Check Point researchers discovered a new attack vector that could allow hackers to create malicious subtitles to target users of popular media platforms to gain complete control of users’ PCs, mobiles, and smart TVs

Check Point® Software Technologies Ltd. (NASDAQ:CHKP) today announced its security researchers revealed a new attack vector threatening hundreds of millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio. By crafting malicious subtitles, which are then downloaded by viewers, attackers can potentially take complete control of any device running the vulnerable platforms.

Subtitles Hackers
Image source: YouTube Video Screenshot

“The supply chain for subtitles is complex, with over 25 different subtitle formats in use, all with unique features and capabilities. This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers,” said Omri Herscovici, vulnerability research team leader at Check Point. “We have now discovered malicious subtitles could be created and delivered to millions of devices automatically, bypassing security software and giving the attacker full control of the infected device and the data it holds.”

Check Point’s research team tested and found vulnerabilities in four of the most popular media players: VLC, Kodi, Popcorn Time and Stremio, and followed responsible disclosure guidelines to report the vulnerabilities. By exploiting vulnerabilities in these platforms, hackers were able to use the malicious files to take over the devices playing the media.

The subtitles for films or TV shows are created by a wide range of subtitle writers, and uploaded to shared online repositories, such as OpenSubtitles.org, where they are indexed and ranked. Check Point researchers also demonstrated that by manipulating the repositories’ ranking algorithm, malicious subtitles can be automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain without user interaction.

Since the vulnerabilities were disclosed, all four companies have fixed the reported issues. Stremio and VLC have also released new software versions incorporating this fix. “To protect themselves and minimize the risk of possible attacks, users should ensure they update their streaming players to the latest versions,” concluded Herscovici.

VLC has over 170 million downloads of its latest version, released June 5, 2016. Kodi (XBMC) has reached over 10 million unique users per day, and nearly 40 million unique users per month. No current estimates exist for Popcorn Time usage, but it is estimated to be tens of millions. Check Point has reason to believe similar vulnerabilities exist in other streaming media players.

To learn more, visit the Check Point blog:  http://blog.checkpoint.com/2017/05/23/hacked-in-translation/

A video of how the attack works can be found below

Follow Check Point via:

Twitter: http://www.twitter.com/checkpointsw

Facebook: https://www.facebook.com/checkpointsoftware

Blog: http://blog.checkpoint.com

YouTube: http://www.youtube.com/user/CPGlobal

LinkedIn: https://www.linkedin.com/company/check-point-software-technologies

About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. (www.checkpoint.com) provides industry-leading solutions and protects customers from cyberattacks with an unmatched catch rate of malware and other types of threats. Check Point offers a complete security architecture defending enterprises – from networks to mobile devices – in addition to the most comprehensive and intuitive security management. Check Point protects over 100,000 organizations of all sizes.