June 24, 2017

CD DRM: Attacks on Installation

Alex and I are working on an academic paper, “Lessons from the Sony CD DRM Episode”, which will analyze several not-yet-discussed aspects of the XCP and MediaMax CD copy protection technologies, and will try to put the Sony CD episode in context and draw lessons for the future. We’ll post the complete paper here later in the week. Until then, we’ll post drafts of a few sections here. We have two reasons for this: we hope the postings will be interesting in themselves, and we hope your comments will help us improve the paper.

Today’s section is part of the technical core of the paper.

Please note that this is a draft and should not be formally quoted or cited. The final version of our entire paper will be posted here when it is ready

Attacks on Installation

Active protection measures cannot begin to operate until the DRM software is installed on the user’s system. In this section we consider attacks that either prevent installation of the DRM software, or try to capture music files from the disc in the interval after the disc has been inserted but before the DRM software is installed on the computer.

Autorun

Both XCP and MediaMax relies on the autorun feature of Windows. Whenever removable media, such as a floppy disc or CD, is inserted into a Windows PC (and autorun is enabled), Windows looks on the disc for a file called autorun.ini; if a file with that name is found, Windows executes commands found in it. Autorun allows a disc to pop up a splash screen or simple menu, for example to offer to install software found on the disc. However, the autorun mechanism will run any program that the disc specifies.

Other popular operating systems, including MacOS and Linux, do not have an autorun feature, so this mechanism does not work on these other systems. XCP ships only Windows code and so has no effect on other operating systems. MediaMax ships with both Windows and MacOS code on the CD, but only the Windows code can autorun. The MacOS code relies on the user to double-click an installer on the CD, which few users will do.

Current versions of Windows ship with autorun enabled by default, but the user can choose to disable it. Many security experts advise users to disable autorun, to protect against disc-borne malware. If autorun is disabled, the XCP or MediaMax active protection software will not load or run.

Even if autorun is enabled, the user can block autorun for a particular disc by holding down the Shift key while inserting the disc. This will prevent the active protection software from running.

Even without disabling autorun, a user can prevent the active protection software from loading by covering up the portion of the disc on which it is stored. Both XCP and MediaMax discs contain two sessions, with the first session containing the music files and the second session containing DRM content, including the active protection
software and the autorun command file. The first session begins at the center of the disc and extends outward; the second session is near the outer edge of the disc.

By covering the outer edge of the disc, the user can cover up the second session’s files, effectively converting the disc back to an ordinary single-session disc. The edge of the disc can be covered with nontransparent material such as masking tape, or by writing over it with a felt-tip marker. Exactly how much of the disc to cover can be determined by iteratively covering more and more until the disc’s behavior changes, or by visually inspecting the disc to look for a difference in appearance of the disc’s surface which is often visible at the boundary between the two sessions.

Temporary Protection

Even if the copy protection software is allowed to autorun, there is a period of time, between when a protected disc is inserted and when the active protection software is installed, when the music is vulnerable to copying. It would be possible to have the discs immediately and automatically install the active protection software, minimizing this window of vulnerability, but legal and ethical requirements should preclude this option. Installing software without first obtaining the user’s consent appears to be illegal in the U.S. under the Computer Fraud and Abuse Act (CFAA) as well as various state anti-spyware laws [citation].

Software vendors conventionally obtain the user’s consent to installation of their software by displaying an End User License Agreement (EULA) and asking the user to agree to it. Only after the user agrees to the EULA is the software installed. The EULA informs the user, in theory at least, of the general scope and purpose of the
software being installed, and the user has the option to withhold consent by declining the EULA, in which case no software is installed. As we will see below, the DRM vendors do not always follow this procedure.

If the discs didn’t use any other protection measures, the music would be vulnerable to copying while the installer waited for the user to accept or reject the EULA. Users could just ignore the installer’s EULA window and switch tasks to a CD ripping or copying application. Both XCP and MediaMax employ temporary protection mechanisms to
protect the music during this time.

