Millions of PCs, Smart TVs, and mobile devices are now vulnerable to malicious video subtitle files which are being used by hackers to infiltrate such devices.
The new-found subtitle vulnerability enables hackers to take control of systems via video players and streaming services.
Check Point researchers discovered major subtitle vulnerabilities in the popular VLC player that allowed hackers to gain control of devices where the player was installed. Four such vulnerabilities, namely CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313, were reported to VLC developers, who acted quickly and introduced patches before the vulnerabilities became known to the rest of the world.
“This is a brand new attack vector. We haven’t seen this type of attack yet in the wild. But we believe there are upwards of 200 million video players and streamers vulnerable to this type of attack,” said Omri Herscovici, team leader for products research and development at Check Point.
Similar vulnerabilities have been discovered in other video players and services such as Kodi, Stremio and Popcorn Time, but researchers at Check Point are refusing to elaborate on them until they are patched. The total number of affected PCs, Smart TVs, and mobile devices is estimated at around 200 million.
“By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device,” said Check Point in a blog post.
“The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, Mass Denial of Service attacks, and much more,” the security firm added.
Check Point has also explained the modus operandi of hackers exploiting the new-found subtitle vulnerability. Hackers encourage users to visit a malicious website to stream videos and then persuade them to download and run malicious subtitle files on their systems. Affected media players and streaming services use poorly written subtitle-parsing code, which allows hackers to infect subtitle files with malware.
“These repositories hold extensive potential for attackers. Our researchers were also able to show that by manipulating the website’s ranking algorithm, we could guarantee crafted malicious subtitles would be those automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain, without resorting to a man-in-the-middle attack or requiring user interaction,” Check Point added.