Windows DRM: Now An (Unwitting) Ally In Efforts To Expose Anonymous Tor Users

from the press-'play'-to-decloak dept

Tue, Feb 7th 2017 9:29am — Tim Cushing

In case you were wondering what other misery DRM could contribute to, Hacker House security researchers have an answer for you:

HackerHouse have been investigating social engineering attacks performed with Digital Rights Management (DRM) protected media content. Attackers have been performing these attacks in the wild to spread fake codec installers since Microsoft introduced DRM to it’s proprietary media formats.

Improperly-licensed media files will produce a pop-up, asking the user if they want to visit the originating site to obtain the rights to play the file. This popup also warns users that this is great way to pick up malware if they're not careful. In these cases, computer users will likely be deterred from following through on the risky click.

But that only happens if it's not licensed properly. If it is -- an expensive process that runs about $10,000 -- then no warning appears, leaving users open to attack by malicious fake codec installers. What would be the point of these fake installers? One possible use for the exploitation of Windows DRM is the exposure of Tor users' information.

As these “signed WMV” files do not present any alert to a user before opening them they can be used quite effectively to decloak users of the popular privacy tool TorBrowser with very little warning. For such an attack to work your target candidate must be running TorBrowser on Windows. When opening/downloading files, TorBrowser does warn you that 3rd party files can expose your IP address and should be accessed in tails.

The $10k price tag for proper licensing is a deterrent to small-time malware purveyors. But it would only be a drop in the bucket for a well-funded government agency and/or any NGOs they employ. It's basically the Network Investigative Technique the FBI deployed in the Playpen cases -- only one able to be buried inside media files which could be scattered around like mini-honeypots.

The DRM-based attack certainly wouldn't be limited to law enforcement agencies. It would also be deployed by spy agencies for use against terrorists (who love to share media files) and, unfortunately, by governments every bit as malicious as the software they're deploying. The exploit could just as easily be deployed to target dissidents, journalists, and other "enemies of the state" through booby-trapped, DRM-laden files that strip away anonymity while delivering information these entities might find intriguing/useful.

Underneath it all is Microsoft's apparently misplaced faith in properly-signed media files put together with its development kits. Rather than warn users that the redirect to the codec installer may still be risky despite the proper signature, Windows will automatically open a new browser instance and download the file with no further user interaction.

Here's Hacker House's explanation of the whole process:

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: anonymity, drm, tor, windows

24 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Anonymous Coward (profile), 7 Feb 2017 @ 9:40am

Yet another reason...
to not use Microsoft products or any other DRM encumbered anything.
[ link to this | view in chronology ]
- Designerfx (profile), 7 Feb 2017 @ 9:57am
  
  Re: Yet another reason...
  Yep, even more confirmation that anyone who wants privacy should be using Tails ( https://tails.boum.org/ )
  [ link to this | view in chronology ]
  - Anonymous Coward, 7 Feb 2017 @ 12:10pm
    
    Re: Re: Yet another reason...
    Or Whonix if the user can afford the risks of NOT using Tails but wants privacy & some isolation anyways
    [ link to this | view in chronology ]
    - Roger Strong (profile), 7 Feb 2017 @ 1:03pm
      
      Re: Re: Re: Yet another reason...
      Or Windows XP if they've lost all hope and just want it over with quickly.
      [ link to this | view in chronology ]
- Roger Strong (profile), 7 Feb 2017 @ 10:00am
  
  Re: Yet another reason...
  That advice would extend to Apple and Google products.
  [ link to this | view in chronology ]
orbitalinsertion (profile), 7 Feb 2017 @ 9:43am

And no bad actor could possibly re-use such files once found...
[ link to this | view in chronology ]
Anonymous Coward, 7 Feb 2017 @ 9:45am

Can it be disabled?
The page says the problem is with the Extended Content Encryption Object, GUID 298AE614-2622-4C17-B935-DAE07EE9289C. Would removing that key from HKEY_CLASSES_ROOT fix it?
[ link to this | view in chronology ]
Anonymous Coward, 7 Feb 2017 @ 10:08am

TBH ,if you're using Tor on windows, you probably deserve it.
[ link to this | view in chronology ]
- Cowardly Lion, 8 Feb 2017 @ 3:50am
  
