With more ways to stream online video than ever before, protecting video continues to be a key issue for copyright holders.
This is often achieved through Digital Rights Management, which is often referred to by the initials DRM. In a nutshell, DRM is an anti-piracy tool that dictates when and where digital content can be accessed.
Google is an important player in this area. The company owns the Widevine DRM technology which is used by many of the largest streaming services including Amazon, Netflix and Disney+. As such, keeping it secure is vital.
Widevine DRM comes in different levels. The L1 variant is the most secure, followed by L2 and L3. While the latter still protects content from being easily downloaded, it’s certainly not impossible to bypass, as pirates have repeatedly shown.
Despite its vulnerabilities, Google doesn’t want to make it too easy for the public at large. This became apparent a few hours ago when the company asked the developer platform GitHub to remove dozens of “Widevine L3 Decryptor” repositories.
The code, originally published by security researcher Tomer Hadad, is a proof-of-concept code Chrome extension that shows how easy it is to bypass the low-security DRM. Google was aware of this vulnerability and previously informed Krebs Security that it would address the issue.
Google Targets Widevine L3 Decryptor Code
One option would be to patch the security flaw but, for now, Google appears to be focusing on the takedown route. In a DMCA notice sent to GitHub, the company requests the immediate takedown of dozens of “Widevine L3 Decryptor” copies.
“The following git repository [sic] contain circumvention technology that enables users to illegally access video and audio works protected by copyright,” Google writes.
“This Chrome extension demonstrates how it’s possible to bypass Widevine DRM by hijacking calls to the browser’s Encrypted Media Extensions (EME) and decrypting all Widevine content keys transferred – effectively turning it into a clearkey DRM,” Google adds.
Google sees the code, which was explicitly published for educational purposes only, as a circumvention tool. As such, it allegedly violates section 1201 of the DMCA, an allegation that was also made against the youtube-dl code last month.
The takedown notice includes a long list of repositories that were all made unavailable by GitHub. This doesn’t cover the original code from Tomer Hadad, who already removed his version in late October, citing “legal reasons.”
Google views this vulnerability as a serious matter and the company says that it has also filed a Sensitive Data takedown request to prevent the Widevine’s ‘secret’ private key from being publicly shared.
Sensitive Data Request
“In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.”
That last mention is interesting as private keys, which are simply a string of characters, are not seen as copyrighted or private content by everyone.
“If you distribute your key with the software, then whatever form it is in, I would not consider it “private” at all,” a commenter on Hacker News points out.
Googling the AACS Key
This ‘key controversy’ is reminiscent of an issue that was widely debated thirteen years ago. At the time, a hacker leaked the AACS cryptographic key “09 F9” online which prompted the MPAA and AACS LA to issue DMCA takedown requests to sites where it surfaced.
This escalated into a censorship debate when sites started removing articles that referenced the leak, triggering a massive backlash.
At the time, the controversial AACS key was still readily available through Google’s search engine. In that regard very little has changed. Despite Google’s sensitive data takedown request, the Widevine RSA key is easy to find through its own search engine.