Hacked in Translation -- from Subtitles to Complete Takeover
Abstract
Check Point researchers revealed a new attack vector which threatens millions of users worldwide - attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim's media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years. Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are automatically loaded from online repositories by the user's media player. These subtitles repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker's malicious subtitles a high score, which results in those specific subtitles being served to the user. This method requires little or no deliberate action on the part of the user, making it all the more dangerous. Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files. This means users, Anti-Virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk.
- Publication:
-
arXiv e-prints
- Pub Date:
- August 2024
- DOI:
- 10.48550/arXiv.2408.00502
- arXiv:
- arXiv:2408.00502
- Bibcode:
- 2024arXiv240800502H
- Keywords:
-
- Computer Science - Cryptography and Security
- E-Print:
- Published in Check Point Research Blog: https://blog.checkpoint.com/security/hacked-translation-directors-cut-full-technical-details/. Presented in various conferences: Syscan360 Seattle, Shakacon, HITCON, Syscan360 Beijing, Ekoparty, BSides-TLV