UNINNOVATE / Engineering At Its Finest

The movie industry spent years developing a new copy protection format for HD-DVD and Blu-ray discs called AACS. After the complete failure of the CSS copy protection system embedded in the original DVD format, the industry wanted to make sure it “got it right” this time. It appears that they have not even come close.

October, 1999:
DeCSS is released, which breaks DVD copy protection and allows DVDs to be copied freely by anyone. The movie industry responds with lawsuits, but is unable to prevent widespread copying. The DVD format become a textbook case of how the trusted client problem shows that DRM systems are insecure.

July, 2004:
Eight major electronics and media corporations join together to create a new, more secure copy protection method for next-generation high-definition movie discs. They seem convinced that this new system will actually be able to prevent unauthorized copying.

“We wouldn’t be investing our time otherwise” - Michael Ripley, Chairman of the AACS Technical Working Group

April, 2005:
The AACS specification is formally released with support from Disney, Intel, Microsoft, Matsushita, Warner Brothers, IBM, Toshiba, and Sony. This system as adopted as the basis for copy protection in the new HD-DVD and Blu-ray formats.

January, 2005:
Despite the confidence of the AACS group in the security of their new protection scheme, the IEEE Spectrum, a highly respected technical journal, names AACS as one of the future technologies most likely to fail.

April, 2006:
The first HD-DVD players that employ AACS for copy protection are released in the United States. The movie industry seems satisfied that the mistakes of the DVD platform have been avoided and that movies will be safe from unauthorized copying.

July, 2006:
Hackers discover that the “Print Screen” key can be used to save images from AACS protected movies.

December, 2006:
A hacker named Muslix64 releases a program that can decrypt HD-DVD movies when supplied with an AACS title key. He also claims that the required keys can be extracted from software HD-DVD players. Details of how to extract the title keys are later revealed.

January, 2007:
A hacker named LordSloth discovers how to extract full volume encryption keys from a software player HD-DVD player called WinDVD. The first publicly pirated HD-DVD movie is the sci-fi movie “Serenity”.
Muslix64 follows up his HD-DVD decrypter with a new application that can decrypt Blu-ray movies.

Feburary, 2007:
By watching the USB traffic between his computer and an Xbox 360 HD-DVD drive, a hacker named Arnezami is able to obtain an AACS processing key. This encryption key allows the full decryption of all HD-DVD and Blu-ray discs published up to Feb, 2007.

A few days later, another hacker using the name “ATARI Vampire” is able to extract the player key from WinDVD 8, which provides another way to fully decrypt any movie released until that point.

April, 2007:
The AACS group responds to the hacks by revoking the encryption keys that have been discovered. This will not protect previously released movies, but it will prevent the existing hacks from working on future titles. All legitimate users of the affected movie playing software are forced to either update their software or lose the ability to watch any movie at all.

The ability to revoke compromised keys is the much-touted advantage of AACS over DVD’s CSS and the main reason the industry had faith in the protection scheme.

April 11, 2007:
In the midst of forced software updates to upgrade the players with revoked keys, hackers discover a way to use the XBox 360 HD-DVD drive to extract AACS volume keys. Once again, all current movies can be copied. However, this hack does not require any software and only requires the actual HD-DVD drive. This potentially presents a huge problem for AACS. The encryption key stored in the drive cannot be revoked without causing issues for thousands of XBox 360 HD-DVD owners.

At this point, every released movie can be copied. The only way to address that issue in the future appears to be constant and significant hassles for legitimate customers.

Wow, AACS really worked out great, huh?

Let’s recap:

• Not one single movie was successfully protected
• A significant percentage of honest customers will face issues playing movies they bought in good faith

No, really… great job on that, guys.

Update (4/16/2007): Ars technical has picked up the story of the latest hack. They are reporting that not only is the latest hack not possible to patch, it may open the door to fully defeating the system:

In addition to being irrevocable, the hack has the potential to make future decryption even easier. “This hack/technique enables us to figure out how the Volume ID is stored on the disc,” arnezami explained. “It’s very possible we would figure out […] how the KCD is stored on the disc. Knowing that and being able to teach a PC drive how to read a KCD will open the door for what I called third-generation decryption.”

Ars Technica: New AACS cracks cannot be revoked, says hacker

2 comments

While sites such as eMusic.com have been successfully selling DRM-free music online for years, these sites have been limited to selling tracks from independent record labels. The major labels have all been unwilling to offer content without DRM.

Today, Apple and EMI announced the first deal between a major record label and an online music store to sell DRM-free music. This represents a sea change in the online music business and will have highly disruptive effects on other online music stores and the other major labels who insist on DRM.

Here are the details:

• The unprotected files offered on Apple’s iTunes Store will be in AAC format and encoded at twice the bit-rate (256kbps) of current iTunes Store offerings.
• The higher-quality tracks will be slightly more expensive ($1.29 each) when purchased by themselves. The lower-quality DRM-protected files will still be available for $0.99.
• Full albums will be automatically provided in the higher-quality, DRM-free format with no price increase.
• DRM-protected files purchased previously can be upgraded to non-DRMed tracks for an additional $.30 per track.

No comments