Google's Widevine L3 DRM cracked by a security researcher

• Security researcher cracked Widevine DRM’s L3 level of encryption which is the lowest level of protection used for low-quality video and audio.
• The hack may not have a big impact as modern devices generally support higher levels of DRM protection.

Digital Rights Management (DRM) technologies are widely used by companies to prevent online piracy by encrypting the content transferred online, especially in the case of multimedia streaming platforms and gaming platforms.

Recently, the L3 protection level of Google’s popular DRM technology, Widevine, was cracked by a security researcher. Using this hack, the researcher could view the multimedia streams which would otherwise be encrypted and would not be viewable without proper authentication through a registered client.

Different levels of protection

Despite the hack, it is to be noted that the researcher only managed to crack the lowest level of authentication available in the Widevine DRM technology. The L3 level cracked by the researcher is used for low-quality video and audio streams only.

Google’s Widevine DRM provides three levels of data protection - L1, L2, and L3. The differences between the three levels are as follows.

• L1 - This is the highest level of protection where all content processing and encryption/decryption operations are done inside the CPU’s Trusted Execution Environment (TEE). For example, Qualcomm’s TrustZone (TZ) solution available in many of its chips, can support this level of protection.
• L2 - In this level, the content processing is done outside the TEE of the CPU.
• L3 - Here, both the content processing and encryption/decryption operations are done outside the TEE or it is used in case the CPU does not have the TEE feature.

Depending on the type of device and the type of content, applications like Netflix or Amazon’s Prime Video choose different levels of protection for sending content. Usually, L3 is only used for the lowest-quality content due to less protection compared to higher levels.

Details on the hack

The British security researcher David Buchanan is the first one to crack the L3 level. He took to Twitter to announce his hack stating, “Soooo, after a few evenings of work, I've 100% broken Widevine L3 DRM. Their Whitebox AES-128 implementation is vulnerable to the well-studied DFA attack, which can be used to recover the original key. Then you can decrypt the MPEG-CENC streams with plain old ffmpeg.”

However, the researcher had not posted any proof-of-concept (PoC). In any case, such a PoC would not be enough to verify his claim as one would first need the permission to receive the DRM-encrypted data from a stream. Only then, one would be able to test the decryption method discovered by the researcher.

What is the impact?

The hack has not received wide acclaim from the security community since it only affects the lowest L3 level of Widevine DRM.

Moreover, most modern smartphones and other devices support high-quality HD streaming which does not rely on L3 level. Thus, this hack would not help anyone commit piracy of high-quality content.

The issue was reported to Google by the researcher. However, according to the researcher, the issue comes from a design flaw and cannot be fixed easily as it is not a direct bug or vulnerability.