Is DRM A Threat To Computer Security?

Chris Hoffman 12-06-2014

DRM is harmful to our security. At best, it’s a necessary evil — and it’s arguably not necessary and isn’t worth the trade-off. Here’s how DRM and the laws that protect it make our computers less secure and criminalize telling us about the problems.


DRM Can Open Security Holes

Digital Rights Management (DRM) What Is DRM & Why Does It Exist If It's So Evil? [MakeUseOf Explains] Digital Rights Management is the latest evolution of copy protection. It’s the biggest cause of user frustration today, but is it justified? Is DRM a necessary evil in this digital age, or is the model... Read More itself can be insecure. DRM is implemented with software, and this software needs deep permissions into the operating system so it can stop normal operating system functions.

The Sony BMG CD copy protection rootkit — first released in 2005 — is a perfect storm of DRM security issues.

The Sony rootkit came preinstalled on a variety of audio CDs. When you inserted the CD into your computer, the CD would use AutoRun in Windows to automatically launch a program that installs the XCP rootkit on your computer. This DRM software was designed to interfere with copying or ripping of the CD. The XCP rootkit burrowed deep into the operating system, installing itself silently, providing no way to uninstall it, consuming excessive system resources, and potentially crashing the computer. Sony’s EULA didn’t even mention this rootkit in the fine print, which shows how pointless EULAs are 8 Ridiculous EULA Clauses You May Have Already Agreed To Here are some of the most ridiculous terms and conditions in the EULAs of popular services. You may have already agreed to them! Read More .

Even worse, the XCP rootkit opened security holes on the system. The rootkit hid all file names starting with “$sys$” from the operating system. Malware — such as the Breplibot Trojan — began to take advantage of this to disguise itself and more easily infect systems with Sony’s DRM installed.

This isn’t just one isolated example. In 2012, Ubisoft’s uPlay software was found to include a nasty security hole in a browser plug-in Browser Plugins - One of the Biggest Security Problems on the Web Today [Opinion] Web browsers have become much more secure and hardened against attack over the years. The big browser security problem these days is browser plugins. I don’t mean the extensions that you install in your browser... Read More that would allow web pages to compromise computers running uPlay. uPlay is mandatory for running and authenticating Ubisoft games online.  This wasn’t a rootkit — just “really bad code” in DRM software that opened big hole.



Laws That Protect DRM Criminalize Security Research

Laws that protect DRM can criminalize security research and prevent us from even knowing about the problems. For example, in the USA, the Digital Millennium Copyright Act (DMCA) prohibits circumventing access-control measures. What Is the Digital Media Copyright Act? Read More There are some narrow exceptions for security research, but the law broadly criminalizes most circumvention that doesn’t fall under these narrow measures. These are the same sort of laws that criminalize jailbreaking and rooting of phones, tablets, and other devices Is It Illegal To Root Your Android or Jailbreak Your iPhone? Whether you're rooting an Android phones or jailbreaking an iPhone, you're removing the restrictions the manufacturer or cellular carrier placed on the device you own – but is it legal? Read More .

These laws and associated threats create a chilling environment. Security researchers are encouraged to keep quiet about vulnerabilities they know about rather than disclosing them, because disclosing them could be illegal.

This is exactly what happened during the Sony DRM rootkit fiasco. As Cory Doctorow points out:


“…when word got out that Sony BMG had infected millions of computers with an illegal rootkit to stop (legal) audio CD ripping, security researchers stepped forward to disclose that they’d known about the rootkit but had been afraid to say anything about it.”

A Sophos poll found that 98% of business PC users thought the Sony DRM rootkit was a security threat. The law shouldn’t silence security researchers who could inform us about such serious security problems.

Due to the DMCA, it may even have been illegal for anyone to uninstall the Sony rootkit from their PCs. After all, that would be bypassing DRM.


DRM Reduces Your Control Over Your Own Computer

You have control over your own computer — that’s the core problem DRM is trying to solve. When you sit down with a general purpose PC operating system, you have full control over what’s happening on your PC. This means that you could violate copyright in some ways — record a Netflix video stream, copy an audio CD, or download files without the permission of the copyright holder.


Giving the manufacturer this much control means we give up the ability to really control our own devices and protect them in other ways. For example, this is why you have to root Android to install many types of security software — device tracking apps that persist after a factory reset Was Your Android Phone Lost or Stolen? This Is What You Can Do There are many good options for remotely locating your stolen phone, even if you never set anything up before you lost your phone. Read More , firewalls that control which apps can access the network Avast! Introduces Free Mobile Security App For Android 2.1+ [News] There are plenty of free mobile security apps available for Android. The market seems to be filled to the brim with them. Yet it’s hard to say if they’re trustworthy because often they’re developed by... Read More , and permission managers How Android App Permissions Work and Why You Should Care Android forces apps to declare the permissions they require when they install them. You can protect your privacy, security, and cell phone bill by paying attention to permissions when installing apps – although many users... Read More that control what apps can and can’t do on your device. They all require rooting to install because they need to bypass the restrictions on what you can and can’t do on your device.

