Windows DRM: Now An (Unwitting) Ally In Efforts To Expose Anonymous Tor Users
from the press-'play'-to-decloak dept
In case you were wondering what other misery DRM could contribute to, Hacker House security researchers have an answer for you:
HackerHouse have been investigating social engineering attacks performed with Digital Rights Management (DRM) protected media content. Attackers have been performing these attacks in the wild to spread fake codec installers since Microsoft introduced DRM to it’s proprietary media formats.
Improperly-licensed media files will produce a pop-up, asking the user if they want to visit the originating site to obtain the rights to play the file. This popup also warns users that this is great way to pick up malware if they’re not careful. In these cases, computer users will likely be deterred from following through on the risky click.
But that only happens if it’s not licensed properly. If it is — an expensive process that runs about $10,000 — then no warning appears, leaving users open to attack by malicious fake codec installers. What would be the point of these fake installers? One possible use for the exploitation of Windows DRM is the exposure of Tor users’ information.
As these “signed WMV” files do not present any alert to a user before opening them they can be used quite effectively to decloak users of the popular privacy tool TorBrowser with very little warning. For such an attack to work your target candidate must be running TorBrowser on Windows. When opening/downloading files, TorBrowser does warn you that 3rd party files can expose your IP address and should be accessed in tails.
The $10k price tag for proper licensing is a deterrent to small-time malware purveyors. But it would only be a drop in the bucket for a well-funded government agency and/or any NGOs they employ. It’s basically the Network Investigative Technique the FBI deployed in the Playpen cases — only one able to be buried inside media files which could be scattered around like mini-honeypots.
The DRM-based attack certainly wouldn’t be limited to law enforcement agencies. It would also be deployed by spy agencies for use against terrorists (who love to share media files) and, unfortunately, by governments every bit as malicious as the software they’re deploying. The exploit could just as easily be deployed to target dissidents, journalists, and other “enemies of the state” through booby-trapped, DRM-laden files that strip away anonymity while delivering information these entities might find intriguing/useful.
Underneath it all is Microsoft’s apparently misplaced faith in properly-signed media files put together with its development kits. Rather than warn users that the redirect to the codec installer may still be risky despite the proper signature, Windows will automatically open a new browser instance and download the file with no further user interaction.
Here’s Hacker House’s explanation of the whole process:
Comments on “Windows DRM: Now An (Unwitting) Ally In Efforts To Expose Anonymous Tor Users”
Yet another reason...
to not use Microsoft products or any other DRM encumbered anything.
Re: Yet another reason...
Yep, even more confirmation that anyone who wants privacy should be using Tails ( https://tails.boum.org/ )
Re: Re: Yet another reason...
Or Whonix if the user can afford the risks of NOT using Tails but wants privacy & some isolation anyways
Re: Re: Re: Yet another reason...
Or Windows XP if they’ve lost all hope and just want it over with quickly.
Re: Yet another reason...
That advice would extend to Apple and Google products.
And no bad actor could possibly re-use such files once found…
Can it be disabled?
The page says the problem is with the Extended Content Encryption Object, GUID 298AE614-2622-4C17-B935-DAE07EE9289C. Would removing that key from HKEY_CLASSES_ROOT fix it?
TBH ,if you’re using Tor on windows, you probably deserve it.
Re: Re:
Some people (office workers for example) have no choice. I’ve used it for a time, to circumvent corporate proxies.
…which is why you just DON’T allow auto-play / click play on embedded videos whenever you feel like you give a damn about these things – you look at the page source, DOWNLOAD the video file itself, ascertain its extension and play it in a trusted player other than WMP (preferably with its own built-in codecs, preferably with network access denied). Yes, it might fail to play if it has DRM. Oh well…
Most savvy people avoid WMV/WMA files like the plague. I have a few old ones for when there was no other choice, but I only ever play them with third-party players that don’t obey that DRM crap. If I ever downloaded an unlicensed file, it would just refuse to play it.
Re: Re:
VLC doesn’t run the embedded malware.
Re: Re: Re:
WMV?
There are people out there so benighted they STILL use formats like WMV, WMA, the various MS document types that include scripting?
And why would anyone with half a brain play any sort of media file with a player other than VLC?
If you *must* use MS formats (work or the like) there are dozens of converters out there to change the files to safer, non-DRM formats.
WMV & WMA… that still a thing? Seems to me the only thing DRM is really really good at is creating security vulnerabilities and headaches for paying customers. Pirates sail right along.
Microsoft is an abusive spouse. There is a better way. LEAVE.
This is extremely easy to avoid
This is easy avoid, just don’t play ANY media in Windows Media Player. Get VLC instead, there’s a portable version too so you don’t even have to install it. Open the file in that and this fails.
Re: This is extremely easy to avoid
Re: This is extremely easy to avoid
That won’t help when it is the browser loaded codec for web DRM.
DRM isn't to protect the users...
This is a perfect demonstration of how DRM isn’t to protect the users, it’s about who has control.
And DRM enables the vendor, not the user, to have that control.
Re: DRM isn't to protect the users...
And this is why when I was first using computers in the early ’80s it stood for Digital Restrictions Management. It has never been about ‘rights’ and never will be.
WMV Files
WMV files were a nuisance since introduction years ago. I went so far as to associate the WMV ext to be opened with a Hex Editor. And now this…. More reason to avoid the files for the plague that they are.
Yawn...
That’s why you implement TOR at the router level, not PC. While this is a great demonstration of TOR information leakage, it applies to all 3rd party plugins, etc.
I’ll bet that the FBI’s NIT is just a malicious Flash file…
That’s why you don’t use anonymity software on proprietary operating systems.