XCP Temporary Protection

The first time an XCP-protected disc is inserted into a Windows machine, the Windows autorun feature launches the XCP installer, the file go.exe located in the contents folder on the CD. The installer displays a license agreement and prompts the user to accept or decline it. If the user accepts the agreement, the installer installs the XCP active protection software onto the machine; if the user declines, the installer ejects the CD and exits.

While the EULA is being displayed, the XCP installer continuously monitors the list of processes running on the system. It compares the image name of each process to a blacklist of nearly 200 ripping and copying applications hard coded into the go.exe program. If one or more blacklisted applications are running, the installer replaces the EULA display with a warning (shown at right [in the paper version, but not here]) indicating that the applications need to be closed in order for the installation to continue. It also initiates a 30-second countdown timer; if the any of the applications are still running when the countdown reaches zero, the installer ejects the CD and quits. [Footnote: Similar application blacklisting techniques have been used in other security contexts. The client software for World of Warcraft, a massively multiplayer online role playing game, checks running applications against a regularly updated blacklist of programs used to cheat. [citation]]

This technique might prevent some unsophisticated users from copying the disc while the installer is running, but it can be bypassed with a number of widely known techniques. For instance, users might kill the installer process (using the Windows Task Manager) before it could eject the CD, or they might use a ripping or copying application that locks the CD tray, preventing the installer from ejecting the disc.

The greatest limitation of the XCP temporary protection system is the blacklist. Users might find ripping or copying applications that are not on the list, or they might use a blacklisted application but rename its executable file to prevent the installer from recognizing it. Since there is no mechanism for updating the blacklist on existing CDs, they will gradually become easier to rip and copy as new applications not on the blacklist come into widespread use. Application developers may also adapt their software to the blacklisting technique by randomizing their process image names or taking other measures to avoid detection. [Footnote: An extreme extension of this would be to adopt rootkit-like techniques to conceal the copying application’s presence, just as XCP hides its active protection software.]

MediaMax Temporary Protection

The MediaMax system employs a different—and highly controversial, if not illegal—temporary protection measure. It defends the music while the installer is running by installing, and at least temporarily activating, the active protection software before displaying the EULA. The software is installed without obtaining consent, and it remains installed (and in some cases, permanently active) even if the user explicitly denies consent by declining the license agreement. This practice is uncomfortably close to the behavior of spyware and
may be illegal.

Prior to license acceptance, both MediaMax version 3 and version 5 discs install the active protection driver. (At this writing, version 5 is the current version. To our knowledge, there was no version 4.) The driver file sbcphid.sys is copied to the Windows drivers directory, configured as a service in the registry, and launched. Initially, the driver’s startup type is set to “Manual,” so it will not re-launch the next time the computer boots; however, it remains running until the computer is shut down and remains installed permanently. Albums that use MediaMax version 5 additionally install components of the MediaMax player software before displaying a license agreement—almost 12 megabytes of programs and data that are stored in %programfiles%Common FilesSunnComm Shared. These files are not removed if the EULA is declined.

Even more troublingly, under some common circumstances the MediaMax installer will permanently activate the active protection software (by setting its startup type to “Auto,” which causes it to be launched every time the computer boots). This behavior is related to a mechanism in the installer apparently intended to upgrade the active protection software if an older version is already installed. Under the following scenarios, it is triggered even if the user previously declined the EULA:

  • The user inserted a CD-3 (older version of MediaMax) album, then sometime later inserts an MM-5 (current version of MediaMax at this writing) album.
  • The user inserted an MM-5 album, then sometime later inserts a CD-3 album.
  • The user inserted an MM-5 album, reboots, then sometime later inserts the same album or another MM-5 album.

These steps do not have to take place in a single session. They can happen over a period of weeks or months, as users purchase new albums.

We can think of two possible explanations for this behavior. Perhaps the vendor, SunnComm, did not test these scenarios to determine what their software did, and so did not realize that they were activating the software without consent. Or perhaps they did know what would happen in these cases and deliberately chose these behaviors. Either possibility is troubling, indicating either a badly deficient design and testing procedure or a deliberate decision to install software after the user denied permission to do so.

