International and foreign-language film fans beware: Check Point researchers have uncovered a new attack vector that uses malicious subtitles to infect devices via their media players.
According to Check Point, the gambit threatens millions of users worldwide via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. All have issued patches, and users should update immediately.
“We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years,” Check Point researchers said in a blog, cleverly entitled “Hacked in Translation.”
By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device, whether a smart TV, laptop, tablet or phone. Once the hackers are in, they can do anything from stealing sensitive information to installing ransomware and carrying out mass denial-of-service (DoS) attacks.
In practice, users and media players treat subtitle repositories as a trusted source. Check Point's research also reveals, however, that those repositories can be manipulated into awarding the attacker’s malicious subtitles a high score, which results in those specific subtitles being served to the user.
“This method requires little or no deliberate action on the part of the user, making it all the more dangerous,” Check Point noted. To boot, movie subtitles are perceived as nothing more than benign text files, so users, antivirus and other security solutions don’t flag them as being potentially concerning.
The issue, according to the firm, starts with complexity: there are more than 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse multiple subtitle formats to ensure coverage and provide a better user experience, and each media player uses a different method to do so.
“Like other, similar situations which involve fragmented software, this results in numerous distinct vulnerabilities,” Check Point said.