Vulnerabilities in various media players enable hackers to use subtitle files to control devices. How is this possible, and have the media player vulnerabilities been patched?
In order to control a device via subtitle files, an attacker crafts a malicious subtitle file that opens the door to remote control of a victim's PC, smart TV or mobile device.
With a couple of clicks, an attacker can upload the malicious file, in any subtitle file format, to an online repository. The attacker then manipulates the repository's ranking algorithm so that the malicious files get higher ratings than the legitimate ones and are the files downloaded to a media player.
As soon as the media player opens, the victim unknowingly loads subtitle files from a repository that is treated as a trusted source. Before displaying the subtitles on the screen, the media player parses the infected files. While this is common, the method of downloading subtitle files varies from one media player to another.
For example, Popcorn Time lets a victim choose a movie over the internet and, while playing the movie, the victim unknowingly loads malicious subtitles. The attacker then remotely opens the command prompt screen and waits for the connection to occur. Upon a successful connection, the attacker gains full control of the victim's endpoint device.
Another approach is exhibited through Kodi, as it lets the user select a movie from a given library. If the library is maliciously or legitimately empty, the victim is asked to populate it with personal media. After playing the media, the player then asks the victim to choose and download subtitles from OpenSubtitles.org. After waiting a certain amount of time, the attacker takes over the victim's device.
In addition to running on popular platforms, Kodi can be installed on a Raspberry Pi or Amazon Fire TV Stick. Likewise, VLC can capture DirectShow body-worn camera videos, and Stremio can run YouTube and Twitch.TV media.
While the newer software versions for these four players have fixed the known vulnerabilities, the risk with lesser-known media players is unknown, and users should check to see if similar security holes exist.
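For players whose patch status is unknown, one defensive measure is to treat every downloaded subtitle file as untrusted input and validate it before the player parses it. The following is an added example, not code from any of the players named above; it assumes the SubRip (.srt) format, and the size cap, the allowlist of `<i>`, `<b>` and `<u>` styling tags, and the function name `validate_srt` are all assumptions made for illustration.

```python
import re

MAX_BYTES = 512 * 1024  # assumed cap; plain-text subtitle tracks are small
TIME = r"(\d{2}):([0-5]\d):([0-5]\d),(\d{3})"
TIMING_RE = re.compile(rf"^{TIME} --> {TIME}$")
ALLOWED_TAG_RE = re.compile(r"</?[ibu]>", re.IGNORECASE)  # assumed allowlist

# Constructed samples (not taken from any real subtitle file).
GOOD = b"1\n00:00:01,000 --> 00:00:03,500\n<i>Hello</i> there\n\n2\n00:00:04,000 --> 00:00:05,000\nBye\n"
BAD_MARKUP = b"1\n00:00:01,000 --> 00:00:03,500\n<img src=x>\n"


def _ms(h, m, s, ms):
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)


def validate_srt(raw: bytes):
    """Return a list of (start_ms, end_ms, text) cues or raise ValueError."""
    if len(raw) > MAX_BYTES:
        raise ValueError("file too large for a subtitle track")
    try:
        text = raw.decode("utf-8-sig")  # strict decode; tolerate a BOM only
    except UnicodeDecodeError as exc:
        raise ValueError("not valid UTF-8") from exc
    cues = []
    blocks = filter(None, re.split(r"\n{2,}", text.replace("\r\n", "\n").strip()))
    for n, block in enumerate(blocks, 1):
        lines = block.split("\n")
        if len(lines) < 3 or lines[0].strip() != str(n):
            raise ValueError(f"cue {n}: bad index or missing text")
        match = TIMING_RE.match(lines[1].strip())
        if not match:
            raise ValueError(f"cue {n}: malformed timing line")
        g = match.groups()
        start, end = _ms(*g[:4]), _ms(*g[4:])
        if end <= start:
            raise ValueError(f"cue {n}: end time not after start time")
        body = "\n".join(lines[2:])
        # Whatever remains after removing allowlisted tags must be plain text.
        leftover = ALLOWED_TAG_RE.sub("", body)
        if "<" in leftover or ">" in leftover or any(
                ord(c) < 32 and c != "\n" for c in leftover):
            raise ValueError(f"cue {n}: markup or control characters in text")
        cues.append((start, end, body))
    if not cues:
        raise ValueError("no cues found")
    return cues
```

A check like this narrows what reaches the player's own parser; it does not replace updating the player to a fixed version.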