EXECUTIVE SUMMARY

Malicious subtitle files are making media streaming platforms into an easy attack vector for taking over TV’s, computers and mobile devices. What’s worse, attackers can manipulate infected subtitle files to make media players download them automatically; no human help needed. Potentially 200 million video players are subject to this attack that typically evades Antivirus and other security measures. VLC, Kodi, Popcorn Time, and Stremio are four of the most prominent media players found to be vulnerable. The potential damage to users includes information theft, installing ransomware, Denial of Service (DoS) attacks, and more.

Read the full story….

A new attack vector, dubbed ‘Hacked in Translation,’ threatens millions of users worldwide. By creating malicious subtitle files, attackers can take complete control over any type of device via vulnerabilities found in many popular media streaming platforms.

Discovered by researchers from Check Point Software, the vector potentially impacts close to 200 million video players and streamers that currently run the vulnerable software. And because it’s so widespread, this makes it one of the most, easily accessed zero-resistance vulnerability reported in recent years.

How it Works

Subtitles for films or TV shows are created by a wide range of subtitle writers, and uploaded to shared online repositories, such as OpenSubtitles.org. From there, they are indexed and ranked. While exploring the vulnerability, researchers demonstrated that hackers can easily craft malicious subtitle files and manipulate the ranking algorithm. As a result, malicious subtitles could then be automatically downloaded by the media player—giving hackers complete control, without user interaction.
What makes this especially notable is that movie subtitles have traditionally been viewed as simple text files. Because of that, antivirus and other security solutions are not prompted to inspect on a deeper level. This boosts the risk of exposure tremendously.

The Secret Sauce

The attack vector takes advantage of two things: the way media players process subtitle files, and the large number of subtitle formats. For instance, there are more than 25 subtitle formats in use, each with unique features and capabilities. Each media player uses a different method and players often need to parse together multiple subtitle formats to ensure coverage and provide a good user experience. In situations that involve fragmented software, you typically see numerous distinct vulnerabilities.

The Bottom Line

Hackers can take complete control over any device running subtitles. In other words, the attacker can do anything with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage is endless, ranging anywhere from stealing sensitive information, installing ransomware, inflicting mass Denial of Service (DoS) attacks, and more.

Which Media Players are Affected?

VLC, Kodi, Popcorn Time, and Stremio are four of the most prominent media players—all have been tested and found to be vulnerable. Check Point researchers believe similar vulnerabilities exist in other media players, as well. In the course of their investigation, the researchers reported all vulnerabilities and exploits to the developers of the vulnerable media players. Some of the issues were already fixed, while others are still under analysis.

Watch a demo of how this attack vector plays out.