Vulnerabilities in various media players enable hackers to use subtitle files to control devices. How is this possible,...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
and have the media player vulnerabilities been patched?
In order to control a device via subtitle files, an attacker crafts a malicious subtitle file that opens the door to remote control of a victim's PC, smart TV or mobile device.
With a couple of clicks, an attacker can upload the malicious file in any subtitle file format to an online repository. The ranking algorithm is then manipulated to ensure that the malicious files get higher ratings than the legitimate files, which are then downloaded to a media player.
As soon as the media player opens, the victim unknowingly loads subtitle files from a repository that is treated as a trusted source. Before displaying the subtitles on the screen, the media player parses the infected files. While this is common, the method of downloading subtitle files varies from one media player to another.
For example, Popcorn Time lets a victim choose a movie over the internet and, while playing the movie, the victim unknowingly loads malicious subtitles. The attacker then remotely opens the command prompt screen and waits for the connection to occur. Upon a successful connection, the attacker gains full control of the victim's endpoint device.
Another approach is exhibited through Kodi, as it lets the user select a movie from a given library. If the library is maliciously or legitimately empty, the victim is asked to populate it with personal media. After playing the media, the player then asks the victim to choose and download subtitles from OpenSubtitles.org. After waiting a certain amount of time, the attacker takes over the victim's device.
In addition to running on popular platforms, Kodi can be installed on a Raspberry Pi or Amazon Fire TV Stick. Likewise, VLC can capture DirectShow body-worn camera videos, and Stremio can run YouTube and Twitch.TV media.
While the newer software versions for these four players have fixed the known vulnerabilities, the risk with lesser known media players in unknown, and users should check to see if similar security holes exist.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Learn how to protect sensitive data with mobile encryption
Discover what encryption tools can secure data for internet of things devices
Read more about securing your connected devices
Dig Deeper on Web server threats and application attacks
Related Q&A from Judith Myerson
The NIST published guidance on building up platform firmware resiliency. Expert Judith Myerson looks at the NIST guidelines and the major takeaways ...continue reading
With a port swapping attack, hackers can bypass two-factor authentication and control a victim's mobile device. Judith Myerson explains how the ...continue reading
Knowing what ransomware recovery methods are available is important as the threat continues to grow. Expert Judith Myerson outlines what the NIST ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.