When an audio CD infects your computer with anti-copying software, it installs its own player. This player is intended to allow minimal, listen-only use of your CDs, while locking you out of copying those tracks to an unauthorized portable device, your laptop, or your next computer. However, these players fail miserably, because they are amateurishly implemented and can be defeated by minimally skilled attackers.

Princeton's Ed Felten and Alex Halderman have published the final installment in a brilliant series of excerpts from a paper-in-progress on lessons learned from the Sony DRM disaster, in which the company incurred millions in legal liability for deliberately infecting its customers' computers with anti-copying software that left them vulnerable to worms and viruses, destabilized their computers, and spied on their actions.

In today's installment, Ed and Alex talk about attacks on the custom players installed by the DRM on Sony's crippled CDs. These players were meant to impose restrictions on users, but they made many common beginners' security mistakes, leaving them vulnerable to simple attacks that could disable their restrictive behavior.

It is well known that DRM systems like this are vulnerable to rollback attacks. In a rollback attack, the state of the machine is backed up before performing the limited operation (in this case, burning the copy). When the operation is complete, the old system state is restored, and the DRM software is not able to determine that the operation has occurred. This kind of attack is easy to perform with virtual machine software like VMWare, which allows the entire state of the system to be saved or restored in a few clicks. The XCP and MediaMax both fail under this attack, which allows unlimited copies to be burned with their players.

Link

Previous installments of the Sony DRM Debacle Roundup: Part I, Part II, Part III, Part IV, Part V

(Sony taproot graphic courtesy of Sevensheaven)