A First Look at Digital Rights Management Systems for Secure Mobile Content Delivery

TL;DR

This paper provides the first comprehensive security analysis of major mobile DRM systems like Widevine, FairPlay, and PlayReady, revealing vulnerabilities and proposing mitigations for secure content delivery on billions of devices.

Contribution

It offers a detailed security comparison of leading mobile DRM solutions, identifying design flaws and vulnerabilities, and suggests future research directions.

Findings

Identified micro-architectural side-channel vulnerabilities

Detected lack of post-quantum security features

Compared security properties of major DRM systems

Abstract

Digital rights management (DRM) solutions aim to prevent the copying or distribution of copyrighted material. On mobile devices, a variety of DRM technologies have become widely deployed. However, a detailed security study comparing their internal workings, and their strengths and weaknesses, remains missing in the existing literature. In this paper, we present the first detailed security analysis of mobile DRM systems, addressing the modern paradigm of cloud-based content delivery followed by major platforms, such as Netflix, Disney+, and Amazon Prime. We extensively analyse the security of three widely used DRM solutions -- Google Widevine, Apple FairPlay, and Microsoft PlayReady -- deployed on billions of devices worldwide. We then consolidate their features and capabilities, deriving common features and security properties for their evaluation. Furthermore, we identify some design-level shortcomings that render them vulnerable to emerging attacks within the state of the art, including micro-architectural side-channel vulnerabilities and an absence of post-quantum security. Lastly, we propose mitigations and suggest future directions of research.