
Microsoft PlayReady Failed DRM

Posted Apr 3, 2024
Authored by Adam Gowdiak | Site security-explorations.com

Microsoft PlayReady suffers from issues that can lead to disclosure of plaintext keys used to protect DRM'ed content.

tags | advisory, info disclosure
SHA-256 | 28a472f25d72b716bdb5a514be5776a5e12b397df68219d437bd1398ff26e123

Hello All,

It's been 1.5 years since Microsoft got a notification about PlayReady issues
affecting Canal+ VOD service in Poland [1].

Per information received from Microsoft back then:
1) "to maintain the integrity of the PlayReady ecosystem, the company takes
reports such as (ours) very seriously" (Oct 7, 2022),
2) the STB manufacturer committed to mitigate the incident (Nov 18, 2022).

However, as of late Mar 2024, no change was observed at Canal+ end as:
- our POC from 2022 still worked,
- no PlayReady certificate got revoked by Microsoft, no secret got changed
(Microsoft claimed that certificate revocation takes place "if a large
amount of real-world piracy is occurring and/or the company is getting
strong pressure from content owners/providers")
- unauthorised license requests could still be issued with the fake identity
(HELLO_MICROSOFT id) and content keys acquired to movies from CANAL+ PREMIUM,
HBO and CANAL+ VOD libraries (possibly others, our automatic check focuses
on these 3 libraries though)
- the movies could be downloaded and decrypted for offline playback and/or
Internet distribution (in high definition 1080p).

We lost contact with Microsoft more than a year ago. The company neglected to
respond to our questions [2]. Microsoft PR agency [3] was not willing to address
our inquiry either, claiming that they respond to media only.

The way Microsoft handled our PlayReady report from 2022, along with the
retirement of Microsoft Azure Media Services (Microsoft indicated that Azure
Media Services as an E2E solution is free of the exposed PlayReady limitation),
made us quite suspicious about the security of PlayReady in general. It was thus
natural to verify the state of PlayReady security on a more widely available
platform such as Windows. This is basically how the Warbird and PMP project was born:

https://security-explorations.com/microsoft-warbird-pmp.html

It is worth mentioning that back in 2022 we indicated to Microsoft that
"we have future projects ideas as a follow up and to some extent based on
PlayReady stuff". In that context, the new research targeting PlayReady
shouldn't come as a surprise to the company (vide time to prepare / review /
improve stuff).

As a result of the new research, several deficiencies have been discovered in
various Protected Media Path components [4], which could be exploited to gain
access to plaintext content keys guarded by PlayReady (Windows 10 / Windows 11
environment and SW DRM case).

It has been demonstrated that these plaintext keys could be successfully used to
decrypt high definition (1080p) movies protected by PlayReady content protection
(Canal+ Online VOD platform scenario).

Our tests indicate that the following streaming platforms are affected:
- Canal+ Online
- Netflix
- HBO Max
- Amazon Prime Video

Taking into account the technique used to extract plaintext value of content
keys, we assume that key extraction might also work for some other platforms
relying on SW Microsoft PlayReady technology in a Windows OS environment (VOD
and Live TVs).

In Windows OS, Protected Media Path is implemented both in kernel and user space
[5]. It relies on crypto, code integrity, auth checks, whitebox crypto and code
obfuscation.

All of that doesn't matter though. We have come up with an attack scenario that
makes it possible to extract plaintext values of content keys from a Protected
Media Path process. The attack proceeds by exploiting a time window during which
content keys have a XORed form - the plaintext value of such keys can be
obtained by means of a simple XOR operation with a magic 128-bit key sequence.

Our tests indicate that there are only two such magic key sequences used across
Windows OS versions released since 2022 (one for Windows 10, the other for
Windows 11).

The above has been confirmed on Windows 10 and 11 x64 systems across various
builds from late 2022 till Mar 2024 (systems without and with HW DRM capability).

Thank you.

Best Regards,
Adam Gowdiak

----------------------------------
Security Explorations -
AG Security Research Lab
https://security-explorations.com
----------------------------------

References:
[1] Microsoft PlayReady security research
https://security-explorations.com/microsoft-playready.html
[2] List of questions pending answer from Microsoft
https://security-explorations.com/materials/mspr_questions.pdf
[3] WE Communications
https://www.we-worldwide.com/
[4] Protected Media Path, Wikipedia
https://en.wikipedia.org/wiki/Protected_Media_Path
[5] Protected Media Path, Microsoft
https://learn.microsoft.com/en-us/windows/win32/medfound/protected-media-path
