Google’s less secure Widevine L3 digital rights management (DRM) technology has been cracked by a British security researcher, named David Buchanan. The researcher asserts that he has cracked the L3 protection level of DRM tech, which is being used by companies such as Netflix, HBO, Hulu, and other content providers. Thus, the researcher will be able to decrypt content transferred through DRM-protected multimedia streams.
The researcher tweeted that the Whitebox AES-128 cryptography used by the Widevine L3 platform “is vulnerable to the well-studied DFA attack, which can be used to recover the original key. Then you can decrypt the MPEG-CENC streams with plain old ffmpeg.”
Watch: Google Go: All you need to know
He also asserted that to crack that, it took him just a few evenings. The information regarding how this was actually accomplished is scarce as the researcher has not mentioned any other details. However, he did mention that he took the help of Philippe Teuwen and the Side-Channel Marvels project for making this attack scarily trivial to pull off.
As of now, it is unknown whether the researcher has disclosed about the vulnerability to Google before making it public. Also, it remains to be seen what the search giant might do next on this particular now-cracked L3 implementation. Additionally, David Buchanan also stated that he ‘does not consider this a bug, and DRM is flawed by design, hence incapable of being fixed. The DRM could be made more DFA-resistant, but that “would slow down performance,” says Buchanan.