Breaking Widevine L3 in Android

Widevine is a Digital Rights Management (DRM) system owned by Google and present in web browsers, Android Smart TVs, Android devices and more. Its purpose is to protect copyrighted media from piracy when the media is received from an Over-The-Top (OTT) platform such as Netflix, Disney+ or PrimeVideo. This protection relies on proprietary code and protocols involving multiple cryptographic operations, and on obfuscation to hide its internal mechanisms.

Our attack focuses on Widevine in Android devices that rely on software only for content protection. It recovers the device's unique cryptographic key, allowing an attacker to decrypt every future media item received from an OTT platform.

Attack Overview

Widevine can run in two modes: L1 when backed by hardware protection, and L3 when relying only on software. In Android, the software-only L3 mode relies exclusively on obfuscation to protect its cryptographic assets, from its Root-of-Trust (RoT), named the Device Key, up to the Content Key used to decrypt a specific media item. This implementation lives in the vendor-specific Widevine library.

By inspecting the Widevine library in L3 mode, we can observe the obfuscated flow of the program and bypass this protection by recovering the RoT from the process memory based solely on its format, since the memory itself is not protected. The RoT is embedded in a structure called the Keybox. By reverse engineering this structure and understanding its fields, we were able to search process memory for its pattern, which contains a magic number. Because this sensitive material is stored insecurely within the memory of the process, we were able to trivially bypass the obfuscation by dumping the Keybox during execution.

With the RoT, it was then possible to monitor and dump the exchanged messages during execution to recover the device certificate and mimic the complete key ladder leading up to media decryption.

Demo

The demo below shows the recovery of the Content Key starting from the device certificate during media playback.

Full Technical Paper

  • Exploring Widevine for Fun and Profit, Gwendal Patat, Mohamed Sabt and Pierre-Alain Fouque, 16th Workshop on Offensive Technologies (WOOT) 2022, San Francisco, California, USA.

Tools

WideXtractor traces the Media DRM process on Android and hooks the Widevine library in use. The _oeccXX functions (from _oecc01 to _oecc48) are then hooked to dump important buffers, return values and arguments for inspection. Once WideXtractor is attached, using an OTT app such as Netflix will start the Widevine CDM and log its control flow.

Our Proof-of-Concept (PoC) is a Widevine L3 script for Android covering Keybox recovery, Content Key dumping and Netflix media download.

Q&A

What is a DRM?

DRM, or Digital Rights Management, is a technology designed to prevent piracy of digital content. It ensures that protected assets cannot be accessed by unauthorized consumers, in order to avoid illegal use or redistribution.

Where is it?

The Widevine DRM can be found on multiple devices, including but not limited to Android Smart TVs, Android phones, PlayStation consoles, Google Chromecast and web browsers.

Are OTT DRMs the same as video game DRMs?

DRMs used by streaming services do not work in the same way as video game DRMs. Media protection relies only on content encryption, while watermarking, traitor tracing and partial encryption can apply to video games.

As a user, am I vulnerable?

Regular users should not worry about this vulnerability. Here, regular users are more likely to be the actual attackers against streaming platforms.

Who is vulnerable?

For the Keybox recovery, Android implementations of Widevine L3 such as the one on the Nexus 5 are vulnerable, but the exhaustive scope is unknown.

Why not just record the screen?

Hardware protections are used for secure video streams to prevent recording. In addition, screen recording is much slower, since an attacker needs 2h to recover a 2h-long movie. Using our PoC it is possible to download files and decrypt them in seconds.

Is it easy to reproduce?

Yes, using our PoC, if you have a vulnerable rooted device.

Does it work on Widevine L1?

No. Nevertheless, our tool WideXtractor can also be used on Widevine L1 in Android to monitor the control flow and recover the exchanged messages.

Does it affect browser implementations?

This PoC focuses on Widevine in Android devices, so it cannot be used against browser implementations.

Yes, the usage of our tools for non-educational purposes is illegal. For instance, in the United States the Digital Millennium Copyright Act (DMCA), through its Section 1201, makes it illegal to circumvent controls preventing access to copyrighted material. These restrictions were partially lifted in October 2018 by the American Library of Congress and the Copyright Office, so in theory researchers can now freely investigate and publish security flaws in DRM solutions. In Europe, a similar law applies through the European Union Copyright Directive (EUCD).

Have vendors responded to this vulnerability?

Our findings were reported in a timely manner to all concerned parties, following their responsible disclosure processes. Google assigned CVE-2021-0639 to this issue, listed in the Android Security Bulletin of August 2021.