A team of researchers at Check Point Software Technologies recently announced the disturbing results of a new study that identified media player subtitles as a new avenue of attack for hackers. Cyber hacks typically fall into two broad categories, either: (a) enticing the user to visit a malicious website; or (b) masking a malicious file that the user is conned into running on a device themselves. The latest vulnerability discovered by Check Point falls into the latter category, but is particularly dangerous due to the minimal amount of action required on the part of a user, and the general lack of awareness the public has about the vulnerability.
The study was conducted on four popular video players and services: VLC Media Player, Kodi, Stremio and Popcorn Time. VLC Media Player (VLC) is a free and open-source media player and streaming service written by the VideoLAN project. Researchers were able to use a memory corruption vulnerability to hack into a PC computer through subtitle files. Check Point notified VLC developers of this issue in April, who have since patched four separate vulnerabilities. According to VLC, 170 million users have downloaded the player since June 2016 alone. A total of over 220 million users are estimated to be vulnerable to such attacks across all media players.
Subtitles come from individual writers, who upload them to sites such as OpenSubtitles. Therefore, a user can add subtitles to movies even if they are not available by default. Hackers can deposit malicious code files onto these sites as well, and can manipulate the rankings on such subtitle sites such that those malicious files are automatically presented for download as the default option.
While many users would perhaps avoid clicking a link in a suspicious looking email or download movie files only from websites they trust, they are unlikely to consider the source of the code that supplies the closed captioning for that movie. In addition, movie subtitles are usually considered benign text files and may not be properly vetted by most security software.
The vulnerabilities to subtitle hacks are particularly high due to the fragmented nature of subtitle coding. There are 25 separate formats available, and media players use different formats and sometimes multiple formats, increasing the opportunities for malicious code to be inserted unnoticed and without proper screening. The lack of a centralized or standardized code and format allows for increased side entrances by attackers.
The vulnerabilities in media player subtitle files can be used to gain complete control of any type of device, ranging from laptops to mobile devices and even smart TVs. As soon as the media player has processed the malicious subtitle files, hackers may be granted full control of a user device before the actual subtitles have even been displayed on the screen. The scope of potential damage to a user is dangerously broad.
Other media players not included in the study likely share these vulnerabilities. Some of the media players above, such as VLC, have released updated versions of their program to fix these issues. Users are encouraged to update their media players as soon as possible.