Exploring Widevine for Fun and Profit

TL;DR

This paper analyzes the internals of Widevine DRM on Android, develops a tool to trace its cryptographic operations, and demonstrates privacy concerns and security vulnerabilities, including bypassing obfuscation and recovering the Root-of-Trust.

Contribution

It provides a detailed structural analysis of Widevine on Android, introduces WideXtractor for tracing, and uncovers privacy and security issues.

Findings

Identified cryptographic keys and protocol structure of Widevine

Developed WideXtractor tool for function call tracing

Demonstrated privacy concerns and security vulnerabilities in Widevine

Abstract

For years, Digital Right Management (DRM) systems have been used as the go-to solution for media content protection against piracy. With the growing consumption of content using Over-the-Top platforms, such as Netflix or Prime Video, DRMs have been deployed on numerous devices considered as potential hostile environments. In this paper, we focus on the most widespread solution, the closed-source Widevine DRM. Installed on billions of devices, Widevine relies on cryptographic operations to protect content. Our work presents a study of Widevine internals on Android, mapping its distinct components and bringing out its different cryptographic keys involved in content decryption. We provide a structural view of Widevine as a protocol with its complete key ladder. Based on our insights, we develop WideXtractor, a tool based on Frida to trace Widevine function calls and intercept messages for inspection. Using this tool, we analyze Netflix usage of Widevine as a proof-of-concept, and raised privacy concerns on user-tracking. In addition, we leverage our knowledge to bypass the obfuscation of Android Widevine software-only version, namely L3, and recover its Root-of-Trust.