Watching a film with subtitles, it might contain a nasty surprise that leaves your PC or TV under the control of cybercriminals, researchers from security firm Check Point warned.
They found a way to insert malicious code into subtitle files used by popular media players, including VLC, Kodi, Popcorn Time and Stremio. As soon as the player parses those evil files before displaying the actual subtitles on the screen, the attacker is granted control of the computers and TVs on which they ran, Check Point said. And, as such subtitles are typically downloaded automatically from online repositories that can be gamed, hackers can easily force media players to download their malicious subtitles rather than legitimate ones, the researchers discovered.
They were able to test their attacks on a variety of Windows PCs, right up to Windows 10. While they didn’t run their hacks on a real life smart TV, or on mobile platforms like Apple’s iOS and Google’s Android, they believe they pose a threat to any operating system. Thanks to the popularity of the media players, many millions could be affected.
The video below shows what’s possible on a Windows PC, where the hidden malicious code runs once the movie Frozen is played inside Popcorn Time. The hackers then move on to the other platforms. On the right hand side of the screen is the attacker’s computer, running the hacker operating system, Kali Linux.
For now, all four media players have created fixes for the vulnerabilities, though not all have been automatically updated.
It should perhaps be no surprise hackers can exploit media players. In March, Wikileaks files published documents detailing Central Intelligence Agency (CIA) tools that targeted both Samsung smart TVs and players including VLC. At the time, VLC said there was no indication the hacks of its software were remotely exploitable and the CIA appeared to use a non-official, modified version of its video player.
U.S. law enforcement have also been keen to use the data collected by smart TVs, as shown in a search warrant found by Forbes targeting a Samsung device earlier this year.
Exploits via subtitles
As for how an attack would go down, Yaniv Balmas, malware research team leader at Check Point, explained his team was able to find a novel way to force the media players to run malicious subtitle files. Each media player, he said, used public repositories of subtitle files, such as OpenSubtitles.org, which Popcorn Time confirmed it was using. The players will typically download and run the most popular file for the chosen movie. That meant Balmas’ team could game the OpenSubtitles.org system to ensure its malicious files would be ranked top and therefore run ahead of others.
With just two minutes of effort, the researchers were able to get their OpenSubtitles.org profiles labelled as trusted Gold Members and with tweaks to file names, they could force their subtitles up to the number one ranking for whatever films they chose (though without doing anything actually criminal). OpenSubtitles.org hadn’t responded to a request for comment at the time of publication.
That was all possible in the first place due to the open nature of such repositories, said Balmas. “Anyone is allowed to access these, you just need a username and you’re free to go,” he told Forbes. “These media players, you don’t know where they’re connecting to, they’re doing it automatically.
“I don’t think this has been seen before… This thing is dangerous.”
He said there were different vulnerabilities in each media player, but they would not be fully disclosed until all vendors had released patches and they were widely deployed. The weaknesses were likely a result of the complexities of each subtitle file parser, and the same vulnerabilities would likely be present across any platform using similar methods for subtitles, Balmas added.
A Stremio spokesperson said the flaws were fixed shortly after Check Point’s disclosure, adding that both available versions of the app – 3.6.7. and 4.0 (beta) – have been patched. Users should receive an automatic update, but they can head to the company’s site to get version 4.0 manually. Kodi developer, Martijn Kaijser, said users could get a fixed version online via this link, while the official v17.2 release would arrive later this week. Popcorn Time said a patch had been released and was available at this link. And VLC added that major issues were addressed in VLC 2.2.5 that’s been out for two weeks, with more fixes coming later this week.
As always, the advice to user is simple: get the updates and patch up. But it might be wise for media players to look at how they handle subtitles too. In particular, Balmas said that if just one standardized program for managing subtitles was used across each media player, it’d likely reduce the complexity and therefore the number of bugs. “That’ll be the real fix,” he added.