conference logo

Playlist "37C3: Unlocked"

Full AACSess: Exposing and exploiting AACSv2 UHD DRM for your viewing pleasure

Adam Batori

Following the failure and easy exploitation of the AACSv1 DRM on HD-DVD and Blu-ray, AACS-LA went back to the drawing board and announced the next generation AACSv2 DRM scheme, launching alongside 4K UHD Blu-ray in 2015. Since then, nearly no information has come out publicly about any vulnerabilities or even the algorithms themselves, owing in large part to software players requiring the use of Intel SGX secure enclave technology, which promises integrity and confidentiality of AACSv2 code and data through local and remote attestation mechanisms. Join us as we explore the broken history of AACS, describe practical side-channel attacks against SGX, and present the first look into the inner workings of AACSv2 DRM, culminating in a demonstration of the first full compromise of AACSv2 and unofficial playback of a UHD-BD disc.

The Advanced Access Content System (AACS) is a DRM scheme used to safeguard audio and visual content, particularly in high-definition formats like HD-DVD and Blu-ray. First introduced in 2005 following the failure of the Content Scramble System (CSS) used in DVDs, AACS was designed to be not only secure against regular piracy, but included multiple features intended to restrict the impact of a potential leak of cryptographic material such as revocation lists and traitor-tracing. The concepts and algorithms of AACS were described in a publicly-released whitepaper, relying on strong cryptography and secrecy of keys to maintain security. Unsurprisingly, less than a year after publication, the first unlicensed decryption tool was demonstrated using keys reverse-engineered from a software player binary. While AACS-LA was quick to revoke those keys, a cat-and-mouse game emerged with new keys being regularly extracted from sources such as software updates and PS3 firmware.

With AACS effectively broken and easily bypassed as described in Eckersley’s 24c3 presentation, AACS-LA would announce the introduction of AACSv2 for the next generation 4K UHD Blu-ray discs. This time, however, AACS-LA would not release the specifications of the DRM publicly, requiring strict NDAs for implementers and increased software/hardware security measures. Most notably, playback of legitimately purchased UHD-BDs on PC requires Cyberlink PowerDVD software running on Windows 10 and an SGX-capable 7th-10th generation Intel CPU. Since the DRM would run exclusively in the SGX secure enclave, no further information about its inner workings or vulnerabilities would be discovered publicly, until now.

In this presentation, we explore the security system of AACSv2 DRM and the Intel SGX trusted execution environment. We first analyze the principles of SGX and its promises of an isolated environment, protected from all software running on the machine. We also investigate the use of SGX local and remote attestation primitives intended to verify the integrity and confidentiality of AACSv2 key material and DRM code, and why it has resisted outside analysis for so many years. We then discover how hardware side-channel attacks can be used to undermine these guarantees of SGX, and craft an effective exploit to extract cryptographic material from the enclave and defeat the DRM code obfuscation.

Following that, we present the first public description of the inner workings of AACSv2, the key derivation process, and the updated revocation and traitor-tracing mechanisms. We studied BIOS updates from six motherboard vendors to show how SGX can be broken both easily and cheaply, and that vendors are now faced with a decision of security vs. usability in trusting unpatched machines. Finally, we conclude with the first demonstration of a UHD Blu-ray disc being decrypted and played back on a non-official platform.