CD DRM & SONY-BMG: a case study
Muhammed Afzal Hussain
Digital Rights Management Seminar, 17th May, 2006


- Sony-BMG is the world's second largest record company
- Fall 2005: problems discovered in two Sony-BMG CD copy protection systems, XCP and MediaMax
- These two systems made users' computers more vulnerable to attacks
- Had other DRM issues

As a result…
- Created public uproar
- Recall of millions of discs
- Compensation to the users (both in monetary form and others)
- Class action lawsuits
- Severe damage to company goodwill

Contents
- CD DRM overview
- How XCP and MediaMax work
- Security threat caused by them
- Their weaknesses
- Requirements of a good CD DRM system
- Conclusion

CD DRM
- A system to protect CD contents from being copied
- Should protect an audio CD from disc-to-disc copying, conversion to MP3, copying of single tracks, etc.
- Purely economic
- Goals can be divided into two categories: record label goals and DRM vendor goals

Record Label Goals
- CD DRM cannot stop P2P file-sharing
- To stop disc-to-disc copying and other local copying and use of the music
- If Alice cannot copy a CD to give to Bob, Bob might buy the CD himself
- Portable audio player version
- Show advertisements and other promotional value
- Increase market power for the parent company

DRM Vendor Goals
- Create value for the record label
- DRM vendors have higher risk tolerance
- More aggressive, to create a wider user base
- Record labels have imperfect knowledge about the DRM technology used
- Sometimes act against the record label's interest
- XCP was developed by First4Internet
- MediaMax was developed by SunnComm

CD DRM Requirements
- CD should be playable in ordinary CD players
- CD must be unreadable by almost all computer programs, to avoid copying
- CD must be recognizable as a protected disc
- DRM vendor's own software must be able to read it and give controlled access

CD DRM - How it works
- Two types of protection:
  - Passive protection
  - Active protection
- Passive protection changes the disc's contents to confuse computers
- Active protection uses software to scan and to restrict access to a protected disc

Passive Protection
- Exploits subtle differences in the way computers and ordinary CD players read CDs
- The distinctions between these two are imprecise
- Computer hardware and software have become more robust at reading poorly formatted discs
- Recent CD DRM relies mainly on active protection

Passive Protection (cont…)
- XCP (Extended Copy Protection) deviates from the Blue Book specification to create passive protection
- Blue Book contains one audio session with multiple tracks and another session with one data track
- XCP has one session with audio tracks and another session with two data tracks
- Windows assumes it's a data-only CD
- Audio tracks become invisible
- Ordinary CD players do not support multi-session CDs and recognize only the first session

XCP Passive Protection
- Provides limited protection only:
  - Advanced ripping and copying
  - Non-Windows platforms
  - The felt-tip marker trick
- Felt-tip marker trick:
  - Hide the second session using a felt-tip marker or masking tape
  - The second session is near the outer edge of the disc
  - Can be done by trial and error, or by visually analyzing the disc

Active Protection
- Active protection requires software to be installed
- Both XCP and MediaMax rely on the autorun feature of Windows
- Mac OS X and Linux do not have autorun
- XCP has only Windows code
- MediaMax has Mac OS code, but the user must execute the installer (intentionally or unintentionally) to install it; users usually don't do that

Temporary Protection
- Protection for the time while the installer is running but the software is not yet installed
- When the EULA is being displayed
- XCP checks for about 200 ripping and copying applications
- Names are hard-coded
- If any of these applications is found running on the system, it asks the user to close it in order to continue the installation
- If the ripping or copying application is not closed within 30 seconds, the installer ejects the CD and quits

XCP Temporary protection – Screen Shot

MediaMax Temporary Protection
- It installs the software and activates it, at least temporarily, while the EULA is still displayed
- The software remains installed even if the user explicitly denies consent by declining the EULA
- In some cases the software even remains active even though the user denies consent

Temporary Protection
- Installation of software by MediaMax before consent is highly controversial
- Temporary activation of the DRM software without consent raises ethical questions
- Most users do not expect the insertion of a music CD to load software
- Some discs contained statements about software being on the disc, but these were written in a tiny font and did not mention anything explicitly

Active Protection basics
- Depends on a background process
- This process checks whether access to a disc should be restricted
- For any recognized protected disc, it monitors CD access and corrupts the audio data returned to any application other than its own player
- XCP replaces audio with random noise
- MediaMax adds large random jitter
- Requires a mechanism to recognize protected discs

Disc Recognition
- XCP stores a marker in the data track
- MediaMax uses a more sophisticated method
- It puts a watermark
- The watermark is placed about 4 seconds after the start of an audio track, to avoid audible noise during silence
- Modifies the audio track according to a special algorithm

CD DRM Players
- Provide a rudimentary playback interface to the protected discs
- Allow bonus content: album art, lyrics, notes, links to websites
- Allow an integrated burning application to copy the disc three times; subsequent copies cannot be made
- Support ripping the tracks only in DRM-protected formats, so they can only be played on the same computer
- Use Windows Media DRM

What Went Wrong?
- Controversial temporary protection schemes
- XCP infringes copyrights of open source software projects
  - Contains code from the project DRMS, licensed under the GPL
  - Uses this code to create FairPlay-protected files for playing on an iPod
  - Although this functionality is hidden from the user
- Performs phoning home
  - Sends information about listening habits
  - Allows logging of the user's IP, date, time and album name
  - Receives images or banner ads to display
- Fits the consensus definition of spyware

Rootkit behavior of XCP
- XCP shows rootkit behavior
- Rootkits are software designed to hide processes, files, or system data
- Used to hide intrusion
- XCP's rootkit is used to hide its main installation directory, registry keys, files and processes
- So they cannot be removed, modified or even noticed by the user
- Conceals any file, process or registry key whose name begins with $Sys$

XCP as a Security Threat
- Any malware can use XCP's rootkit behavior to hide its existence in the system
- Modifies the Windows kernel
- Modifies system functions for creating files, listing running processes, etc.
- The modified kernel is not as stable as the original kernel
- Can be used to crash the computer
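
The cloaking rule and the risk described on the last two slides, as an added example that is not from the presentation or from XCP: a listing hook that drops every name starting with $sys$ hides unrelated files too, and comparing a low-level view with the hooked API view exposes what is hidden. The file names, the inventory list and the case-insensitive match are constructed assumptions.

```python
# Added illustration with constructed names; not XCP's code or its real file names.
CLOAK_PREFIX = "$sys$"  # prefix named on the slide; case-insensitive match is an assumption


def hooked_listing(raw_names):
    """Model of a directory/process listing after the hook: cloaked names vanish."""
    return [n for n in raw_names if not n.lower().startswith(CLOAK_PREFIX)]


def cross_view_diff(raw_names, api_names):
    """Names present in the low-level view but missing from the API view."""
    visible = {n.lower() for n in api_names}
    return sorted((n for n in raw_names if n.lower() not in visible), key=str.lower)


def classify(hidden, drm_inventory):
    """Separate the DRM's own hidden objects from anything else riding on the cloak."""
    known = {n.lower() for n in drm_inventory}
    return {
        "drm": [n for n in hidden if n.lower() in known],
        "unexpected": [n for n in hidden if n.lower() not in known],
    }


# Constructed low-level view, e.g. taken from an offline scan of the volume.
RAW_VIEW = [
    "notes.txt",
    "$sys$drm_dir",
    "player.exe",
    "$SYS$invoice_viewer.exe",   # unrelated file that merely uses the prefix
    "$sys$drm_service.exe",
]
DRM_INVENTORY = ["$sys$drm_dir", "$sys$drm_service.exe"]  # hypothetical inventory


def audit(raw_view=RAW_VIEW, inventory=DRM_INVENTORY):
    """Return what the user sees and a report of everything the cloak hides."""
    api_view = hooked_listing(raw_view)
    hidden = cross_view_diff(raw_view, api_view)
    return api_view, classify(hidden, inventory)


if __name__ == "__main__":
    seen, report = audit()
    print("visible to the user:", seen)
    print("hidden DRM objects :", report["drm"])
    print("hidden, unexpected :", report["unexpected"])
```
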

MediaMax as a Security Threat
- MediaMax sets file permissions that allow anybody to modify the contents of its installation directory
- Any user can replace its code with malicious code
- The next time any other user inserts a MediaMax disc, the malicious code will be executed with that user's privileges
- MediaMax requires Administrator privileges
- Resets the permissions every time MediaMax is run
- Manually correcting the errant permissions is not very effective

MediaMax as a Security Threat (cont…)
- Installs MediaMax.dll even if the user declines the EULA
- The next time a MediaMax disc is inserted, it checks the version of MediaMax by calling the DLL
- An attacker can place hostile code in this DLL, so the next time a MediaMax disc is inserted the malicious code will run with that user's privileges
- Sony-BMG released a patch to solve this problem
- The initial patch did not solve the problem

Uninstall
- Initially neither of the DRM systems contained an uninstaller
- After public demand, they provided an uninstaller, but it was very hard to acquire
  - Had to fill in a sequence of forms and wait a few days
  - The uninstaller was customized for the user
  - Worked only on the PC where the forms were filled in
  - Worked only a limited number of times
- Later, unrestricted uninstallers were published
- But they had their own vulnerabilities

MediaMax Uninstaller Vulnerability
- Uses a proprietary ActiveX control
- Users had to install it to uninstall MediaMax
- Has a "Remove" method which takes a URL
- An HTTP GET to this URL returns a second URL
- A DLL file is downloaded from the second URL and executed to uninstall MediaMax
- The ActiveX control itself remains installed
- Any web page can invoke the "Remove" method of the ActiveX control with an arbitrary first URL to execute a malicious DLL without warning

XCP Uninstaller Vulnerability
- Has the same flaw, only a little harder to exploit
- Instead of downloading a DLL, it downloads an archive file made using a proprietary algorithm
- The DLL is extracted from this archive
- Using reverse engineering, a valid archive can be made
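
The two-hop download flow from the two uninstaller slides, modeled offline beside a hardened form, as an added example that is not the vendors' code. The hosts, paths and payload bytes are constructed, the "network" is a dictionary, and a pinned SHA-256 digest stands in for the code-signature check a shipped control would use.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-in for the network: URL -> response body. No real hosts.
FAKE_WEB = {
    "https://vendor.example/uninstall": b"https://vendor.example/files/uninstall.dll",
    "https://vendor.example/files/uninstall.dll": b"GENUINE-UNINSTALLER",
    "https://vendor.example/redirect": b"http://other.example/payload.dll",
    "https://vendor.example/tampered": b"https://vendor.example/files/tampered.dll",
    "https://vendor.example/files/tampered.dll": b"MODIFIED-UNINSTALLER",
    "http://other.example/start": b"http://other.example/payload.dll",
    "http://other.example/payload.dll": b"UNTRUSTED-CODE",
}
TRUSTED_HOST = "vendor.example"  # hypothetical pinned origin
TRUSTED_SHA256 = hashlib.sha256(b"GENUINE-UNINSTALLER").hexdigest()  # pinned digest


def fetch(url):
    return FAKE_WEB[url]


def remove_as_described(first_url):
    """Flow from the slide: caller's URL -> second URL -> code, accepted unchecked."""
    second_url = fetch(first_url).decode()
    return ("run", fetch(second_url))  # "run" only marks the decision; nothing executes


def origin_ok(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == TRUSTED_HOST


def remove_hardened(first_url):
    """Same flow with both hops origin-pinned and the payload digest verified."""
    if not origin_ok(first_url):
        return ("refused", "first URL is not the pinned origin")
    second_url = fetch(first_url).decode()
    if not origin_ok(second_url):
        return ("refused", "second URL is not the pinned origin")
    payload = fetch(second_url)
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, TRUSTED_SHA256):
        return ("refused", "payload digest mismatch")
    return ("run", payload)


if __name__ == "__main__":
    for url in ("http://other.example/start", "https://vendor.example/redirect",
                "https://vendor.example/tampered", "https://vendor.example/uninstall"):
        print(url, "->", remove_hardened(url))
```

Checking only the first URL is not enough, because the server's answer chooses where the code comes from; the second hop and the payload itself each need their own check.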

As a result…
- Sony-BMG had to recall all discs containing XCP or MediaMax
- XCP was deployed on 52 CD titles, representing about 4.7 million CDs
- MediaMax was deployed on 37 titles, representing about 20 million CDs
- Compensation to the buyers
- Lawsuits were filed in New York, California and Texas
- "It's your intellectual property but it's not your computer" (Department of Homeland Security, USA)

Was it enough?
- With so many aggressive strategies and controversial methods, are XCP and MediaMax sufficient to protect the audio CD in all situations?
- NO
- We have already discussed the weaknesses of passive protection

Weaknesses
- Autorun can be disabled or avoided
- Felt-tip marker method can be used
- XCP's temporary protection:
  - Uses constant scanning for ripper applications
  - Users can kill the application
  - Can use an application that locks the CD tray
  - The hard-coded list of applications will become obsolete, and ripper applications may use randomized process names to avoid such protection

Weaknesses (cont...)
- XCP disc recognition: uses a marker in the data session; once ripped, it has no effect
- MediaMax disc recognition: uses a watermark in the audio track; lossy compression removes such a watermark
- Both players allow a limited number of copies to be burned
  - Vulnerable to rollback attacks
  - User can modify the saved state to burn an unlimited number of discs
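
Why a locally saved burn counter is open to rollback, as an added example that is not the players' code: an integrity tag stops edits to the saved state but still accepts an older genuine copy, while a floor value kept where the user cannot restore it detects the stale state. The key, the state format and the floor store are assumptions; the limit of three is the figure from the CD DRM Players slide.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # hypothetical; the players' key handling is not on the page
BURN_LIMIT = 3                 # three copies, as stated on the players slide


def seal(state):
    body = json.dumps(state, sort_keys=True)
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unseal(blob):
    expect = hmac.new(KEY, blob["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, blob["tag"]):
        raise ValueError("state was modified")
    return json.loads(blob["body"])


def accepts(blob):
    try:
        unseal(blob)
        return True
    except ValueError:
        return False


def burn(blob, floor=None):
    """Return (new_blob, new_floor); floor models a counter the user cannot restore."""
    state = unseal(blob)
    if floor is not None and state["burns"] < floor:
        raise ValueError("stale state: rollback detected")
    if state["burns"] >= BURN_LIMIT:
        raise PermissionError("burn limit reached")
    state["burns"] += 1
    return seal(state), (None if floor is None else state["burns"])


def burns_with_restored_snapshot(attempts, use_floor):
    """The same sealed snapshot is put back before every burn; count the successes."""
    snapshot, floor, done = seal({"burns": 0}), (0 if use_floor else None), 0
    for _ in range(attempts):
        try:
            _unused, floor = burn(snapshot, floor)
            done += 1
        except ValueError:
            break
    return done


def burns_without_rollback(attempts):
    """Normal use: each burn continues from the state the previous burn produced."""
    blob, floor, done = seal({"burns": 0}), 0, 0
    for _ in range(attempts):
        try:
            blob, floor = burn(blob, floor)
            done += 1
        except PermissionError:
            break
    return done
```
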

Ideal Disc Recognition Requirement
- Uniqueness: identify protected discs without accidentally triggering protection on an unprotected disc
- Detectability: it should be quickly detectable
- Indelibility: the feature should be hard to remove
- Unforgeability: should be hard to forge

Other requirements of a good CD DRM software
- Audio CDs have a longer shelf life
- Deactivating old software
  - Old software should deactivate itself
- Updating the software
  - Users cooperate with updates that help them
  - Download and CD delivery
- Forcing updates
  - Making the non-updated system painful to use

Conclusion
- DRM vendors' goals differ from labels' goals
- DRM of even major labels can cause security and privacy risks
- The efficacy of DRM is sometimes inversely related to the user's ability to defend his system
- CD DRM systems are mostly ineffective
- DRM systems do not always focus on copyright law
- The stakes are high

Questions?

Thank You