Movie Subtitle Tracks Let Cyber Attackers Take Complete Control of Devices

The discovery was made by Israeli cybersecurity firm Check Point. The researchers estimate there are around 200 million video players and streamers currently susceptible to the technique, making it one of the most widespread, easily accessed and tough to resist computer weaknesses yet identified. VLC, Kodi, Popcorn Time and Stremio, the world's most popular media players, were all found to be susceptible to the shakedown.

​Cyberattackers typically strike using one of two methods — they either persuade individuals to visit a malicious website, or trick them into running a malicious file on their computer. However, this cyberattack method is entirely novel, and doesn't rely on human gullibility or error to thump users — instead, the attack is delivered when a film's subtitles are loaded by the user's media player.

As the tactic requires little or no direct, deliberate action on the part of users, it's a dangerous con indeed. Moreover, unlike traditional cyberattack methods, of which security firms and users alike are widely cognisant, movie subtitles are perceived as nothing more than benign text files.

As a result, anti-virus software and other security solutions are blind to a malicious subtitle file's true nature.

​Making cyberattackers' work all the easier is the proliferation of online subtitle repositories — many media players download subtitles from these resources automatically, meaning cyberattackers need only upload malicious subtitle tracks to take complete control over an entire subtitle supply chain, and in turn, a user's computer.

These repositories are viewed as a trusted source by media players. Check Point found these sites can also be manipulated and be made to award the attacker's malicious subtitles a high rating, resulting in those specific subtitles being automatically downloaded by media players.

Given the popularity of third party media players, the scale of the potential problem is almost unimaginably vast — the latest version of VLC alone has been downloaded over 170 million times, while Kodi attracts over 10 million unique users daily.

Cyberattackers can take complete control of any device running malicious subtitles — whether it is a PC, smart TV or mobile device — and inflict illimitable damage, stealing sensitive information, installing ransomware, conducting mass denial-of-service attacks (DoS), and much more.

For Matthew Hickey, cofounder of My Hacker House, the good news is the vulnerability has only just been identified.

In other words, while cybersecurity experts have only just gotten wise to the issue, it's likely too that cyberattackers have only recently become cognisant themselves — if at all.

"Vulnerabilities are identified almost daily — often weaknesses go unnoticed as they do not cause the computer to crash or malfunction. It's only once somebody looks for the problem that it is identified. Client-side attacks, like those present with subtitles can be exploited through opening other kinds of documents — the subtitles vulnerability is more prominent as it impacts more than one software package and can be exploited through poisoned subtitle sharing sites," Mr. Hickey told Sputnik.

Nonetheless, he warns that users should be careful when opening movies from third parties — especially content downloaded from torrent sites.

He urges the public to ensure they apply security updates for all third party media software promptly.    

The researchers believe the same Achilles heel is present in almost every media player on the market.

The firm reported their findings to the media player's developers, and some of the issues have already been fixed, while others are under investigation.

Fixed versions of the media player quartet can be downloaded on their respective official sites.