We’ve pointed this out before — our computing devices are becoming more and more locked down Convenience Before Freedom: How Tech Companies Are Slowly Trapping You [Opinion] Computers were once under our control. We could run any software we wanted on them, and the companies that manufactured the computer had no say. Today, computers are increasingly being locked down. Apple and Microsoft... Read More . Cory Doctorow explains the battle we’re facing in “The coming war on general-purpose computing”:

“Today we have marketing departments that say things such as “we don’t need computers, we need appliances. Make me a computer that doesn’t run every program, just a program that does this specialized task, like streaming audio, or routing packets, or playing Xbox games, and make sure it doesn’t run programs that I haven’t authorized that might undermine our profits.”

We don’t know how to build a general-purpose computer that is capable of running any program except for some program that we don’t like, is prohibited by law, or which loses us money. The closest approximation that we have to this is a computer with spyware: a computer on which remote parties set policies without the computer user’s knowledge, or over the objection of the computer’s owner. Digital rights management always converges on malware.”


Let’s face it — DRM is harmful. Worse yet, it doesn’t actually stop copying — just witness all the unauthorized file-downloading still going on. We need to acknowledge the problems and realize that there’s a trade-off to using DRM. If we’re going to use DRM, we should at least protect security researchers so they can tell us when we’re using DRM software that puts our PCs at risk!


Image Credit: YayAdrian on Flickr, Ian Muttoo on Flickr, Lordcolus on Flickr, Shutterstock

Related topics: Digital Rights Management, Online Security, Sony.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Gary W.
    November 7, 2016 at 4:32 pm

    Technology has surpassed ethics in this case. By that I mean; "You pay for a PC and yet it is NOT really Yours". DRM allows the manufacturer to modify and restrict your purchase and programming for the life of the system. Isn't this the REAL reason Microsoft GAVE AWAY Windows 10??? You pay to use their programs and if you don't connect it to the network it WILL SHUT DOWN! And if you don't pay for their storage and services they just turn your system OFF.
    The big Corporations hate Linux and open source because they can't control it.

  2. Al Mo
    June 14, 2014 at 5:57 am

    It's not the Government that is robbing banks, corrupting ATM machines, stealing credit card info, stealing Identities, copying CD's DVD's to steal away profits from companies trying to get just due compensation for their products and investments. Identify the problem where it belongs.
    Beneath every problem are issues that need to be solved. Don't solve the issues and the problems will remain.

  3. Al Mo
    June 14, 2014 at 5:57 am

    It's not the Government that is robbing banks, corrupting ATM machines, stealing credit card info, stealing Identities, copying CD's DVD's to steal away profits from companies trying to get just due compensation for their products and investments. Identify the problem where it belongs.
    Beneath every problem are issues that need to be solved. Don't solve the issues and the problems will remain.

  4. Kelalole
    June 13, 2014 at 6:27 pm

    When it comes to products which I have paid for, thereby making them my own property, I will do everything in my power to remove or circumvent Digital Restrictions Management. The DMCA is a prime example of why politicians should not be allowed to write laws, it needs to be repealed. Just as with gun control laws, DRM has no effect on criminals, it only serves to handicap everyone else. This is one of the great reasons to support FOSS.

  5. Robert B
    June 13, 2014 at 6:02 pm

    I agree with you 100%, I have pretty much given up on the notion of effecting real change in our laws at least here in the US because I believe that 100% of our elected officials especially at the federal level are CORRUPT and on the take from corporate America. However we consumers do have a very effective tool at our disposal if we would just get enough organized and on the same page and that is called BOYCOTT! We gamers should pick the worse offending publishers, EA comes to mind, and not purchase anything from them for as long at it would take to put them out of business. The rest of the industry would get the hint and stop using DRM. DRM does not do anything to stop piracy just check that availability on a new game the day it is released on bit torrent. All DRM does it to inconvenience the companies paying customers along with causing security problems for their computers.

  6. Jeremy D
    June 13, 2014 at 5:50 am

    Where can I get those stickers at the top of the page?

  7. Michael M
    June 12, 2014 at 8:03 pm

    don't even get me started about diablo3 and other drm companies that make you stay allways on with no off-line play