Article written by Thomas Mennecke
The next generation of optical disc technology holds the promise to change the way we interact with and store digital media. Perhaps the most exciting change is the arrival of High Definition (HD) video, with its glorious 1920x1080 pixel resolution. It's a quantum leap forward in terms of watching digital content, as its vast resolution reveals a quality never seen before in such fine detail.
Because of the rapid escalation of digital file-sharing – especially of video files – Hollywood has been working around the clock to protect HD content. This is especially relevant for one of its primary delivery mechanisms – HD DVD and Blu-Ray discs. These next generation discs, with capacities of 30 gigabytes and 50 gigabytes respectively, have their content protected with an array of DRM (Digital Rights Management). Both are protected with a scheme called AACS, or Advanced Access Content System. This DRM is a great leap forward compared to the weak CSS, or Content Scrambling System, that currently "protects" DVDs. Thanks to Fox, Blu-Ray has an additional layer of protection, called BD+, although most discs have yet to support this protection.
Although Hollywood has constructed enough DRM architecture to rival the Pyramid of Giza, it has long been suspected that it would be only a matter of time before HD DVD and Blu-Ray content protection were compromised. Convinced the golden DRM egg had been laid, it seemed that nothing could penetrate the great AACS wall. And to this day, that great wall still stands.
But why crash through the main gates of Constantinople when you can just pick the lock of a long forgotten rear entrance?
On December 26, 2006, a member of the Doom9.com forums named muslix64 introduced himself as having circumvented the content protection – not the copy protection – of HD DVD. Additionally, he made available an open source program named BackupHDDDVD. At the time, this program was a command line program that bypassed the content protection, provided the individual had successfully obtained the title and volume keys associated with the HD DVD. Once the individual has the keys, the AACS protection can be sidestepped, and the HD movie content can be extracted. According to muslix64, it took all of eight days to successfully circumvent HD DVD content protection.
Much of the more difficult work, such as extracting the keys, has been alleviated as the once-protected key material has proliferated online. To understand where this stunning turn of events is heading, Slyck.com spoke with muslix64, who agreed to a PM (private message) interview.
The mainstream media tends to have many labels for you, i.e. hacker, cracker, pirate, etc., in response to your efforts. What would you call yourself and what would you label your efforts?
I'm just an upset customer. My efforts can be called "fair use enforcement"!
What motivated you to help circumvent the content protection scheme associated with HD DVD and Blu-Ray?
With the HD-DVD, I wasn't able to play my movie on my non-HDCP HD monitor. Not being able to play a movie that I have paid for, because some executive in Hollywood decided I cannot, made me mad...
After the HD-DVD crack, I realized that things were "unbalanced" by having just one format cracked, so I did Blu-Ray too.
Explain how decrypting the device and volume keys are critical to your success. Could you explain the difference between the two?
The device keys are the keys associated with the player.
The volume key is the key associated with the movie.
I don't care about device keys. I do care about volume keys, because by using volume keys instead of device keys, I totally bypass the revocation system. There is no "volume key revocation". There is content revocation, but I really doubt they will ever use it. If you use device keys, they can revoke them. Having the volume key means that you can decrypt title keys (or CPS Unit key in the case of Blu-ray) and then you can decrypt the media file without problem.
I was shocked to realize the volume key was not protected in memory!
Explain how a movie studio could prevent the general public from taking advantage of pirated HD movies, such as ones currently available via Usenet and BitTorrent. For example, if an individual were to download "Serenity", and play it successfully on his or her Power DVD player - and never updated the software - would it be immune from any Hollywood counterattack?
Yes, immune. If the movie is decrypted there is nothing you can do! Or you can use an open-source player, like VideoLan, if a player like PowerDVD becomes more restrictive about playing decrypted movies.
There appears to be some confusion to the extent and specifics of your success. Explain what content protection has been compromised, and what content protection is still intact?
There is no easy answer but, IMHO, AACS is totally busted. The only thing I can see for now to prevent the attack I have described is to put different keys on every disc! It will cost a fortune for the manufacturing, so I'm not sure they will go that way...
People say I have not broken AACS, but players. But players are part of this system! And a system is only as strong as its weakest link. Even if players become more secure, key extraction will always be possible.
I know many people of the industry try to cover up this breach, by saying I have only poked a tiny hole in AACS, but it is more serious than that. Only the future will tell.
The AACS security layer is almost the same for both HD-DVD and Blu-ray, so they are both busted for good.
The only extra security layer is for the Blu-ray format, and it's called BD+. BD+ is not there yet, and I don't know when it will be. Maybe my "exploits" will speed up the adoption of BD+, we will see...
You've recently helped defeat Blu-Ray's content protection as well. What were the similarities/differences in defeating this copy protection scheme?
Almost the same. I use the same known-plaintext attack for both formats. But media format and encryption are slightly different. Because I already had experience with the HD-DVD, it was really easy for Blu-Ray.
What are your ultimate goals? Do you feel that most - if not all - of the content protection will be ultimately defeated?
If you can play it, you can decrypt it! There is nothing you can do about it. The only thing they can try is to slow people down.
To what extent do you feel you can bring your efforts to the mainstream? Do you believe Hollywood's content protection will be rendered so impotent that HDDVD Backup (or a similar device) will be utilized to the same extent as DVD Decrypter or DVD Shrink?
Probably. There are multiple scenarios here. You can write a fully automated decrypter with stolen player keys, but they will revoke the keys.
Anyways, even if they do key revocation, the revocation process will be very slow. It would take at least one month (or more) between revoking the player and new versions of movies with the revocation in stores.
The reaction time of the community will be way faster than the reaction time of the industry.
Explain the differences between DeCSS and your efforts.
I really respect the work of DVD Jon and his friends (he was not alone!) They did more than me. They had to reverse a cipher! I didn't have to reverse anything. So technically speaking, it was easier to bypass AACS than CSS.
To what extent is your work a community effort? Do you feel that without the community's input, we would be having this conversation today?
I was pretty much alone doing the HD-DVD exploit. But I received a lot of help with the Blu-ray, thanks Janvitos!
My 2 programs are only "proof of concept" software. Right now, the community's contribution is vital. They will bring this software to higher level. I just tell people it was possible and I made the demonstration.
What PC based DVD players are currently compatible with defeated HD movies (please distinguish which players are compatible with HD DVD and/or Blu-Ray)?
I don't want to give specific names but I can tell you they are all vulnerable [to a] different extent.
Let's look into the crystal ball. When would you say people will be able to decrypt, burn, and play HD movies (whether HD DVD or Blu-Ray) on their stand alone player?
I think they are already doing it right now! I have seen posts of people claiming they did that on both formats... But I cannot confirm it.
Do you see Microsoft Vista's implementation of HDCP being an obstacle to playing compromised HD movies in high definition?
No. To my understanding, this limitation is enforced in the player! So if you use an open-source player, like VideoLan, there is no problem. Also, a decrypted movie [doesn't] have this limitation if you have disabled the security flags.
The limitation with Vista seems more on the process and memory protection. But I cannot comment on that, I don't know Vista.
Do you see AACS encryption being defeated in the near future?
If you're talking about AES itself (the crypto algorithm), I don't think it will be cracked anytime soon, but we never know. Maybe someone will find another hole, or another way to attack AACS. You cannot attack the crypto itself, you have to attack the protocol or the procedure. When will we find another way around AACS? No idea...
If studios begin revoking encryption keys, do you believe this will pose a significant threat to your progress or overall goals?
Players will become more and more secure. It will slow me down, but it won't prevent key extraction in the long term.
Does the defeat of HD DVD automatically mean a victory for Blu-Ray in the marketplace, or will Blu-Ray be just as vulnerable to the community's efforts?
The less secure the format, the more people will buy. I know a lot of people will disagree with that, but that's my opinion. Right now, both formats are equally vulnerable. We have to wait for the introduction of BD+ to see if it is really that secure...
In the long run, Blu-ray seems more secure (because of BD+) and is now more expensive. So HD-DVD wins!
Describe a potential Hollywood counterattack, and how the community would repulse such an offensive?
Making the keys unique per disc will be the perfect counterattack. So we have to start another attack by stealing the player's key and doing the whole AACS decryption. Then the community will win because they have a faster response time to the revocation than the industry.
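The two answers above (device keys versus volume keys, and "unique keys per disc" as the counter-measure) describe a key hierarchy that is easier to reason about in code. The following is a toy Python model added for this article; it is not muslix64's software and not the real AACS algorithms (HMAC-SHA256 and a SHA-256 keystream stand in for AACS's AES-based functions, and every key, device name and the "movie" are constructed values). The leaked volume key is simply assumed to be known to the caller; how it leaves a player is not modelled. The model shows that revoking a player's device key in a new Media Key Block blocks that player on newly pressed discs, that a leaked volume key needs no device key at all and so is untouched by revocation, that today one leaked volume key opens every pressed copy of the title, and that per-disc unique keys confine the leak to a single disc.

```python
"""Toy model of an AACS-style key hierarchy (constructed for illustration).
Not the real AACS: HMAC-SHA256 and a SHA-256 counter keystream replace AES."""
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way sub-key derivation (stand-in for AACS's AES-G function)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric encrypt/decrypt with a SHA-256 counter keystream (stand-in for AES)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


class Licensor:
    """The licensing authority: issues device keys, builds the MKB, presses discs."""

    def __init__(self):
        self.device_keys = {}          # device_id -> device key (constructed)
        self.revoked = set()
        self.media_key = os.urandom(32)  # media key for the current MKB version

    def enroll(self, device_id):
        self.device_keys[device_id] = os.urandom(32)
        return self.device_keys[device_id]

    def revoke(self, device_id):
        """Publish a new MKB version: fresh media key, revoked device left out."""
        self.revoked.add(device_id)
        self.media_key = os.urandom(32)

    def build_mkb(self):
        # Media key wrapped once per non-revoked device; revoked devices get nothing.
        return {dev: xor_crypt(k, self.media_key)
                for dev, k in self.device_keys.items() if dev not in self.revoked}

    def press_disc(self, content: bytes, volume_id: bytes) -> dict:
        volume_key = kdf(self.media_key, volume_id)  # media key + volume id -> volume key
        title_key = os.urandom(32)
        return {
            "mkb": self.build_mkb(),   # snapshot of the MKB at pressing time
            "volume_id": volume_id,
            "enc_title_key": xor_crypt(volume_key, title_key),
            "enc_content": xor_crypt(title_key, content),
        }


def decrypt_with_volume_key(disc: dict, volume_key: bytes) -> bytes:
    """Path that needs no device key: volume key -> title key -> content."""
    title_key = xor_crypt(volume_key, disc["enc_title_key"])
    return xor_crypt(title_key, disc["enc_content"])


def player_decrypt(disc: dict, device_id, device_key: bytes):
    """Licensed-player path: device key + MKB -> media key -> volume key -> content.
    Returns None when the device is absent from (revoked in) this disc's MKB."""
    wrapped = disc["mkb"].get(device_id)
    if wrapped is None:
        return None
    media_key = xor_crypt(device_key, wrapped)
    return decrypt_with_volume_key(disc, kdf(media_key, disc["volume_id"]))


def scenario() -> dict:
    """Walk through revocation, a leaked volume key, and per-disc keys."""
    la = Licensor()
    key_a = la.enroll("player-A")
    key_b = la.enroll("player-B")
    movie = b"constructed plaintext standing in for the HD video stream"
    results = {}

    disc1 = la.press_disc(movie, b"title-1")
    results["trusted_player_plays"] = player_decrypt(disc1, "player-A", key_a) == movie

    la.revoke("player-A")                      # player-A's keys are compromised
    disc2 = la.press_disc(movie, b"title-2")   # pressed with the new MKB
    results["revoked_player_blocked_on_new_disc"] = player_decrypt(disc2, "player-A", key_a) is None
    results["other_player_unaffected"] = player_decrypt(disc2, "player-B", key_b) == movie
    results["revoked_player_still_plays_old_disc"] = player_decrypt(disc1, "player-A", key_a) == movie

    # Assumed leak: the volume key any licensed player derives while playing disc2.
    leaked_vk = kdf(la.media_key, disc2["volume_id"])
    results["volume_key_bypasses_revocation"] = decrypt_with_volume_key(disc2, leaked_vk) == movie

    # All pressed copies of a title share the volume id, so one leaked key opens them all.
    another_copy = la.press_disc(movie, b"title-2")
    results["leaked_key_opens_every_copy"] = decrypt_with_volume_key(another_copy, leaked_vk) == movie

    # The counter-measure from the interview: a unique key per pressed disc.
    unique_copy = la.press_disc(movie, b"title-2|serial-" + os.urandom(4).hex().encode())
    results["per_disc_key_confines_leak"] = decrypt_with_volume_key(unique_copy, leaked_vk) != movie
    return results


if __name__ == "__main__":
    for check, passed in scenario().items():
        print(f"{check}: {passed}")
```

The model also makes the "one month or more" lag from the interview visible: revocation only reaches a player through the MKB on newly pressed discs, so disc1, pressed before the revocation, keeps playing on player-A no matter what the licensor does afterwards.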
Who do you feel most benefits from your work, and who stands to lose the most?
The consumers will benefit. I hope it will enforce fair use, not piracy. Of course pirates will use this technique, and they already did...
Studios will lose more money with mass counterfeiting than file or key exchange on the net.
Considering the legal problems Jon Lech Johansen endured, are you at all concerned about the repercussions of your work?
I'm really concerned about that. So I will stay put for a while, and watch the show. When the first BD+ movie [comes] out, I will wake up!
Is there anything you would like to add?
I don't think I'm the first who did it. There are probably a lot of people who did that before me, but they keep it secret.
I was disappointed to realize, that BD+ (the other security layer of Blu-ray) was not there yet. It would have been a great challenge! AACS was not a challenge at all...
I'm not the smart guy around; they are just careless about security.
Editor's note: One of the more important lessons muslix64's work exemplifies is the enormous delayed reaction of the entertainment industry. Napster was released in 1999, and to this day the music industry continues to struggle against free file-sharing. There are indications now that DRM is being considered for obsolescence. With muslix64's work, the effort required to keep up with the community-oriented efforts may simply be impossible to sustain.