According to the experts at Check Point, hackers could exploit a new attack vector that uses malicious subtitles to compromise devices via their media players.
Millions of users worldwide can be targeted due to security vulnerabilities in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time, and stream.io.
“Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles.” states the analysis shared by Check Point. “By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years.”
The patch for these vulnerabilities are available for download, users should apply them immediately.
According to the security firm, approximately 200 million video players and streamers are currently exposed to subtitle attack.
“We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years,” continues the analysis. “Hacked in Translation.”
The attackers can craft malicious subtitle files that once executed by a user media player can allow attackers to take complete control over any type of device (i,e, laptops, smart TVs, tablets, and smartphones).
Unlike other attack vectors well known to security firms, this hacking technique is very subtle because subtitles are perceived harmless text files and are not subject to the inspection of security solutions.
In subtitles hack, the subtitle can be manipulated by attackers for several malicious purposes.
“This method requires little or no deliberate action on the part of the user, making it all the more dangerous,” states Check Point.
Check Point analyzed vulnerabilities in media players that allow a remote attacker to execute code and gain control full control of the targeted system.
The researchers were able to exploit a flaw in the popular VLC player to trigger a memory corruption issue and to gain control of a PC. Similar successful tests allowed the researchers to demonstrate subtitles hack on other players.
Check Point presented a proof of concept attack, says victims are persuaded to visit a malicious website that uses one of the streaming video players, or they are tricked into running a malicious subtitle file on their system that they intentionally downloaded for use with a video.
“By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more,” wrote Check Point.
Check Point plans to disclose the technical details of the tests only when software updates will be provided to the users.
Below the list of update currently available:
(Security Affairs – Subtitles hack, hacking)