Even if poor testing is the explanation for activating the software without consent, it is clear that SunnComm deliberately chose to install the MediaMax software code on the user’s system even if the user did not consent. These decisions are difficult to reconcile with the ethical and legal requirements on software companies. But they are easy to reconcile with the vendor’s platform building strategy, which rewards the vendor for placing its software on as many computers as possible.

Even the activation of temporary protection software before the user consents to anything raises troubling ethical questions. It is hard to argue that the user has consented to loading and running software merely by the act of inserting the disc. Most users do not expect the insertion of a compact disc to load software, and although many (but not all) of the affected discs did contain a statement about protection software being on the discs, the statements generally were confusingly worded, were written in tiny print, and did not say explicitly that software would install or run immediately upon insertion of the disc. Some in the record industry argue that the industry’s need to block potential infringement justifies the short-term execution of the temporary protection software on every user’s computer. We think this issue deserves more ethical and legal debate.

Passive Protection

Another way to prevent copying before active protection software is installed is to use passive protection measures. Passive protection exploits subtle differences between the way computers read CDs and the way ordinary CD players do. By changing the layout of data on the CD, it is sometimes possible to confuse computers without affecting ordinary players. In practice, the distinction between computers and CD players is less precise. Older generations of CD copy protection, which relied entirely on passive protection, proved easy to copy in some computers and impossible to play on some CD players [citation]. Furthermore, computer hardware and software has tended to get better at reading the passive protected CDs over time as it became more robust to all manner of damaged or poorly formatted discs. For these reasons, more recent CD DRM schemes rely mainly on active protection.

XCP uses a mild variety of passive protection as an added layer of security against ripping and copying. This form of passive protection exploits a quirk in the way Windows handle multisession CDs. When CD burners came to market in the early 1990s, the multisession CD format was introduced to allow data to be appended to partially recorded discs. (This was especially desirable at a time when recordable CD media cost tens of dollars per disc.) Each time data is added to the disc, it is written as an independent series of tracks called a session. Multi-session compatible CD drives see all the sessions, but ordinary CD players, which generally do not support the multisession format, recognize only the first session.

Some commercial discs use a variant of the multisession format to combine CD audio and computer accessible on a single CD. These discs adhere to the Blue Book [citation] or “stamped multisession” format. According to the Blue Book specification, stamped multisession discs must contain two sessions: a first session with 1–99 CD audio tracks, and a second session with one data track. The Windows CD audio driver contains special support for Blue Book discs. It presents the CD to playing and ripping applications as if it was a normal audio CD. Windows treats other multisession discs as data-only CDs.

XCP discs deviate from the Blue Book format by adding a second data track in the second session. This causes Windows to treat the disc as a regular multisession data CD, so the primary data track is mounted as a file system, but the audio tracks are invisible to player and ripper applications that use the Windows audio CD driver. This includes Windows Media Player, iTunes, and most other widely used applications.

Using a specialized procedure, it is possible to create discs with this flavor of passive protection with standard CD burning hardware and software [citation].

Limitations

This variety of passive protection provides only limited resistance to ripping and copying. There are a number of well-known methods for defeating it. Advanced ripping and copying applications avoid the Windows CD audio driver altogether and issue MMC commands [citation] directly to the drive. This allows programs such as Nero [citation] and Exact Audio Copy [citation] to recognize and read all the audio tracks. Non-Windows platforms, including Mac and Linux systems, read multisession CD more robustly and don’t suffer from the limitation that causes ripping problems on Windows. The felt-tip marker trick can also defeat this kind of passive protection, as noted above.

Comments

  1. Anonymous says:

    “Even if poor testing is the explanation for activating the software without consent, it is clear that SunnComm deliberately chose to install the MediaMax software code on the user’s system even if the user did not consent. These decisions are difficult to reconcile with the ethical and legal requirements on software companies. But they are easy to reconcile with the vendor’s platform building strategy, which rewards the vendor for placing its software on as many computers as possible.”

    re “These decisions are difficult to reconcile with the ethical and legal requirements on software companies.”

