Experts report a critical problem in Widevine's encryption protection for L3 streams, the level used only for low-quality video and audio streams. According to Google, the security bug does not affect L1 and L2 streams: “We are currently working to update our Widevine software DRM with the latest advancements in code protection to address this issue”, the company’s statement said.
As mentioned by KrebsOnSecurity, at the beginning of 2019 security specialist David Buchanan tweeted about the L3 weakness he found so that Google could launch a fix. This latest Widevine hack has been made into an extension for Microsoft Windows users of the Google Chrome web browser and posted for download on the software development platform GitHub.
Researcher Tomer Hadad, who developed the browser extension, said his proof-of-concept code was written to further show that code obfuscation, whitebox cryptography algorithms and other methods of security-by-obscurity will eventually be defeated anyway, so the industry should remain alert.
According to Google, this is a bypass weakness that could be easily fixed. Nonetheless, Hadad thinks this is a far more serious matter: “It’s not a bug but an inevitable flaw because of the use of software, which is also why L3 does not offer the best quality,” Hadad wrote in a report. “L3 is usually used on desktops because of the lack of hardware trusted zones.”
Media companies that stream video using Widevine can opt for several protection levels to stream their content depending on their resources’ capacities. Nowadays most smartphones and mobile devices support L1 and L2 protection.