Hello All,

It's been 1.5 years since Microsoft got a notification about PlayReady issues affecting the Canal+ VOD service in Poland [1]. Per information received from Microsoft back then:

1) "to maintain the integrity of the PlayReady ecosystem, the company takes reports such as (ours) very seriously" (Oct 7, 2022),
2) the STB manufacturer committed to mitigate the incident (Nov 18, 2022).

However, as of late Mar 2024, no change was observed at the Canal+ end as:

- our POC from 2022 still worked,
- no PlayReady certificate got revoked by Microsoft, no secret got changed (Microsoft claimed that certificate revocation takes place "if a large amount of real-world piracy is occurring and/or the company is getting strong pressure from content owners/providers"),
- unauthorised license requests could still be issued with the fake identity (HELLO_MICROSOFT id) and content keys acquired to movies from the CANAL+ PREMIUM, HBO and CANAL+ VOD libraries (possibly others, our automatic check focuses on these 3 libraries though),
- the movies could be downloaded and decrypted for offline playback and/or Internet distribution (in high definition 1080p).

We lost contact with Microsoft more than a year ago. The company neglected to respond to our questions [2]. Microsoft's PR agency [3] was not willing to address our inquiry either, claiming that they respond to media only.

The way Microsoft handled our PlayReady report from 2022, along with the retirement of Microsoft Azure Media Services (Microsoft indicated that Azure Media Services as an E2E solution is free of the exposed PlayReady limitation), made us quite suspicious about the security of PlayReady in general. It was thus natural to verify the state of PlayReady security on a more widely available platform such as Windows.

This is basically how the Warbird and PMP project was born:

https://security-explorations.com/microsoft-warbird-pmp.html

It is worth mentioning that back in 2022 we indicated to Microsoft that "we have future projects ideas as a follow up and to some extent based on PlayReady stuff". In that context, the new research targeting PlayReady shouldn't come as a surprise to the company (vide time to prepare / review / improve stuff).

As a result of the new research, several deficiencies have been discovered in various Protected Media Path components [4], which could be exploited to gain access to plaintext content keys guarded by PlayReady (Windows 10 / Windows 11 environment and SW DRM case). It has been demonstrated that these plaintext keys could be successfully used to decrypt high definition (1080p) movies protected by PlayReady content protection (Canal+ Online VOD platform scenario).

Our tests indicate that the following streaming platforms are affected:

- Canal+ Online
- Netflix
- HBO Max
- Amazon Prime Video

Taking into account the technique used to extract the plaintext value of content keys, we assume that key extraction might also work for some other platforms relying on SW Microsoft PlayReady technology in a Windows OS environment (VOD and Live TVs).

In Windows OS, Protected Media Path is implemented both in kernel and user space [5]. It relies on crypto, code integrity, auth checks, whitebox crypto and code obfuscation. All of that doesn't matter though. We have come up with an attack scenario that makes it possible to extract plaintext values of content keys from a Protected Media Path process. The attack proceeds by exploiting a time window during which content keys have an XORed form - the plaintext value of such keys can be obtained by means of a simple XOR operation with a magic 128-bit key sequence.

Our tests indicate that there are only two such magic key sequences used across Windows OS versions released since 2022 (one for Windows 10, the other for Windows 11). The above has been confirmed on Windows 10 and 11 x64 systems across various builds from late 2022 till Mar 2024 (systems without and with HW DRM capability).

Thank you.

Best Regards,
Adam Gowdiak

----------------------------------
Security Explorations - AG Security Research Lab
https://security-explorations.com
----------------------------------

References:

[1] Microsoft PlayReady security research
https://security-explorations.com/microsoft-playready.html

[2] List of questions pending answer from Microsoft
https://security-explorations.com/materials/mspr_questions.pdf

[3] WE Communications
https://www.we-worldwide.com/

[4] Protected Media Path, Wikipedia
https://en.wikipedia.org/wiki/Protected_Media_Path

[5] Protected Media Path, Microsoft
https://learn.microsoft.com/en-us/windows/win32/medfound/protected-media-path