Hacker Claims to Have Cracked Next Gen DRM Standard

A hacker who calls himself Muslix64 has Hollywood and music studios on edge this New Year's Eve weekend as they wait to see whether their latest digital rights management software standard will work as designed.

Muslix64 has posted on the Internet the tools and title keys he said he has used to decrypt the next generation DRM standard for high definition DVDs.

Called Advanced Access Content System, or AACS, this standard has been adopted by most of the major Hollywood and music studios to protect the newest DVDs and CDs. Muslix64 also posted a video of the decryption on YouTube.

Story Still Unfolding

Muslix64's claims are only the first part of the story, though, which is still unfolding, Greg Coticchia, senior vice president and chief marketing officer of Cloakware, a DRM provider, told TechNewsWorld.

In contrast to earlier DRM standards such as Content Scramble System, or CSS, he said, AACS was developed to allow licensers to revoke the title keys when a hack occurred in order to protect future content. "People have been predicting this crack [of AACS] for some time. Now we will see how AACS responds."

To work as it should, AACS has to overcome a few challenges first, though.

It is true that AACS has a built-in ability to revoke individual players or groups of players, unlike earlier systems such as CSS, Carter Laren, senior security architect at Cryptography Research told TechNewsWorld.

"The main difficulty that AACS will have in responding to this attack, however, will be determining which player(s) to revoke. Muslix64 has not actually released any player keys or detailed information about how the keys were obtained," he said, noting that the source code that was released simply implements AACS decryption, but doesn't include keys.

Also, in the YouTube video, it was implied that title or player keys was obtained from Cyberlink's PowerDVD -- at least that is what was used in the demonstration video to play the content, Laren said.

"We shouldn't be too quick to jump to that conclusion: the keys could just have easily come from a different HD DVD player, and the Cyberlink player may have just been a convenient way to demonstrate playback," Larem continued.

"If the hacker only releases title keys, tracking the hack down will remain tough. Nevertheless, I'm sure at this very moment the handful of companies that make HD DVD players are updating their software in an attempt to make extracting keys more difficult," he concluded.

Hacked or Not?

All the fuss over the hack, though, may be for nothing. It is not entirely clear that AACS was cracked in the first place, according to Laren.

"Instead, keys appear to have been extracted from a specific implementation of an HD DVD player, and to my knowledge the AACS group never officially claimed that stealing keys was impossible -- that would be a silly thing to claim," he claimed.

Mary Litchhult, vice president of TitleMatch Entertainment Group, a company that produces DVDs of most movie titles on demand, is among those hoping Muslix64's claims are overblown, even though the DVDs it produces are not high definition and are protected by the CSS standard.

"These hackers operate, it seems, for the thrill of the kill," she told TechNewsWorld. "They want to be able to say they cracked a difficult-to-hack standard."

CSS, for instance, was cracked soon after it was introduced by the infamous "DVD Jon."

The end result is increased costs for both movie studios, and eventually, consumers, she said.

"This has become a cat and mouse game for the movie studios," Coticchia explained. "No matter what you put out, there will be someone who will try to figure out how to get around it."

The latest school of thought for copyright protection is to make security inseparable from the source, such as with the AACS standard. "That is seen as the key to security as long you are not preventing ease of use," Coticchia added. "That is the balance content providers are trying to strike."