Microsoft PlayReady deficiencies / content key sniffing on Windows

From seclists.org

It’s been 1.5 years since Microsoft got a notification about PlayReady issues affecting the Canal+ VOD service in Poland [1]. Per information received from Microsoft back then:
1) “to maintain the integrity of the PlayReady ecosystem, the company takes reports such as (ours) very seriously” (Oct 7, 2022),
2) the STB manufacturer committed to mitigate the incident (Nov 18, 2022).

However, as of late Mar 2024, no change was observed at Canal+ end as:
– our POC from 2022 still worked,
– no PlayReady certificate got revoked by Microsoft, no secret got changed (Microsoft claimed that certificate revocation takes place “if a large amount of real-world piracy is occurring and/or the company is getting strong pressure from content owners/providers”),
– unauthorised license requests could still be issued with the fake identity (HELLO_MICROSOFT id) and content keys acquired for movies from the CANAL+ PREMIUM, HBO and CANAL+ VOD libraries (possibly others, our automatic check focuses on these 3 libraries though),
– the movies could be downloaded and decrypted for offline playback and/or Internet distribution (in high definition 1080p).

We lost contact with Microsoft more than a year ago. The company neglected to respond to our questions [2]. Microsoft’s PR agency [3] was not willing to address our inquiry either, claiming that they respond to media only.

The way Microsoft handled our PlayReady report from 2022, along with the retirement of Microsoft Azure Media Services (Microsoft indicated that Azure Media Services as an E2E solution is free of the exposed PlayReady limitation), made us quite suspicious about the security of PlayReady in general. It was thus natural to verify the state of PlayReady security on a more widely available platform such as Windows.

This is basically how the Warbird and PMP project was born: https://security-explorations.com/microsoft-warbird-pmp.html It is worth mentioning that back in 2022 we indicated to Microsoft that “we have future projects ideas as a follow up and to some extent based on PlayReady stuff”. In that context, the new research targeting PlayReady shouldn’t come as a surprise to the company (vide time to prepare / review / improve stuff).
