SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
24 May 2017

Subtitles can hack your PC every time you watch a movie

Watching a film with subtitles this week? It might contain a nasty surprise that leaves your PC or TV under the control of cybercriminals, researchers from security firm Check Point warned Tuesday.

They found a way to insert malicious code into subtitle files used by popular media players, including VLC, Kodi, Popcorn Time and Stremio. As soon as the player parses those evil files before displaying the actual subtitles on the screen, the attacker is granted control of the computers and TVs on which they ran, Check Point said.

And, as such subtitles are typically downloaded automatically from online repositories that can be gamed, hackers can easily force media players to download their malicious subtitles rather than legitimate ones, the researchers discovered. They were able to test their attacks on a variety of Windows PCs, right up to Windows 10. While they didn’t run their hacks on a real life smart TV, or on mobile platforms like Apple’s iOS and Google’s Android, they believe they pose a threat to any operating system. Thanks to the popularity of the media players, many millions could be affected.

The video below shows what’s possible on a Windows PC, where the hidden malicious code runs once the movie Frozen is played inside Popcorn Time. The hackers then move on to the other platforms. On the right hand side of the screen is the attacker’s computer, running the hacker operating system, Kali Linux.

For now, all four media players have created fixes for the vulnerabilities, though not all have been automatically updated. It should perhaps be no surprise hackers can exploit media players. In March, Wikileaks files published documents detailing Central Intelligence Agency (CIA) tools that targeted both Samsung smart TVs and players including VLC. At the time, VLC said there was no indication the hacks of its software were remotely exploitable and the CIA appeared to use a non-official, modified version of its video player.

U.S. law enforcement have also been keen to use the data collected by smart TVs, as shown in a search warrant found by experts targeting a Samsung device earlier this year.

Exploits via subtitles

As for how an attack would go down, Yaniv Balmas, malware research team leader at Check Point, explained his team was able to find a novel way to force the media players to run malicious subtitle files. Each media player, he said, used public repositories of subtitle files, such as OpenSubtitles.org, which Popcorn Time confirmed it was using. The players will typically download and run the most popular file for the chosen movie. That meant Balmas’ team could game the OpenSubtitles.org system to ensure its malicious files would be ranked top and therefore run ahead of others.

With just two minutes of effort, the researchers were able to get their OpenSubtitles.org profiles labelled as trusted Gold Members and with tweaks to file names, they could force their subtitles up to the number one ranking for whatever films they chose (though without doing anything actually criminal). OpenSubtitles.org hadn’t responded to a request for comment at the time of publication.

That was all possible in the first place due to the open nature of such repositories, said Balmas. “Anyone is allowed to access these, you just need a username and you’re free to go,” he told. “These media players, you don’t know where they’re connecting to, they’re doing it automatically. “I don’t think this has been seen before… This thing is dangerous.”

He said there were different vulnerabilities in each media player, but they would not be fully disclosed until all vendors had released patches and they were widely deployed. The weaknesses were likely a result of the complexities of each subtitle file parser, and the same vulnerabilities would likely be present across any platform using similar methods for subtitles, Balmas added.

A Stremio spokesperson said the flaws were fixed shortly after Check Point’s disclosure, adding that both available versions of the app – 3.6.7. and 4.0 (beta) – have been patched. Users should receive an automatic update, but they can head to the company’s site to get version 4.0 manually. Kodi developer, Martijn Kaijser, said users could get a fixed version online via this link, while the official v17.2 release would arrive later this week. Popcorn Time said a patch had been released and was available at this link. And VLC added that major issues were addressed in VLC 2.2.5 that’s been out for two weeks, with more fixes coming later this week.

As always, the advice to user is simple: get the updates and patch up. But it might be wise for media players to look at how they handle subtitles too. In particular, Balmas said that if just one standardized program for managing subtitles was used across each media player, it’d likely reduce the complexity and therefore the number of bugs. “That’ll be the real fix,” he added.


Download SafeUM — communicate privately, without advertising and spam.

Tags:
information leaks
Source:
Forbes
Author:
Thomas Fox-Brewster
1747
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015