  Re:
  Some people (office workers for example) have no choice. I've used it for a time, to circumvent corporate proxies.
  [ link to this | view in chronology ]
Anonymous Coward, 7 Feb 2017 @ 10:29am

...which is why you just DON'T allow auto-play / click play on embedded videos whenever you feel like you give a damn about these things - you look at the page source, DOWNLOAD the video file itself, ascertain its extension and play it in a trusted player other than WMP (preferably with its own built-in codecs, preferably with network access denied). Yes, it might fail to play if it has DRM. Oh well...
[ link to this | view in chronology ]
Rekrul, 7 Feb 2017 @ 10:30am

Most savvy people avoid WMV/WMA files like the plague. I have a few old ones for when there was no other choice, but I only ever play them with third-party players that don't obey that DRM crap. If I ever downloaded an unlicensed file, it would just refuse to play it.
[ link to this | view in chronology ]
- Anonymous Coward, 7 Feb 2017 @ 1:13pm
  
  Re:
  VLC doesn't run the embedded malware.
  [ link to this | view in chronology ]
  - Anonymous Coward, 7 Feb 2017 @ 3:38pm
    
    Re: Re:
    > VLC doesn't run the embedded malware.
    
    Or play the file.
    [ link to this | view in chronology ]
Bamboo Harvester (profile), 7 Feb 2017 @ 10:49am

WMV?
There are people out there so benighted they STILL use formats like WMV, WMA, the various MS document types that include scripting?

And why would anyone with half a brain play any sort of media file with a player other than VLC?

If you *must* use MS formats (work or the like) there are dozens of converters out there to change the files to safer, non-DRM formats.
[ link to this | view in chronology ]
I.T. Guy, 7 Feb 2017 @ 12:22pm

WMV & WMA... that still a thing? Seems to me the only thing DRM is really really good at is creating security vulnerabilities and headaches for paying customers. Pirates sail right along.
[ link to this | view in chronology ]
Anonymous Coward, 7 Feb 2017 @ 1:14pm

Microsoft is an abusive spouse. There is a better way. LEAVE.
[ link to this | view in chronology ]
Manabi (profile), 7 Feb 2017 @ 3:21pm

This is extremely easy to avoid
This is easy avoid, just don't play ANY media in Windows Media Player. Get VLC instead, there's a portable version too so you don't even have to install it. Open the file in that and this fails.
[ link to this | view in chronology ]
- Anonymous Coward, 7 Feb 2017 @ 3:37pm
  
  Re: This is extremely easy to avoid
  > Open the file in that and this fails.
  
  So does playing of the file.
  [ link to this | view in chronology ]
- Anonymous Coward, 8 Feb 2017 @ 12:41am
  
  Re: This is extremely easy to avoid
  That won't help when it is the browser loaded codec for web DRM.
  [ link to this | view in chronology ]
Eldakka (profile), 7 Feb 2017 @ 4:06pm

DRM isn't to protect the users...
This is a perfect demonstration of how DRM isn't to protect the users, it's about who has control.

And DRM enables the vendor, not the user, to have that control.
[ link to this | view in chronology ]
- discordian_eris (profile), 7 Feb 2017 @ 6:56pm
  
  Re: DRM isn't to protect the users...
  And this is why when I was first using computers in the early '80s it stood for Digital Restrictions Management. It has never been about 'rights' and never will be.
  [ link to this | view in chronology ]
afn29129 (profile), 7 Feb 2017 @ 7:25pm

WMV Files
WMV files were a nuisance since introduction years ago. I went so far as to associate the WMV ext to be opened with a Hex Editor. And now this.... More reason to avoid the files for the plague that they are.
[ link to this | view in chronology ]
pegr, 8 Feb 2017 @ 7:19am

Yawn...
That's why you implement TOR at the router level, not PC. While this is a great demonstration of TOR information leakage, it applies to all 3rd party plugins, etc.

I'll bet that the FBI's NIT is just a malicious Flash file...
[ link to this | view in chronology ]
Anonymous Coward, 11 Feb 2017 @ 2:59pm

That's why you don't use anonymity software on proprietary operating systems.
[ link to this | view in chronology ]