The Devil’s in the Subtitles
Widespread malware affecting media players
On May 23rd, 2017, Check Point found a vulnerability in four popular media players that opens a new attack vector: malicious subtitle files crafted to infect computers, smartphones, and smart TVs. Once the files are downloaded, an attacker can potentially take complete control over the device. Over 200 million devices currently run this type of software across the world and are vulnerable to this attack.
This attack has a high likelihood of success because subtitle repositories, such as OpenSubtitles.org, where subtitles are indexed and ranked, are typically seen as trusted sources by a user or by a user's media player. The subtitle supply chain uses over 25 different formats, each with its own unique features and capabilities. This fragmentation, coupled with limited security, means that there are multiple vulnerabilities that can be exploited.
How does it work?
The attackers are able to manipulate these repositories to give the malicious subtitles a higher score. Raising the scores can increase the likelihood that compromised subtitles are chosen by the user. This exploit requires little to no user interaction in order to be successful.
Current methods of endpoint protection treat subtitles as benign text files, which means security firms, users, and anti-virus software agents authorize them without assessing their real nature. This allows the malicious code to go undetected by standard security protocols.
Attackers exploiting this vulnerability are then able to do varying degrees of damage. Potential impact can include but is not limited to:
- Theft of sensitive data
  - Personally Identifiable Information (PII)
  - Financial information
  - Usernames and passwords
- Ransomware
- Distributed Denial of Service activity
What Can Be Done About It?
Check Point has notified the developers of each application of the recent vulnerabilities. Each one has reported that it has patched the flaws and advises users to update their media players as soon as possible.
At this time, we recommend downloading the patches. As more information is gathered about this type of exploit, we will update our blog with further details.
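Beyond patching, the gap described above (subtitles accepted as benign text without inspection) can be narrowed by validating subtitle files as untrusted input before a player loads them. The sketch below is an added example, not code from Check Point or any of the affected players; the SubRip (.srt) layout, the tag allowlist, the limits and the sample files are assumptions, and it enforces a format policy rather than detecting the specific flaws, which this page does not describe.

```python
import re

# Assumptions (not from the page): SubRip (.srt) cue layout, the
# tag allowlist and the size limits are illustrative policy choices.
ALLOWED_TAGS = {"i", "b", "u", "font"}
MAX_BYTES = 2 * 1024 * 1024
MAX_LINE_CHARS = 500
TIMING = re.compile(
    r"^\d{2,}:[0-5]\d:[0-5]\d,\d{3} --> \d{2,}:[0-5]\d:[0-5]\d,\d{3}$")
TAG = re.compile(r"</?\s*([A-Za-z][A-Za-z0-9]*)")
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

# Constructed sample files, not taken from any real repository.
CLEAN = b"1\r\n00:00:01,000 --> 00:00:03,500\r\n<i>Hello</i> there\r\n"
SUSPECT = (b'1\n00:00:01,000 --> 00:00:03,500\n<img src="poster.png">\n\n'
           b"2\n00:00:04,000 -> 00:00:06,000\nhi\n")


def inspect_srt(data: bytes) -> list[str]:
    """Return policy findings for one subtitle file; empty list means clean."""
    if len(data) > MAX_BYTES:
        return [f"file larger than {MAX_BYTES} bytes"]
    try:
        text = data.decode("utf-8-sig")  # tolerate a UTF-8 byte order mark
    except UnicodeDecodeError:
        return ["not valid UTF-8 text"]
    findings = ["control characters present"] if CONTROL.search(text) else []
    blocks = re.split(r"\n\s*\n", text.replace("\r\n", "\n").strip())
    for n, block in enumerate(blocks, 1):
        lines = block.split("\n")
        if len(lines) < 3 or not lines[0].strip().isdigit():
            findings.append(f"cue {n}: malformed cue header")
            continue
        if not TIMING.match(lines[1].strip()):
            findings.append(f"cue {n}: malformed timing line")
        for line in lines[2:]:
            if len(line) > MAX_LINE_CHARS:
                findings.append(f"cue {n}: line over {MAX_LINE_CHARS} chars")
            for tag in TAG.findall(line):
                if tag.lower() not in ALLOWED_TAGS:
                    findings.append(f"cue {n}: disallowed tag <{tag.lower()}>")
    return findings


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, inspect_srt(sample))
```

A file with findings is a candidate for quarantine or manual review, not proof of malice; legitimate subtitles in other encodings or formats will also be flagged under this policy.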
Technical Details
Vulnerable Platforms and Updates:
- PopcornTime – Software to watch Movies and TV shows instantly
- VLC – VideoLAN Media Player
- Kodi (XBMC) – Open-Source Media Software
  - Link to the source code fix is available here: https://github.com/xbmc/xbmc/pull/12024
- Stremio – Video Streaming App for Videos, Movies, TV series, and TV channels
The following links contain information about the exploit and fixes:
- Check Point Write-Up
- The Hacker News