CD DRM & SONY-BMG: a case study. Muhammed Afzal Hussain, Digital Rights Management Seminar, 17th May, 2006


CD DRM & SONY-BMG: a case study

Muhammed Afzal Hussain

Digital Rights Management Seminar

17th May, 2006


Sony-BMG is the world's second largest record company.

In fall 2005, problems were discovered in two Sony-BMG CD copy protection systems: XCP and MediaMax

These two systems made users' computers more vulnerable to attacks

They also had other DRM issues


As a result…

Created public uproar

Recall of millions of discs

Compensation to the users (both in monetary form and others)

Class action lawsuits

Severe damage to company goodwill


Contents

CD DRM overview

How XCP and MediaMax work

Security threat caused by them

Their weaknesses

Requirements of a good CD DRM system

Conclusion


CD DRM

A system to protect CD contents from being copied

Should protect an audio CD from disc-to-disc copying, conversion to MP3, copying of single tracks, etc.

Purely economic

Goals can be divided into two categories: Record Label Goals and DRM Vendor Goals


Record Label Goals

CD DRM cannot stop P2P file-sharing

To stop disc-to-disc copying and other local copying and use of the music

  If Alice cannot copy a CD to give to Bob, Bob might buy the CD himself

Portable audio player version

Show advertisements and other promotional value

Increase market power for parent company


DRM Vendor Goals

Create value for the record label

DRM vendors have higher risk tolerance

More aggressive to create a wider user base

Record labels have imperfect knowledge about the DRM technology used

DRM vendors sometimes act against the record label's interest

XCP was developed by First4Internet

MediaMax was developed by SunnComm


CD DRM Requirements

CD should be playable in ordinary CD players

CD must be unreadable by almost all computer programs to avoid copying

CD must be recognizable as a protected disc

DRM vendor's own software must be able to read it and give controlled access


CD DRM - How it works

Two types of protection:

  Passive Protection

  Active Protection

Passive measures change the disc's contents to confuse computers

Active protection uses software for scanning and restricting access to a protected disc


Passive Protection

Exploits subtle differences in the way computers and ordinary CD players read CDs

The distinctions between these two are imprecise

Computer hardware and software have become more robust at reading poorly formatted discs

Recent CD DRM systems mainly rely on active protection


Passive Protection (cont…)

XCP (Extended Copy Protection) deviates from the Bluebook specification to create passive protection

  Bluebook contains one audio session with multiple tracks and another session with one data track

  XCP has one session with audio tracks and another session with two data tracks

  Windows assumes it's a data-only CD

  Audio tracks become invisible

Ordinary CD players do not support multi-session CDs and recognize only the first session


XCP Passive Protection

Provides limited protection only:

  Advanced ripping and copying

  Non-Windows platforms

  The felt-tip marker trick

Felt-tip marker trick:

  Hide the second session using felt-tip marker or masking tape

  The second session is near the outer edge of the disc

  Can be done using trial and error method, or visually analyzing the disc


Active Protection

Active protection requires software to be installed

Both XCP and MediaMax rely on the autorun feature of Windows.

  MacOS X and Linux do not have autorun.

  XCP has only Windows code.

  MediaMax has MacOS code but the user must execute the installer (intentionally or unintentionally) to install it. Usually users don't do that


Temporary Protection

Protection for the time while the installer is running but the software is not yet installed

  When the EULA is being displayed

XCP checks for about 200 ripping and copying applications

  Names are hard coded

If any of these applications is found running in the system, it asks the user to close it in order to continue the installation

If the ripping or copying application is not closed within 30 seconds, the installer ejects the CD and quits


XCP Temporary protection – Screen Shot


MediaMax Temporary Protection

It installs the software and activates it at least temporarily while the EULA is still displayed

The software remains installed even if the user explicitly denies consent by declining the EULA

In some cases the software even remains active when the user denies consent


Temporary Protection

Installation of software by MediaMax before consent is highly controversial

Temporary activation of the DRM software without consent raises ethical questions

Most users do not expect the insertion of a music CD to load software

Some discs contained statements about software being on the disc, but these were written in tiny font and did not mention anything explicitly


Active Protection basics

Depends on a background process

This process checks whether access to a disc should be restricted

For any recognized protected disc, it monitors CD access and corrupts the audio data returned to any application other than its own player

  XCP replaces audio with random noise

  MediaMax adds large random jitter

Requires a mechanism to recognize protected discs


Disc Recognition

XCP stores a marker in the data track

MediaMax uses a more sophisticated method

  It puts a watermark

  The watermark is created after about 4 seconds from the start of an audio track to avoid audible noise in silence

  Modifies the audio track according to a special algorithm


CD DRM Players

Provide a rudimentary playback interface to the protected discs

Allow bonus contents

  Album art, lyrics, notes, links to websites

Allow an integrated burning application to copy the disc three times

  Subsequent copies cannot be made

Support ripping the tracks only in DRM-protected formats, so they can only be played on the same computer.

  Uses Windows Media DRM


What Went Wrong?

Controversial temporary protection schemes

XCP infringes copyrights of open source software projects

  Contains code from the project DRMS, licensed under GPL

  Uses this code to create FairPlay protected files for playing on an iPod

  Although this functionality is hidden from the user

Performs phoning home

  Sends information about listening habits.

  Allows logging of the user's IP, date, time and album name.

  Receives images or banner ads to display

  Fits the consensus definition of spyware.


Rootkit behavior of XCP

XCP shows rootkit behavior

Rootkits are software designed to hide processes, files, or system data

  Used to hide intrusion

XCP's rootkit is used to hide its main installation directory, registry keys, files and processes

  So they cannot be removed, modified or even noticed by the user

Conceals any file, process or registry key whose name begins with $Sys$


XCP as a Security Threat

Any malware can use XCP’s rootkit behavior to hide its existence in the system

Modifies the Windows kernel

  Modifies system functions for creating files, listing running processes, etc.

The modified kernel is not as stable as the original kernel

  Can be used to crash the computer
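
Added example (not part of the original slides): a small Python model of name-prefix cloaking and of the cross-view comparison a defender uses to spot it. The hooked listing function, the file names and the "known DRM files" inventory are all constructed for illustration; on a real system the raw view has to come from somewhere the hook cannot reach, such as the disk read from clean boot media.

```python
import os
import tempfile

CLOAK_PREFIX = "$sys$"  # prefix named on the slide; matched case-insensitively (assumption)

def hooked_listdir(path):
    """Model of a listing call patched to drop every name with the prefix."""
    return [n for n in os.listdir(path)
            if not n.lower().startswith(CLOAK_PREFIX)]

def cross_view_hidden(path, api_view=hooked_listdir, raw_view=os.listdir):
    """Names the raw view reports but the (possibly hooked) API view omits."""
    return sorted(set(raw_view(path)) - set(api_view(path)))

def demo():
    # Constructed sample: one ordinary file, one file standing in for the DRM
    # software, and one file from an unrelated program that borrows the prefix.
    names = ["track01.wav", "$sys$drm_component.bin", "$SYS$third_party.bin"]
    known_drm_files = {"$sys$drm_component.bin"}  # constructed inventory
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            open(os.path.join(d, name), "w").close()
        visible = hooked_listdir(d)
        hidden = cross_view_hidden(d)
    # The filter keys on the name alone, so the unrelated file is hidden too.
    unexplained = [n for n in hidden if n not in known_drm_files]
    return visible, hidden, unexplained

if __name__ == "__main__":
    print(demo())
```

Any entry that shows up only in the raw view is worth investigating; entries that do not belong to the cloaking software itself are the ones riding on its filter.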


MediaMax as a Security Threat

MediaMax sets file permissions that allow anybody to modify the contents of its installation directory

Any user can replace MediaMax's code with malicious code

The next time any other user inserts a MediaMax disc, the malicious code will be executed with that user's privileges

  MediaMax requires Administrator privileges

Resets the permissions every time MediaMax is run

  Manually correcting the errant permissions is not very effective


MediaMax as a Security Threat (cont…)

Installs MediaMax.dll even if the user denies the EULA

Next time a MediaMax disc is inserted, it checks the version of MediaMax by calling the DLL

Attacker can place hostile code in this DLL so next time a MediaMax disc is inserted, the malicious code will run with that user’s privilege

Sony-BMG released a patch to solve this problem

  The initial patch did not solve the problem


Uninstall

Initially neither of the DRM systems contained an uninstaller

After public demand, they provided an uninstaller, but it was very hard to acquire

  Had to fill out a sequence of forms and wait a few days.

The uninstaller was customized for the user

  Worked only on the PC where the forms were filled out.

  Worked only a limited number of times

Later, unrestricted uninstallers were published

  But they had their own vulnerabilities


MediaMax Uninstaller Vulnerability

Uses a proprietary ActiveX control

  Users had to install it to uninstall MediaMax

Has a “Remove” method which takes a URL

  An HTTP GET to this URL returns a second URL

  A DLL file is downloaded from the second URL and executed to uninstall MediaMax

The ActiveX control itself remains installed

Any web page can invoke the “Remove” method of the ActiveX control with an arbitrary first URL to execute a malicious DLL without warning


XCP Uninstaller Vulnerability

Has the same flaw, only a little harder to exploit

Instead of downloading a DLL, it downloads an archive file made using a proprietary algorithm

The DLL is extracted from this archive

Using reverse engineering, a valid archive can be made
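
Added example (not part of the original slides, and not the vendors' code): a Python model of the two-step fetch-and-run flow that both uninstaller slides describe, next to a hardened variant that pins the origin of every hop and verifies the payload before it would be run. The host names, the in-memory "network" and the payload bytes are constructed; the pinned SHA-256 digest stands in for a proper code-signature check.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Everything below is constructed for illustration: host names, payloads, digest.
TRUSTED_HOSTS = {"uninstall.vendor.example"}
FAKE_NET = {
    "https://uninstall.vendor.example/start": b"https://uninstall.vendor.example/u.dll",
    "https://uninstall.vendor.example/u.dll": b"VENDOR-UNINSTALLER",
    "https://uninstall.vendor.example/bounce": b"http://other.example/x.dll",
    "http://other.example/start": b"http://other.example/x.dll",
    "http://other.example/x.dll": b"UNTRUSTED-CODE",
}
VENDOR_DIGEST = hashlib.sha256(b"VENDOR-UNINSTALLER").hexdigest()

def fake_get(url):
    """Stand-in for an HTTP GET so the example runs offline."""
    return FAKE_NET[url]

def naive_remove(first_url, http_get=fake_get):
    """The flow on the slides: follow both URLs, run whatever comes back."""
    second_url = http_get(first_url).decode()
    return ("EXECUTE", http_get(second_url))

def check_origin(url):
    """Accept only HTTPS URLs on the pinned vendor host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in TRUSTED_HOSTS:
        raise PermissionError(f"untrusted origin: {url}")

def hardened_remove(first_url, http_get=fake_get, digest=VENDOR_DIGEST):
    """Same flow, but every hop is pinned and the payload is verified."""
    check_origin(first_url)
    second_url = http_get(first_url).decode()
    check_origin(second_url)          # the returned URL is checked as well
    payload = http_get(second_url)
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, digest):
        raise PermissionError("payload does not match the pinned digest")
    return ("EXECUTE", payload)
```

The naive flow fails because nothing ties the caller-supplied URL, the returned URL or the downloaded file to the vendor; the hardened flow rejects the request at whichever of those three points stops matching.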


As a result…

Sony-BMG had to recall all discs containing XCP or MediaMax

  XCP was deployed on 52 CD titles representing about 4.7 million CDs

  MediaMax was deployed on 37 titles representing about 20 million CDs

Compensation to the buyers

Lawsuits were filed in New York, California and Texas

“It's your intellectual property but it's not your computer” Department of Homeland Security, USA


Was it enough?

With so many aggressive strategies and controversial methods, are XCP and MediaMax sufficient to protect the audio CD in all situations?

NO

We have already discussed the weaknesses of passive protections


Weaknesses

Autorun can be disabled or avoided

Felt-tip marker method can be used

XCP's temporary protection: uses constant scanning for ripper applications

  Users can kill the application

  Can use an application that locks the CD tray

  The hard-coded list of applications will become obsolete, and ripper applications may use randomized process names to avoid such protections.


Weaknesses (cont...)

XCP disc recognition:

  Uses a marker in the data session: once ripped, it has no effect

MediaMax disc recognition:

  Uses a watermark in the audio track: lossy compression removes such a watermark

Both players allow a limited number of copies to be burned

  Vulnerable to rollback attacks

  User can modify the saved states to burn an unlimited number of discs


Ideal Disc Recognition Requirement

Uniqueness: Identify protected discs without accidentally triggering protection on an unprotected disc.

Detectability: It should be quickly detectable

Indelibility: The feature should be hard to remove

Unforgeability: Should be hard to forge.


Other requirements of a good CD DRM software

Audio CDs have a longer shelf life

Deactivating old software

  Old software should deactivate itself

Updating the software

  Users cooperate with updates that help them

  Download and CD delivery

Forcing updates

  Making the non-updated system painful to use


Conclusion

DRM vendors' goals differ from the labels' goals

DRM of even major labels can cause security and privacy risks.

Efficacy of DRM is sometimes inversely related to the user's ability to defend his system.

CD DRM systems are mostly ineffective

DRM systems do not always focus on copyright law

The stakes are high.


Questions?


Thank You