    From MediaMax Technology’s last full year annual report

    “CODE OF ETHICS

    The Company has not adopted a Code of Ethics as of the date of this report. Resources and time necessary to adopt written standards reasonably designed to deter wrongdoing have not been available as of the date of this report. ”

    http://www.sec.gov/Archives/edgar/data/1057024/000119983505000517/quiettiger_10ksba-12312004.txt

    What can you expect…..

  2. If you don’t want to deface your disk to block the data tracks, this Christmas I saw something at Radio Shack (and since then, at Staples) that I can only describe as a “CD condom”. It’s a transparent disk of plastic, with a rim that clips to your CD. The intent is to prevent scratches, but you could just as easily use one of these as a removable data track blocker by scribbling on it instead. Are the data tracks always located in the same place? If so, then you could keep one of these handy for snapping on and off of music CDs that might be contaminated with spyware and rootkits.

    It definitely works in a CD tray; I have not yet been brave enough to risk putting one into a slot-feed player.

  3. the zapkitty says:

    Relevant addition:

    “Many security experts advise users to disable autorun, to protect against disc-borne malware.”

    The Sony DRM incident also caused the U.S. Federal Government to issue warnings to users to turn Windows “Autorun” off; these warnings were issued by the Department Of Homeland Security’s Computer Emergency Response Team (US-CERT) (cite:http://www.us-cert.gov/current/archive/2005/11/23/archive.html#xcpdrm)

    (to be trimmed for coherence and brevity no doubt 🙂 )

  4. dr2chase,

    The location differs from disc to disc, so you can’t use a single pre-marked sleeve for all discs. You might be able to get away with a collection of pre-marked sleeves, choosing the appropriate one for each disc.

  5. the zapkitty says:

    So not only do CD’s get condoms… but the condoms can help to prevent “infections”…

    … ain’t technology fun? 🙂

  6. Given the high rotational speed of CD-ROM drives, I wouldn’t recommend masking tape as a method of covering the second session. Mythbusters showed in Season 1, Episode 2, that it was plausible to shatter a damaged CD in a high-speed CD-ROM drive. Adding tape that causes the CD to not be balanced qualifies as potential damage in my book. See:
    http://en.wikipedia.org/wiki/MythBusters_episodes:_Season_1

  7. “It is hard to argue that the user has consented to loading and running software merely by the act of inserting the disc. Most users do not expect the insertion of a compact disc to load software…”

    Perhaps this is intended to refer to music CDs? Windows users are generally familiar with data CDs loading and running something via autorun.

  8. @Scott: “Mythbusters showed … that it was plausible to shatter a damaged CD in a high-speed CD-ROM drive.”

    Not really. They weren’t able to get a consumer-grade CD ROM drive to shatter CDs (it wouldn’t go faster than 20k RPM), so they constructed a “special” drive that used a router motor that successfully shattered disks. If your own drive doesn’t use a router motor, this “warning” is really non sequitur.

  9. @Brian: yes, I did see the episode. You’re right that to get a non-damaged CD to shatter, they had to resort to a “special” drive. I recall that they even used a variac to boost the voltage to the router to increase the rotational speed beyond the router’s specifications. My take was that putting masking tape on a CD and then putting it in a modern CD-ROM drive could be asking for trouble. If one was careful to keep the layer thin (so it wouldn’t “catch” on anything) and balanced so that wobble was minimized, you would be less likely to damage your drive or media. I can imagine that someone might put the tape around the edge and then fold it over the top and bottom leading to thicker folds/creases that could cause trouble. I think it’s worth a “do this at your own risk” footnote in the published paper.

  10. Ed, Alex,

    Keep up the great work, you guys are doing an amazing job of not only understanding & documenting the behaviour of these DRM techniques, but also in describing the implications (real and potential).

    Even my 65 year old mother now reads this site regularly! (There is hope yet…)

  11. In case anyone’s interested:

    Over at BoingBoing, I just heard about another anti-copying protection scheme called “StarForce” that is used on dozens of video games.

    Apparently it can practically cripple your computer, not to mention the doors it opens for viruses and trojans.

