Hackers Can Use Subtitles to Take Over Millions of Devices Running VLC, Kodi, Popcorn Time and Strem

posted by Fnord666 on Tuesday May 23, @05:10PM
Security

Check Point researchers revealed a new attack vector threatening millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio. By crafting malicious subtitle files for films and TV programmes, which are then downloaded by viewers, attackers can potentially take complete control of any device running the vulnerable platforms.

"The supply chain for subtitles is complex, with over 25 different subtitle formats in use, all with unique features and capabilities. This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers," said Omri Herscovici, vulnerability research team leader at Check Point.

The subtitles for films or TV shows are created by a wide range of subtitle writers, and uploaded to shared online repositories, such as OpenSubtitles.org, where they are indexed and ranked. Researchers also demonstrated that by manipulating the repositories' ranking algorithm, malicious subtitles can be automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain without user interaction.

Source: https://www.helpnetsecurity.com/2017/05/23/subtitle-hack/
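The summary's point is that a subtitle file pulled from a public repository is untrusted input that the player hands to one of two dozen permissive format parsers. The defensive counterpart is to validate such a file against a strict grammar with hard size limits before rendering it. The following is an added illustration of that pattern for the SubRip (.srt) format; it is example code, not code from Check Point, VLC, Kodi, Popcorn Time or Stremio, and the limits, tag allow-list and sample inputs are constructed for this example rather than taken from any player.

```python
"""Strict SRT (SubRip) subtitle validator (added example, not a player's code).

The player-side idea: parse a downloaded subtitle with an allow-list grammar and
hard caps, and reject the whole file on the first violation, instead of feeding
it to a permissive parser. All limits below are assumptions chosen for the example.
"""
import re
from dataclasses import dataclass

# Hard caps for this example; a real player would tune them to its renderer.
MAX_FILE_BYTES = 2 * 1024 * 1024
MAX_CUES = 20_000
MAX_LINES_PER_CUE = 6
MAX_LINE_CHARS = 200
ALLOWED_TAGS = {"i", "b", "u"}  # the only styling tags this validator accepts

TIMESTAMP_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}),(\d{3}) --> (\d{2}):(\d{2}):(\d{2}),(\d{3})$"
)
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)[^<>]*>")
# Any C0/C1-style control character other than tab is rejected.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


class SubtitleRejected(ValueError):
    """Raised when a file violates the strict grammar or a size limit."""


@dataclass
class Cue:
    index: int
    start_ms: int
    end_ms: int
    lines: list


def _to_ms(h, m, s, ms):
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)


def _check_text_line(line, cue_no):
    if len(line) > MAX_LINE_CHARS:
        raise SubtitleRejected(f"cue {cue_no}: line exceeds {MAX_LINE_CHARS} chars")
    if CONTROL_RE.search(line):
        raise SubtitleRejected(f"cue {cue_no}: control character in text")
    for tag in TAG_RE.findall(line):
        if tag.lower() not in ALLOWED_TAGS:
            raise SubtitleRejected(f"cue {cue_no}: disallowed tag <{tag}>")


def parse_srt_strict(data: bytes):
    """Parse SRT bytes; return a list of Cue or raise SubtitleRejected."""
    if len(data) > MAX_FILE_BYTES:
        raise SubtitleRejected("file too large")
    try:
        text = data.decode("utf-8")  # anything that is not valid UTF-8 is refused
    except UnicodeDecodeError as exc:
        raise SubtitleRejected("not valid UTF-8") from exc
    text = text.lstrip("\ufeff").replace("\r\n", "\n")
    cues = []
    for block in [b for b in text.split("\n\n") if b.strip()]:
        lines = block.strip("\n").split("\n")
        if len(lines) < 2:
            raise SubtitleRejected("cue without timestamp line")
        if not lines[0].strip().isdigit():
            raise SubtitleRejected("cue index is not a number")
        m = TIMESTAMP_RE.match(lines[1].strip())
        if not m:
            raise SubtitleRejected(f"bad timestamp line: {lines[1]!r}")
        start, end = _to_ms(*m.groups()[:4]), _to_ms(*m.groups()[4:])
        if end < start:
            raise SubtitleRejected("cue end before start")
        body = lines[2:]
        if len(body) > MAX_LINES_PER_CUE:
            raise SubtitleRejected("too many lines in one cue")
        for line in body:
            _check_text_line(line, len(cues) + 1)
        cues.append(Cue(int(lines[0]), start, end, body))
        if len(cues) > MAX_CUES:
            raise SubtitleRejected("too many cues")
    return cues


def validate(data: bytes):
    """Return (True, cues) on success or (False, reason) on rejection."""
    try:
        return True, parse_srt_strict(data)
    except SubtitleRejected as exc:
        return False, str(exc)


# Constructed sample: a benign two-cue file using an allowed tag.
GOOD_SRT = b"""1
00:00:01,000 --> 00:00:03,500
Hello, <i>world</i>.

2
00:00:04,000 --> 00:00:06,000
Second line.
"""

# Constructed sample of the kind of input the caps exist for: an oversized
# text line carrying a tag outside the allow-list.
BAD_SRT = b"1\n00:00:01,000 --> 00:00:02,000\n<script>" + b"A" * 5000 + b"\n"

if __name__ == "__main__":
    for name, sample in (("good", GOOD_SRT), ("bad", BAD_SRT)):
        ok, detail = validate(sample)
        print(name, "accepted" if ok else f"rejected: {detail}")
```

The design choice worth noting is fail-closed behaviour: the validator rejects the entire file on the first violation rather than trying to salvage cues, because a renderer that "does its best" with malformed input is exactly the permissive behaviour the summary describes as the weak link. A player would run such a check on the downloaded bytes before the file ever reaches its real subtitle engine.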

  • (Score: 2) by DECbot on Tuesday May 23, @05:18PM

    by DECbot (832) on Tuesday May 23, @05:18PM (#514388) Journal

    This is how I imagine the malicious subtitles would sound if piped to a text to speech vocalizer:

    https://www.youtube.com/watch?v=sKa2tz9CpZk [youtube.com]

  • (Score: 1, Funny) by Anonymous Coward on Tuesday May 23, @05:23PM (4 children)

    by Anonymous Coward on Tuesday May 23, @05:23PM (#514399)

    It's all such horrific nonsense.

    Do yourself a favor, and cut computing out of your life as much as possible. It's just trash, because humans are trash.

    • (Score: 0) by Anonymous Coward on Tuesday May 23, @05:32PM (2 children)

      by Anonymous Coward on Tuesday May 23, @05:32PM (#514405)

      I'm much happier since I stopped talking to people.

      • (Score: 2) by LoRdTAW on Tuesday May 23, @05:36PM

        by LoRdTAW (3755) Subscriber Badge on Tuesday May 23, @05:36PM (#514408)

              _
             ( )
              H
              H
             _H_
          .-'-.-'-.
          /         \
        |           |
        |   .-------'._
        |  / /  '.' '. \
        |  \ \ @   @ / /
        |   '---------'
        |    _______|
        |  .'-+-+-+|
        |  '.-+-+-+|         Kill All Humans
        |    """""" |
        '-.__   __.-'
             """

      • (Score: 0) by Anonymous Coward on Tuesday May 23, @05:37PM

        by Anonymous Coward on Tuesday May 23, @05:37PM (#514410)

        Is it any wonder that the religions of the world tend to involve at some higher level the lone, cloistered monk?

    • (Score: 2) by julian on Tuesday May 23, @05:36PM

      by julian (6003) on Tuesday May 23, @05:36PM (#514409)

      I've almost finished my breadboard computer, which can neither be hacked nor perform practically useful work!

  • (Score: 0) by Anonymous Coward on Tuesday May 23, @05:28PM

    by Anonymous Coward on Tuesday May 23, @05:28PM (#514402)

    And bug numbers or CVEs...

  • (Score: 2) by bob_super on Tuesday May 23, @05:35PM

    by bob_super (1357) on Tuesday May 23, @05:35PM (#514407)

    I smell a copyright rat.

    > The supply chain for subtitles is complex, with over 25 different subtitle formats in use, all with unique features and capabilities.
    > This fragmented ecosystem, (...), making it a hugely attractive target for attackers,

    At last check, a fragmented and complex system, used by a limited and often more technical audience, regularly on dedicated devices, is NOT a hugely attractive target for someone to code attacks.

    Granted, not everyone wants to face MS or Google tech teams. But the odds of return, in both money or hacker recognition, for targeting such a small pool of potential victims, have to equal the terrorism risk in a world of high-speed cars driven by fentanyl-loaded drunk people.

