Last week we reported on the vulnerability exposed in Widevine’s Level 3 content security. Following on from this, Widevine have confirmed that their CDN schedule has been accelerated to deal with this.
WHAT WAS THE VULNERABILITY?
Widevine Level 3 is one of Google’s less secure in-house DRM implementations. This is typically used for lower quality videos which are 720p or HD. Setting software based whitebox crypto as a minimum requirement when using Widevine means that the encryption keys will pass through the CPU and RAM on the client device unencrypted.
WHO’S AFFECTED BY THIS VULNERABILITY?
- Mac and PC browsers using Widevine software CDM, such as Firefox or Chrome.
- Devices not supported by TEE. So usually more dated or low cost devices.
Widevine have set to work on this right away. Widevine is currently updating the browser and iOS CDM, in addition to, deprecating older CDMs.
Desktop Browser CDM
For browsers using the Component Updater (like Chrome), the browser will automatically update to the latest CDM. No end user action is required.
Relevant CDM version(s), and deprecation schedule:
The updated Widevine iOS client will be released on Feb 11, 2019. This is a required update and will be enforced as the minimum version allowed.
All prior versions of the Widevine iOS client will be deprecated on March 31, 2019.
SO WHAT DOES THIS MEAN FOR CONTENT SECURITY?
This schedule of works does not guarantee a fix to the Widevine Level 3 security vulnerability. This highlights that even the most well-known DRM services can come under scrutiny and expose flaws. If the configuration changes are successful, these developments should be automatically updated within the browser or CDM. We will continue to update you on
the progress as Widevine make announcements.
HOW TO KEEP YOUR CONTENT SECURE IN THE FUTURE
- As DRM experts we continuously monitor content security vulnerabilities to ensure that your content remains protected, your service remains uninterrupted and you can deliver high quality streaming for your viewers.
- As Player and DRM experts VUALTO work with all our clients to ensure that your DRM policies and settings are fit for purposes. Our DRM solutions are completely tailored to your requirements and we will recommend changes to your configuration when required.
- VUDRM from VUALTO offers an enhanced level of DRM security through the use of VUDRM tokens. Using our flexible token generation, you can dynamically issue individual user permissions for one piece of content, with no need for re-encryption. You can restrict your content to only be played on devices that support hardware decryption by setting values in the VUDRM token itself. For more information firstname.lastname@example.org.