Faulty implementation of HDCP by Amazon and Netflix

I often stream from my Xbox through my PC, and in one livestream I was already looking for new series in the Netflix app. Thereupon I stopped the streaming and was irritated. Normally, the copy protection should already work when opening the Netflix app. Unlike Amazon Prime Video, here the HDCP protection is activated for every single episode. After some tests I noticed that no HDCP was working anymore. I already announced the release at the beginning of December; I told them over 90 days ago.

It is noticeable because I stream it through a number of devices so that I can use all audio signals in parallel with 5.1. Once I streamed 10 seconds of a series to this device by mistake. Fortunately I noticed it quickly so I was able to stop it. 

Why can I stream on-demand over my entire network and online? HDCP is the copy protection that should prevent this. In the beginning my idea was that it was because I have a Beta/Alpha firmware on the device. After that I tested different devices, was able to identify the product line, and noticed that it is not due to my PC or the capture card. It took me about a week to find out what the problem was: a software problem of the on-demand partners, who managed to program their own apps incorrectly. I will go into the exact details in a few months. The company that manufactures the apps reported back within 72 h, including a technical explanation, and confirmed my suspicion.

Since I could send this gap to some people in the scene, I could make money with it, or even become a pirate copier myself. But no, I don’t want to and I can’t do that, because I don’t want the people who are in front of the camera every day and who are responsible for the infrastructure to suffer any damage.

Critical or trivial

Whether the gap is critical or trivial is relatively simple to answer. The core product of both portals, besides VOD, is in-house production and exclusive content. Of course there are already HD Fury and other converters that either remove the copy protection directly or make it possible by pushing HDCP to 1.4. But with my method direct recording is possible. For about 100 € I have the direct recording device.

Trace search

While Microsoft’s Blu-ray app refused to play, Netflix and Amazon Prime Video continued to work. My capture card has an option to enable/disable HDCP permanently, but this setting was set to disabled. So the Xbox shouldn’t have been able to output any HDCP content. Only the Blu-ray app checks if HDCP works correctly.

On the hardware side, the source of the error can only be my capture card, the Avermedia GCE 573, or the Xbox One X – Scorpio Edition with Alpha updates. After testing with the PS4 and other Xbox consoles in different update stages, it became clear quite quickly that the problem must be on the Xbox.

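| App | Xbox One X, HDCP deactivated | Xbox One X, HDCP activated | Xbox One S, HDCP deactivated | Xbox One S, HDCP activated | PS4 Pro, HDCP deactivated | PS4 Pro, HDCP activated |
|---|---|---|---|---|---|---|
| Netflix | | | | | | |
| Amazon Prime Video | | | | | | |
| Blu-ray App | | | | | | |
| YouTube | | | | | | |
| Sky Ticket | | | | | | |
| Disney+ | N/A | N/A | N/A | N/A | N/A | N/A |
| Maxdome | N/A | N/A | N/A | N/A | N/A | N/A |
| HBO | N/A | N/A | N/A | N/A | N/A | N/A |
| Hulu | N/A | N/A | N/A | N/A | N/A | N/A |

Legend: ✔ works compliantly; ✘ does not work (HDCP protection does not work)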

Amazon and the disclosure policy without bounties

So first you try to contact the app manufacturers. In the search for the security research department or bug bounty department you will be disappointed. On a very simple page you have the possibility to report the bug and that’s it. So I asked for information about a reward on 04.07.2019. I want to see my invested time rewarded. I don’t care if it is a shirt, a voucher or something else. It is about the recognition of the work and time you have invested in it.

The answer regarding the bug bounty from Amazon came 3 hours later:

Thanks for your email, can you please help us better understand the issue you are observing and the related security risks?

So I was kind enough to describe the bug a little bit. On 07.07.2019 an email arrived saying that they are always thankful, but that they can’t give me anything.

On 09.07.2019 I wrote in response:

The error lies in the inconsistent implementation of the HDCP. Only True / False values are checked. However, some devices are also able to deliver a more specific value or a faulty one.

So I am able to pick up the contents of Amazon Prime in 4K HDR with the Xbox One via the Avermedia Capture Card (https://amzn.to/34yw0So).
The card can output unexpected information about settings and thus cause the Xbox not to deliver HDCP. However, the source of the problem is the app itself, as other media apps can handle these errors.

I hope to be able to help you protect your content.

On January 15th, 2020 I will write about it in my blog, as long as I give them time to fix this problem.

If this bug is intended or if you need more time to solve it, please let me know so that I can publish my contributions later.

Only 7 h later I already had my case ID SI135552466 and waited. And on 11.07.2019 the surprise came. You don’t reward the time and effort, but now you want me to invest even more time: 

Could you please provide us with the details requested below to help us with this investigation:

Please provide a sample rip of some content that you were able to copy.
Are you using the production app, or a development app?
Please provide a complete list of steps to reproduce this with your capture card.

Thanks again for helping us improve our services.

So I was kind enough to send them these instructions on 2019-07-11:

Hi ******,

    1. Link deleted
    2. I am using the production App.
    3. List of steps
      1. Connect Xbox One X through Avermedia Capture Card (https://amzn.to/34yw0So) with a monitor. (In my case I can't test HDR; if you send me a 4K HDR screen I can test it.) But I think it is possible, because HDR is only a feature, not a copy protection setting.
      2. Install the Amazon Video app on your Xbox
      3. Install the ReCentral 4 software on Windows 10
      4. In the card settings, force the card to disable HDCP. (You can only force on/off, not dynamic. :’( )
      5. The Xbox now gets the information that HDCP is available, but cannot be activated. Here is the bug! The Xbox app is not correctly handling HDCP failures and so HDCP is bypassed.
      6. You start the Amazon app, then you can record the content
    4. Microsoft MSRC tells me, that the implementation is not correct, because the Bluray App works. You can see it at the end of the Video.
    5. Netflix has the same security issue. I am going to inform them about their own app.
    6. I would be glad to be able to test more devices, e.g. amazon devices. It would be great if you could support me. Please let me know if some kind of reward for finding this security issue is possible.
    7. I also tried another capture card (Terratec Grabster Extreme HD). There it does not happen because it does not produce an HDCP handshake failure.

Regards Sebastian

After that came a thank you email, which looks like a ready-made automatic email, and that was it. Apart from the fact that they don’t show much gratitude, the interest was also relatively low and no case update has been done since then. Saving and optimizing is good, but shouldn’t there at least be a little reward to make it appealing for security researchers and bug hunters? Cloudflare gives out a free month and a shirt.

In another mail on 17.10 I was informed that a bug bounty program would start soon and I was invited to join it. 

Netflix gfys

At the same time I contacted Netflix via the Bugcrowd program and hoped to get at least one free month/year of Netflix or something simple. Registering on the platform was easy, but Bugcrowd requires verification with ID card and all. Netflix has also clearly communicated all rules under which they accept bug bounties. To be on the safe side I read all their rules and felt a bit offended. I understand that you can exclude a lot of things outright, but not that you can exclude everything that does not affect your core infrastructure. So all apps and third party applications are excluded. So gaps on official Netflix domains and the mobile apps for iOS and Android are honored. But not the operating systems Tizen, Linux and Windows, or even the consoles Xbox and PlayStation.

Again, I started the conversation very amateurishly with the question whether bugs to circumvent the copy protection are excluded. However, I described directly that I am able to record the 4K content with HDR. The only answer was whether I could show recordings and tell them more about it.

So I described the error in more detail and explained that it is due to the faulty implementation of HDCP protection on the Xbox. I also asked again whether they would then honor my already invested time in any form. Of course I would then gladly invest more time.

After more than 2 weeks without any reaction, I sent them on 12.09.2019 the same instructions as Amazon the day before. Immediately after that, reactions followed which I did not expect:

Hey huskynarr,
we are still investigating this and will get back to you asap. Thank you for additional details and proof of concept.
Cheers,

Only 4 hours passed and the status of the bug was changed. The status “Blocker” was removed and changed to “Not accepted”. On 16.09.2019 a further reply was sent:

Hey Huskynarr,
Thanks for your patience. We have discussed this issue with the Netflix team and agree that this is out of scope – playback issue. However, the team is interested in investigating this issue in detail so I am requesting some information from you:
we want to understand the detail (actual served resolution of the captured content), or the account you used to capture content and the approximate date and time of the captured playback. We look forward to hearing from you.

I do not give away the account I use. Because, as people usually do, I share the account with my best friend and don’t want to involve him. Above all, it shouldn’t be that difficult for a security team to organize an Xbox or this capture card. An Xbox should be available in the department anyway. Not because I’m an Xbox fan, but because they ship an application on it. Or the QA department should have one that you can borrow for a short time.

In two other communications I then announced that I had no further interest. They have all the details they need and the notice that I will publish the article. 

Role model Microsoft

Even though there is no obvious bug bounty explicitly for Xbox, I contacted MSRC, as well as a contact from Azure Stack at Devcom 2019, where I received a shirt in advance as a small thank you for my efforts.

On 11.07.2019 I wrote 

Hi ******,

    1. Link deleted
    2. I am using the production App.
    3. List of steps
      1. Connect Xbox One X through Avermedia Capture Card (https://amzn.to/34yw0So) with a monitor. (In my case I can't test HDR; if you send me a 4K HDR screen I can test it.) But I think it is possible, because HDR is only a feature, not a copy protection setting.
      2. Install the Amazon Video app on your Xbox
      3. Install the ReCentral 4 software on Windows 10
      4. In the card settings, force the card to disable HDCP. (You can only force on/off, not dynamic. :’( )
      5. The Xbox now gets the information that HDCP is available, but cannot be activated. Here is the bug! The Xbox app is not correctly handling HDCP failures and so HDCP is bypassed.
      6. You start the Amazon app, then you can record the content
    4. Microsoft MSRC tells me, that the implementation is not correct, because the Bluray App works. You can see it at the end of the Video.
    5. Netflix has the same security issue. I am going to inform them about their own app.
    6. I would be glad to be able to test more devices, e.g. amazon devices. It would be great if you could support me. Please let me know if some kind of reward for finding this security issue is possible.
    7. I also tried another capture card (Terratec Grabster Extreme HD). There it does not happen because it does not produce an HDCP handshake failure.

Regards Sebastian

On 17.07.2019 an answer from Microsoft already followed. The employees of the security department confirmed the initial suspicion that these were app bugs, that is, caused by a faulty implementation of HDCP.

Hello Huskynarr,

Thank you for reaching out and submitting this issue to Microsoft. We determined that this behavior is considered to be by design.

HDCP works fine on the console.  Movies & TV prevents media playback when routed through an HDMI capture card.  It is up to the app as to how they want to handle HDCP failures (if at all).  Netflix is currently not handling HDCP failures.

There is no issue with the Xbox platform, this is an application issue with Netflix, but only if they intend to limit playback when an HDCP isn’t available.
We have therefore closed this case.   

If you have any questions, or additional information related to this report, please reply on this case thread.  

Thank you very much for working with us.

Regards,
MSRC

The problem in detail

Netflix and Amazon have implemented HDCP, but they have only addressed the question of whether HDCP is available or not. The Avermedia card probably reports that HDCP is available but cannot be activated, which is neither a True nor a False value. The apps can’t handle this and continue to output the content. YouTube, Sky and Twitch have implemented this function correctly.
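
The following added example, which is not code from any of the apps or from the original post, models the fail-open boolean check described above next to a fail-closed one that treats "available but not activated" and faulty values as a refusal. The `LinkState` values, the function names and the sample reports are assumptions constructed for illustration, not a real console API.

```python
from enum import Enum

class LinkState(Enum):
    """Constructed model of what the video output may report (not a real console API)."""
    ACTIVE = "active"                              # HDCP negotiated, link encrypted
    UNSUPPORTED = "unsupported"                    # sink offers no HDCP at all
    AVAILABLE_NOT_ACTIVE = "available_not_active"  # advertised, but activation failed
    UNKNOWN = "unknown"                            # faulty or unexpected value

def parse_state(raw):
    """Map a raw reported value to a LinkState; anything unrecognised is UNKNOWN."""
    try:
        return LinkState(raw)
    except ValueError:
        return LinkState.UNKNOWN

def naive_allows_playback(raw):
    """Fail-open: collapses the report to 'is HDCP available?' and plays if so."""
    return parse_state(raw) is not LinkState.UNSUPPORTED

def strict_decision(raw, requires_hdcp=True):
    """Fail-closed: protected content plays only on a confirmed ACTIVE link.

    Returns (allowed, reason) so that a refusal can be logged and investigated.
    """
    if not requires_hdcp:
        return True, "content does not require output protection"
    state = parse_state(raw)
    if state is LinkState.ACTIVE:
        return True, "HDCP active"
    return False, f"HDCP not confirmed active ({state.value}, raw={raw!r})"

def fail_open_cases(raw_states):
    """Reports for which the naive check plays but the strict check refuses."""
    return [r for r in raw_states
            if naive_allows_playback(r) and not strict_decision(r)[0]]

# Constructed sample reports, including the 'available but cannot be activated' case.
SAMPLE_REPORTS = ["active", "unsupported", "available_not_active", "0xFF", None]

if __name__ == "__main__":
    for raw in SAMPLE_REPORTS:
        print(repr(raw), naive_allows_playback(raw), strict_decision(raw))
```

Running `fail_open_cases` over the output states seen in QA shows exactly which reports a boolean check lets through.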

Over 90 days later

Amazon sent out a newsletter at the beginning of last month that they are working on a bug bounty program. I haven’t heard from Amazon since then. Netflix has never contacted me again. I am surprised how both companies want to nip hope in the bud and have the problem chewed up and served. And that without any motivation whatsoever. 

The problem is still there on 20.01.2020 and I am still able to record the content from Netflix and Amazon Prime Video in 4K. 

Update: In the meantime, the bug has been fixed, but without communication to the outside.