    Link is here: http://www.glop.org/starforce/

    I did a quick search here at FTT for Starforce & it didn’t find anything, so I just thought I’d mention it because it’s probably of interest to anyone on this site.

  12. After having read many statements here and elsewhere I have also discovered an anti-copying protection scheme called “Total-Play” but I haven’t seen anything about it here.

    It also apparently can infect your computer and practically cripple it as it is hard to play on your computer but is easily bypassed. Is that what they call “passive protection”

    Anyone know who distributes this scheme and why it is not analyzed here?

  13. Ned Ulbricht says:

    Installing software without first obtaining the user’s consent appears to be illegal in the U.S. under the Computer Fraud and Abuse Act (CFAA) as well as various state anti-spyware laws [citation].

    Installing software without first obtaining authorization from the computer’s owner may be punishable in the U.S. under….

    Better yet, get someone like Jennifer Granick to help with the phrasing here.

  14. Leaving “active” security measures installed even when protected content is not being accessed does nothing to enhance the security of a DRM system against any reasonably-competant attacker.

    If the system leaves content stored in unencryped in any medium while it’s not being accessed, the content may be accessed by removing that medium from the computer where it’s stored and mounting it with a computer that doesn’t have any DRM garbage installed.

    If the system does not leave any content stored in unencrypted form in any medium except while its being accessed, and if the encryption is good enough that a knowledgeable person mounting media with encrypted content on another machine wouldn’t be able perform any useful but unauthroized actions with it, then such a person wouldn’t be able to do such actions on the machine where the data was stored even if there weren’t any “active” DRM running to prevent him.

    Setting aside the question of whether record companies have the right to install their DRM junk, what benefit to they gain aside from the harassment of paying customers?

  15. TotalPlay is the new Macrovision DRM, the companies description can be found at http://www.macrovision.com/products/activereach_cd/totalplaycd/index.shtml Believe it or not, Macrovision is touting it as “The most effective
    music CD copy management solution” and “consumer-
    focused solution”. From the description I read, it sounds to me like iTunes with “advanced” DRM built-in. However, I have not yet found any information on the possible security or system stability risks as of yet. (hint hint)

  16. That is pretty scary based on the “FACT” that no one has yet analyzed it yet under the pretense of what the gauntlet that has been laid down here.

    Why is that?

    Are the “Professors” lacking in their abilities on this “Paper” they perceive to write?

    Doesn’t “Total Play” deserve to be analyzed? Or is this a “selective” analysis?

    Never mind Eddie and Johnny this is not about analytical evaluation it is something else with a disguise, Nothing has changed has it?

    Good luck with you and your lackeys, DRM is here to stay, get used to it!

  17. Why is protecting one’s system from malware called an “Attack on Installation”?

  18. the zapkitty says:

    Daniel W Says:

    “TotalPlay is the new Macrovision DRM…”

    Believe me, Daniel… the SuncMax shill you are responding to knows what TotalPlay is.

    Having gotten their collective asses handed to them in their previous excursions into deception on this forum, the SuncMax shills now try the ever-so-obvious tactic of new ‘nyms and trying to divert attention from their sorry mess of a company and product to something else, anything else, that is even remotely similar.

    You can be assured that it’s the same shill, “anonymous the 1473rd”, by their characteristic retreat into hysterical rants about the inevitability of their malware-style DRM.

    (One imagines them in a bunker somewhere deep under the smoldering ruins of Sunncomm/Mediamax, blithering away into a microphone hooked up to not much of anything, little toothbrush moustache twitching… 🙂 )

    As for Macrovision, it has been said here that their DRM products will have their turn under the microscope, and I find that quite believable from what I’ve seen here 🙂

    But the “Sony Incident” was F4I and XCP, Sunncomm and Mediamax… and it’s their turn under bright lights. Though undoubtedly they wish that it were not.

    One further thing, as well: with the EFF having tossed down the gauntlet to DRM, via the open letter to EMI on the “immune to scrutiny” DMCA tactic… http://www.eff.org/news/archives/2006_01.php
    … it’s unlikely that publication of analysis would proceed before EMi answers yea, nay or tries to obfuscate.

