Forget emails: hackers are turning to subtitle files as a new attack vector. When a victim downloads a malicious subtitle file, attackers can exploit vulnerabilities in popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io, in turn gaining complete control of the victim's device.
Check Point notes that this type of attack is often overlooked by security firms. “Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files. This means users, Anti-Virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk.”
“This method requires little or no deliberate action on the part of the user, making it all the more dangerous.”
The attack takes advantage of poor security in the way media players process subtitle files. There are over 25 subtitle formats, and media players integrate their features and capabilities using different, often fragmented software, which creates the vulnerabilities. With this attack, hackers can gain absolute control of the device, whether a PC, a smart TV, or a mobile device. They can do anything they wish, from stealing sensitive information and installing ransomware to launching mass Denial of Service attacks, and much more.
Check Point estimates that the affected users number in the hundreds of millions. “Each of the media players found to be vulnerable to date has millions of users, and we believe other media players could be vulnerable to similar attacks as well.”
VLC has over 170 million downloads of its latest version alone, released June 5, 2016. Kodi (XBMC) has reached over 10 million unique users per day, and nearly 40 million unique users each month.
Check Point has tested and identified vulnerabilities in VLC, Kodi, Popcorn Time and Stremio. “We have reason to believe similar vulnerabilities exist in other media players as well.” Check Point has since disclosed and reported all vulnerabilities and exploits to the developers of the vulnerable media players. Some of the issues have been fixed, with others still under investigation. No further technical details have been publicised to allow time for developers to deploy patches.