Is DRM A Threat To Computer Security?

DRM is harmful to our security. At best, it’s a necessary evil — and it’s arguably not necessary and isn’t worth the trade-off. Here’s how DRM and the laws that protect it make our computers less secure and criminalize telling us about the problems.

DRM Can Open Security Holes

Digital Rights Management (DRM) itself can be insecure. DRM is implemented with software, and this software needs deep permissions into the operating system so it can stop normal operating system functions.

The Sony BMG CD copy protection rootkit — first released in 2005 — is a perfect storm of DRM security issues.

The Sony rootkit came preinstalled on a variety of audio CDs. When you inserted the CD into your computer, the CD would use AutoRun in Windows to automatically launch a program that installs the XCP rootkit on your computer. This DRM software was designed to interfere with copying or ripping of the CD. The XCP rootkit burrowed deep into the operating system, installing itself silently, providing no way to uninstall it, consuming excessive system resources, and potentially crashing the computer. Sony’s EULA didn’t even mention this rootkit in the fine print, which shows how pointless EULAs are.

Even worse, the XCP rootkit opened security holes on the system. The rootkit hid all file names starting with “$sys$” from the operating system. Malware — such as the Breplibot Trojan — began to take advantage of this to disguise itself and more easily infect systems with Sony’s DRM installed.

This isn’t just one isolated example. In 2012, Ubisoft’s uPlay software was found to include a nasty security hole in a browser plug-in that would allow web pages to compromise computers running uPlay. uPlay is mandatory for running and authenticating Ubisoft games online.  This wasn’t a rootkit — just “really bad code” in DRM software that opened big hole.

sony   Is DRM A Threat To Computer Security?

Laws That Protect DRM Criminalize Security Research

Laws that protect DRM can criminalize security research and prevent us from even knowing about the problems. For example, in the USA, the Digital Millennium Copyright Act (DMCA) prohibits circumventing access-control measures. There are some narrow exceptions for security research, but the law broadly criminalizes most circumvention that doesn’t fall under these narrow measures. These are the same sort of laws that criminalize jailbreaking and rooting of phones, tablets, and other devices.

These laws and associated threats create a chilling environment. Security researchers are encouraged to keep quiet about vulnerabilities they know about rather than disclosing them, because disclosing them could be illegal.

This is exactly what happened during the Sony DRM rootkit fiasco. As Cory Doctorow points out:

“…when word got out that Sony BMG had infected millions of computers with an illegal rootkit to stop (legal) audio CD ripping, security researchers stepped forward to disclose that they’d known about the rootkit but had been afraid to say anything about it.”

A Sophos poll found that 98% of business PC users thought the Sony DRM rootkit was a security threat. The law shouldn’t silence security researchers who could inform us about such serious security problems.

Due to the DMCA, it may even have been illegal for anyone to uninstall the Sony rootkit from their PCs. After all, that would be bypassing DRM.

cd with sony rootkit legal warning   Is DRM A Threat To Computer Security?

DRM Reduces Your Control Over Your Own Computer

You have control over your own computer — that’s the core problem DRM is trying to solve. When you sit down with a general purpose PC operating system, you have full control over what’s happening on your PC. This means that you could violate copyright in some ways — record a Netflix video stream, copy an audio CD, or download files without the permission of the copyright holder.

Giving the manufacturer this much control means we give up the ability to really control our own devices and protect them in other ways. For example, this is why you have to root Android to install many types of security software — device tracking apps that persist after a factory reset, firewalls that control which apps can access the network, and permission managers that control what apps can and can’t do on your device. They all require rooting to install because they need to bypass the restrictions on what you can and can’t do on your device.

We’ve pointed this out before — our computing devices are becoming more and more locked down. Cory Doctorow explains the battle we’re facing in “The coming war on general-purpose computing”:

“Today we have marketing departments that say things such as “we don’t need computers, we need appliances. Make me a computer that doesn’t run every program, just a program that does this specialized task, like streaming audio, or routing packets, or playing Xbox games, and make sure it doesn’t run programs that I haven’t authorized that might undermine our profits.”

We don’t know how to build a general-purpose computer that is capable of running any program except for some program that we don’t like, is prohibited by law, or which loses us money. The closest approximation that we have to this is a computer with spyware: a computer on which remote parties set policies without the computer user’s knowledge, or over the objection of the computer’s owner. Digital rights management always converges on malware.”

locked down tablet pc   Is DRM A Threat To Computer Security?

Let’s face it — DRM is harmful. Worse yet, it doesn’t actually stop copying — just witness all the unauthorized file-downloading still going on. We need to acknowledge the problems and realize that there’s a trade-off to using DRM. If we’re going to use DRM, we should at least protect security researchers so they can tell us when we’re using DRM software that puts our PCs at risk!

Image Credit: YayAdrian on Flickr, Ian Muttoo on Flickr, Lordcolus on Flickr, Shutterstock

8 Comments - Write a Comment

3 votes
Reply

Michael M

don’t even get me started about diablo3 and other drm companies that make you stay allways on with no off-line play

1 votes
Reply

Jeremy D

Where can I get those stickers at the top of the page?

0 votes
0 votes

P.f. B

Eff.org should still carry them, if I’m not mistaken.

2 votes
Reply

Robert B

I agree with you 100%, I have pretty much given up on the notion of effecting real change in our laws at least here in the US because I believe that 100% of our elected officials especially at the federal level are CORRUPT and on the take from corporate America. However we consumers do have a very effective tool at our disposal if we would just get enough organized and on the same page and that is called BOYCOTT! We gamers should pick the worse offending publishers, EA comes to mind, and not purchase anything from them for as long at it would take to put them out of business. The rest of the industry would get the hint and stop using DRM. DRM does not do anything to stop piracy just check that availability on a new game the day it is released on bit torrent. All DRM does it to inconvenience the companies paying customers along with causing security problems for their computers.

1 votes
Reply

Kelalole

When it comes to products which I have paid for, thereby making them my own property, I will do everything in my power to remove or circumvent Digital Restrictions Management. The DMCA is a prime example of why politicians should not be allowed to write laws, it needs to be repealed. Just as with gun control laws, DRM has no effect on criminals, it only serves to handicap everyone else. This is one of the great reasons to support FOSS.

0 votes
Reply

Al Mo

It’s not the Government that is robbing banks, corrupting ATM machines, stealing credit card info, stealing Identities, copying CD’s DVD’s to steal away profits from companies trying to get just due compensation for their products and investments. Identify the problem where it belongs.
Beneath every problem are issues that need to be solved. Don’t solve the issues and the problems will remain.

0 votes
Reply

Al Mo

It’s not the Government that is robbing banks, corrupting ATM machines, stealing credit card info, stealing Identities, copying CD’s DVD’s to steal away profits from companies trying to get just due compensation for their products and investments. Identify the problem where it belongs.
Beneath every problem are issues that need to be solved. Don’t solve the issues and the problems will remain.

Your comment