    But will Macrovision analysis proceed here after EMI answers for better or worse?

    I believe so… “Freedom To Tinker” has illustrated that, unlike SuncMax, they have a habit of telling the truth. and of trying to follow through on their statements.

    Which is, as has been amply illustrated here by the SuncMax shills themselves, is exactly what SuncMax doesn’t do.

  19. Edward Kuns says:

    ditto/Diddo/troll,

    Please post a link to an intelligent analysis of TotalPlay that supports those allegations. Everyone here would be interested in seeing such. Until such a time as a link is given (rather than yet another an empty allegation), I will wait for the professors here — or someone else — to analyze TotalPlay. I genuinely hope they *will* analyze TotalPlay here, so we understand the total playing field for commercial DRM solutions for music CDs.

    Anyway, as usual, those allegations are totally off topic for this specific entry.

    So for something on topic, I agree somewhat with supercat. It might be worth one sentence to point out that while the DRM vendors see this topic as an attack on installation, the consumer sees the same act as a defense against attack.

    Language is important (especially when the media picks up a technical story they don’t understand) and it would be unfortunate to allow the DRM vendors to control the language used. I understand that “attack” is the standard security term, but this “attack” is truly a defense. (And I know that y’all know *all* of that. I just wanted to add my voice to the choir asking for at least one extra sentence of description/clarification — for the sole purpose of having some control over the terms of debate.)

  20. Maybe “defeat” is the word needed.

    I suppose the next proposal for Congress will be that CD or DVD drives have to incorporate an adhesive tape/felt pen mark detector.

    Or a watermark in the adhesive tape that is read by the drive.

    And “professional grade” adhesive tape will lack the watermark, but stationery stores will only be allowed to sell it to professionals.

  21. Sadly obvious says:

    Zilchkitty apparently can’t attack the message but instead the messenger, which BTW is still off topic, A common tactic when the ammo box is empty.

    Perhaps the next DRM should come with a felt tip pen and a small roll of masking tape fastened to the jewel case? Or would that compromise ones computer too drastically too? Hmmm

  22. the zapkitty says:

    Sadly obvious Says:

    🙂

    “Zilchkitty apparently can’t attack the message but instead the messenger, which BTW is still off topic…”

    You posted an on-topic message? First time for everything, I guess. Please repeat it, I seem to have missed it… Oh yeah… you can’t because you didn’t. Macrovision isn’t the topic… the malware of Mediamax and XCP are the topic… which of course must irritate you no end.

    “Perhaps the next DRM should come with a felt tip pen and a small roll of masking tape fastened to the jewel case?”

    Ah! getting closer to topic.

    No need for physical attachments… just the warning from US-CERT telling folks how to avoid installing any DRM malware that might be lurking on their newly-purchased CD’s.

    Just need to plaster it on the CD case in big red letters 🙂

  23. how can i check to see if rootkit has been installed on my system? and how can i remove it?

  24. I’d like to know about spotting the root kit theory. I really dig reading about the conspirecy of these global wing heads who are so greedy they just need total control not just 95%.

  25. Hey everyone! I installed a program called creator 8/ Roxio made by element 5.! For 4 weeks my cd & dvd capabilities were gone, missing was drivers and application items. I run windows xp and I was helpless in fixing it myself. Called in a “pro” and he said the file has corrupted the main drives. I had to purchase a backup copy from Roxio. It took 41/2 hours to replace what it had stolen from my pc. The cdrom could not be installed 395 error codes we finally had to call it quits. The package was corrupted in the installation phase from element 5. E-mailed them still trying to get my money back. They’ve never answered me.
    Has anyone else encountered this problem? Is this some type of coding or another thief selling stuff undercover?

  26. Interesting set of posts. ..permit me to deviate a trifle. I am just thinking aloud whether the principle of the ‘felt pen’ cannot be taken a bit further to trick the a CD application which reports on an attempted run that a ‘later Operating System’ is needed. To be more specific : if you attempt to install Office 2000XP on a mobo with Windows 95..a ‘pop up’ says : “you need a newer OS…even though you have the needed ram and HD space. Thanks for any imput.