Windows DRM: Now An (Unwitting) Ally In Efforts To Expose Anonymous Tor Users

from the press-'play'-to-decloak dept

In case you were wondering what other misery DRM could contribute to, Hacker House security researchers have an answer for you:

HackerHouse have been investigating social engineering attacks performed with Digital Rights Management (DRM) protected media content. Attackers have been performing these attacks in the wild to spread fake codec installers since Microsoft introduced DRM to it’s proprietary media formats.

Improperly-licensed media files will produce a pop-up, asking the user if they want to visit the originating site to obtain the rights to play the file. This popup also warns users that this is great way to pick up malware if they're not careful. In these cases, computer users will likely be deterred from following through on the risky click.

But that only happens if it's not licensed properly. If it is -- an expensive process that runs about $10,000 -- then no warning appears, leaving users open to attack by malicious fake codec installers. What would be the point of these fake installers? One possible use for the exploitation of Windows DRM is the exposure of Tor users' information.

As these “signed WMV” files do not present any alert to a user before opening them they can be used quite effectively to decloak users of the popular privacy tool TorBrowser with very little warning. For such an attack to work your target candidate must be running TorBrowser on Windows. When opening/downloading files, TorBrowser does warn you that 3rd party files can expose your IP address and should be accessed in tails.

The $10k price tag for proper licensing is a deterrent to small-time malware purveyors. But it would only be a drop in the bucket for a well-funded government agency and/or any NGOs they employ. It's basically the Network Investigative Technique the FBI deployed in the Playpen cases -- only one able to be buried inside media files which could be scattered around like mini-honeypots.

The DRM-based attack certainly wouldn't be limited to law enforcement agencies. It would also be deployed by spy agencies for use against terrorists (who love to share media files) and, unfortunately, by governments every bit as malicious as the software they're deploying. The exploit could just as easily be deployed to target dissidents, journalists, and other "enemies of the state" through booby-trapped, DRM-laden files that strip away anonymity while delivering information these entities might find intriguing/useful.

Underneath it all is Microsoft's apparently misplaced faith in properly-signed media files put together with its development kits. Rather than warn users that the redirect to the codec installer may still be risky despite the proper signature, Windows will automatically open a new browser instance and download the file with no further user interaction.

Here's Hacker House's explanation of the whole process:


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Anonymous Anonymous Coward (profile), 7 Feb 2017 @ 9:40am

    Yet another reason...

    to not use Microsoft products or any other DRM encumbered anything.

    reply to this | link to this | view in chronology ]

  • icon
    orbitalinsertion (profile), 7 Feb 2017 @ 9:43am

    And no bad actor could possibly re-use such files once found...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Feb 2017 @ 9:45am

    Can it be disabled?

    The page says the problem is with the Extended Content Encryption Object, GUID 298AE614-2622-4C17-B935-DAE07EE9289C. Would removing that key from HKEY_CLASSES_ROOT fix it?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Feb 2017 @ 10:08am

    TBH ,if you're using Tor on windows, you probably deserve it.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Feb 2017 @ 10:29am

    ...which is why you just DON'T allow auto-play / click play on embedded videos whenever you feel like you give a damn about these things - you look at the page source, DOWNLOAD the video file itself, ascertain its extension and play it in a trusted player other than WMP (preferably with its own built-in codecs, preferably with network access denied). Yes, it might fail to play if it has DRM. Oh well...

    reply to this | link to this | view in chronology ]

  • identicon
    Rekrul, 7 Feb 2017 @ 10:30am

    Most savvy people avoid WMV/WMA files like the plague. I have a few old ones for when there was no other choice, but I only ever play them with third-party players that don't obey that DRM crap. If I ever downloaded an unlicensed file, it would just refuse to play it.

    reply to this | link to this | view in chronology ]

  • icon
    Bamboo Harvester (profile), 7 Feb 2017 @ 10:49am

    WMV?

    There are people out there so benighted they STILL use formats like WMV, WMA, the various MS document types that include scripting?

    And why would anyone with half a brain play any sort of media file with a player other than VLC?

    If you *must* use MS formats (work or the like) there are dozens of converters out there to change the files to safer, non-DRM formats.

    reply to this | link to this | view in chronology ]

  • identicon
    I.T. Guy, 7 Feb 2017 @ 12:22pm

    WMV & WMA... that still a thing? Seems to me the only thing DRM is really really good at is creating security vulnerabilities and headaches for paying customers. Pirates sail right along.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Feb 2017 @ 1:14pm

    Microsoft is an abusive spouse. There is a better way. LEAVE.

    reply to this | link to this | view in chronology ]

  • icon
    Manabi (profile), 7 Feb 2017 @ 3:21pm

    This is extremely easy to avoid

    This is easy avoid, just don't play ANY media in Windows Media Player. Get VLC instead, there's a portable version too so you don't even have to install it. Open the file in that and this fails.

    reply to this | link to this | view in chronology ]

  • icon
    Eldakka (profile), 7 Feb 2017 @ 4:06pm

    DRM isn't to protect the users...

    This is a perfect demonstration of how DRM isn't to protect the users, it's about who has control.

    And DRM enables the vendor, not the user, to have that control.

    reply to this | link to this | view in chronology ]

    • icon
      discordian_eris (profile), 7 Feb 2017 @ 6:56pm

      Re: DRM isn't to protect the users...

      And this is why when I was first using computers in the early '80s it stood for Digital Restrictions Management. It has never been about 'rights' and never will be.

      reply to this | link to this | view in chronology ]

  • icon
    afn29129 (profile), 7 Feb 2017 @ 7:25pm

    WMV Files

    WMV files were a nuisance since introduction years ago. I went so far as to associate the WMV ext to be opened with a Hex Editor. And now this.... More reason to avoid the files for the plague that they are.

    reply to this | link to this | view in chronology ]

  • identicon
    pegr, 8 Feb 2017 @ 7:19am

    Yawn...

    That's why you implement TOR at the router level, not PC. While this is a great demonstration of TOR information leakage, it applies to all 3rd party plugins, etc.

    I'll bet that the FBI's NIT is just a malicious Flash file...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 11 Feb 2017 @ 2:59pm

    That's why you don't use anonymity software on proprietary operating systems.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.