, no one had ever found a way to decrypt the encrypted content.
Nobody, that is, except British security researcher David Buchanan, who said on Twitter:
Soooo, after a few nights of work, I broke 100% Widevine L3 DRM. The Whitebox AES-128 is vulnerable to a well thought out DFA attack, which can be used to recover the original key and then you can decrypt MPEG-CENC streaming with ffmpeg.
Buchanan has not yet released a PoC, although it would not help anyone if he did.
To obtain the DRM-encrypted stream they want to decrypt, an attacker will still need permission to play the stream.
A Netflix pirate may have this right as an account holder, but anyone who already has an account can watch videos of higher quality than those served under Widevine L3 DRM protection.
So Buchanan's work is purely of research interest, as he managed to achieve something that many had not done so far.
The researcher has reported the issue to Google, noting that it seems to be a design flaw rather than a vulnerability.
Google's Widevine is the most popular DRM technology today, used by many companies such as Netflix, Hulu, Disney, HBO, DirecTV, Facebook, Showtime, Jio, Sony and others. Almost all hardware platforms and device manufacturers support it, including Apple, Samsung, Google, Intel, LG, Roku, Mozilla and others.