HD-DVD, Blu-ray AACS Copy Protection Broken
Exploit developed within 6 months of launch. Hackers win, but for how long?
by Gerry Block
January 25, 2007 - In the run-up to the launch of the next-gen DVD formats HD-DVD and Blu-ray, a great deal was made of the new formats and the manner in which each would attempt to limit the ability of hackers to break copy protection and rip the data. Hollywood studios have been in a tizzy since CSS copy protection on regular DVDs was broken, and cited a pressing need to prevent pirates from jacking movies in full 1080p resolution. HD-DVD and Blu-ray make use of two methods of controlling the data: the HDCP "protected-pathway" of hardware authentication, and AACS signal encryption.
As we discussed last year, critical weaknesses with the HDCP system were discovered early in its development process. It has turned out, however, that AACS encryption is actually the first component of next-gen DVD to have been dismantled by the hacking community. In late December a hacker known as muslix64 posted on the Doom9 forums claiming to have defeated AACS. Two days later the individual posted the source code for the tool he developed for the process, BackupHDDVD.
The utility itself only does half the job, however. AACS encryption is based upon an exchange of title and volume keys between player and media. BackupHDDVD does not extract these keys, but merely uses known values to unlock the movie content from AACS protection so that it could potentially be ripped. In posts following his original announcement, muslix64 vaguely indicated that it was possible to extract keys held in memory when HD-DVDs are played with PowerDVD software on Windows computers. The developer of PowerDVD, Cyberlink, has been vociferous in denying that its software could be the source of the extracted keys.
Weeks after the first announcement, Doom9 forum members were able to exploit InterVideo WinDVD 8 and extract keys for four HD-DVD releases, which are now distributed with BackupHDDVD. Shortly afterwards, about two weeks ago, history was made when a 20GB, 1080p rip of Serenity appeared on BitTorrent tracking lists. Just days ago muslix64 returned to announce an alpha version of BackupBluRay, a utility quite similar to BackupHDDVD that relies upon the same method of extracting keys stored in memory to circumvent AACS.
Exactly how long the hacking community will remain victorious in its battle with AACS remains to be seen. The AACS system was designed for the contingency of leaked or extracted keys and has integrated means of revoking player keys. The process would be as simple as pressing new HD-DVD discs that will insist, on attempted playback, upon updating the player software to lock out the compromised keys. There is debate, however, over exactly how specific the AACS Forum is able to be with regard to revoking keys, and locking out a player key may have consequences for uncompromised products. What headaches this system may cause for early-adopting consumers remains to be seen. Considering the long history of bumbling responses to such developments in the past, we have limited faith that the AACS Forum and movie studios will develop a well-reasoned response.
The AACS exploit was likely developed faster than the encryption designers expected, and it is yet another example of the ongoing truth that the talent and motivation of the internet collective is always superior to that of the groups that design the defenses. The BackupHDDVD/BluRay programs are, however, based upon an exploit and do not break AACS to the degree that DeCSS cracks CSS encryption on normal DVDs. Regardless, the fact that 1080p rips are being distributed on the net within roughly 6 months of the release of HD-DVD and Blu-ray into the wild should once again cause the movie studios to consider whether they are pursuing a wise path in their approach to DRM and encryption. The process of ripping next-gen DVDs was not developed by Chinese pirates with replicator facilities but by activist-enthusiasts who are more interested in being able to enjoy their media without restriction than in profit-making piracy.
Stay tuned for more on this front as it develops.