Google Takes Down Repositories That Circumvent its Widevine DRM

[shamu726]

GitHub has removed several repositories that helped to bypass Google's Widevine DRM, which is used by popular streaming services such as Netflix and Amazon. Google requested the code to be removed as it would violate the DMCA. The company also sent a sensitive data takedown request for the associated RSA key which, ironically, remains easy to find through Google.

 

 

With more ways to stream online video than ever before, protecting video continues to be a key issue for copyright holders.

 

This is often achieved through Digital Rights Management, which is often referred to by the initials DRM. In a nutshell, DRM is an anti-piracy tool that dictates when and where digital content can be accessed.

 

Google is an important player in this area. The company owns the Widevine DRM technology which is used by many of the largest streaming services including Amazon, Netflix and Disney+. As such, keeping it secure is vital.

Widevine DRM

Widevine DRM comes in different levels. The L1 variant is the most secure, followed by L2 and L3. While the latter still protects content from being easily downloaded, it’s certainly not impossible to bypass, as pirates have repeatedly shown.

 

Despite its vulnerabilities, Google doesn’t want to make it too easy for the public at large. This became apparent a few hours ago when the company asked the developer platform GitHub to remove dozens of “Widevine L3 Decryptor” repositories.

 

The code, originally published by security researcher Tomer Hadad, is a proof-of-concept code Chrome extension that shows how easy it is to bypass the low-security DRM. Google was aware of this vulnerability and previously informed Krebs Security that it would address the issue.

Google Targets Widevine L3 Decryptor Code

One option would be to patch the security flaw but, for now, Google appears to be focusing on the takedown route. In a DMCA notice sent to GitHub, the company requests the immediate takedown of dozens of “Widevine L3 Decryptor” copies.

 

“The following git repository [sic] contain circumvention technology that enables users to illegally access video and audio works protected by copyright,” Google writes.

 

“This Chrome extension demonstrates how it’s possible to bypass Widevine DRM by hijacking calls to the browser’s Encrypted Media Extensions (EME) and decrypting all Widevine content keys transferred – effectively turning it into a clearkey DRM,” Google adds.

 

Google sees the code, which was explicitly published for educational purposes only, as a circumvention tool. As such, it allegedly violates section 1201 of the DMCA, an allegation that was also made against the youtube-dl code last month.

 

 

The takedown notice includes a long list of repositories that were all made unavailable by GitHub. This doesn’t cover the original code from Tomer Hadad, who already removed his version in late October, citing “legal reasons.”

 

Google views this vulnerability as a serious matter and the company says that it has also filed a Sensitive Data takedown request to prevent the Widevine’s ‘secret’ private key from being publicly shared.

Sensitive Data Request

“In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.”

 

That last mention is interesting as private keys, which are simply a string of characters, are not seen as copyrighted or private content by everyone.

 

“If you distribute your key with the software, then whatever form it is in, I would not consider it “private” at all,” a commenter on Hacker News points out.

Googling the AACS Key

This ‘key controversy’ is reminiscent of an issue that was widely debated thirteen years ago. At the time, a hacker leaked the AACS cryptographic key “09 F9” online which prompted the MPAA and AACS LA to issue DMCA takedown requests to sites where it surfaced.

 

This escalated into a censorship debate when sites started removing articles that referenced the leak, triggering a massive backlash.

 

At the time, the controversial AACS key was still readily available through Google’s search engine. In that regard very little has changed. Despite Google’s sensitive data takedown request, the Widevine RSA key is easy to find through its own search engine.

 

 

Source: TorrentFreak

[zanderthunder]

I bet many more repo's out there posting about the decryptor there, GitHub is not just the only one.

[steven36]

it was  more  or less  just to  prove  a point  the scene  has cracked L1 they use Android TV  Boxes  so they even a bigger hole in google's OS to do theirs and even the FBI can't stop them  .They try but  in vain  only some of the team name change they on full rebound now like nothing ever happened .

 

Quote

This PoC was done to further show that code obfuscation, anti-debugging tricks, whitebox cryptography algorithms and other methods of security-by-obscurity will eventually by defeated anyway, and are, in a way, pointless.

Stuff like this  is why they have reverse engineer forums were coders can work without worrying  about whackamole  and Kerbs  is full of shit Google has  not plugged no holes instead of patching  the public key  Google decided to play wackamole on the www  were you can upload  it anywhere  even TPB lol. 

 

Every version of DRM  gets defeated  When i 1st came on the  internet  they was free software to decrypt DVD  ,then latter Bluray , then  Apple's  video DRM and now Google's  . This is Google playing  both sides of copyright  they make DRM  but won't even add it to most videos  on there YouTube  site they  don't try and protect the music industry  they only try to protect the movie industry .That's not counting the Games , Music and  Software  DRM . At lest in Games and Software they  update the protection and give the reverse engineers a challenge.

 

 

 Today's pirates are so stupid they  be pirating  Windows  , movies  , music ,games ,software and defending the very cancerous Big Tech  that wants to profit of  everything you do on the internet  and even in the privacy of your own home . DRM , Walled Gardens and spyware.   Then they go on sites owned  by these cancers  instead of warez  forums  to try and release it and post about it on social media and cry when they take it down they lost the dang plot.   They defeat themselves by posting  on these sites with a big please kick me  sign on there backs.  That what private sites are  for.