I Know What You Streamed Last Night: On the Security and Privacy of Streaming

Alexios Nikas (a), Efthimios Alepis (b), Constantinos Patsakis (b)

(a) University College London, Gower Street, WC1E 6BT, London, UK
(b) Department of Informatics, University of Piraeus, 80 Karaoli & Dimitriou str, 18534 Piraeus, Greece

Abstract

Streaming media are currently conquering traditional multimedia by means of services like Netflix, Amazon Prime and Hulu, which provide millions of users worldwide with paid subscriptions to watch the desired content on-demand. Simultaneously, numerous applications and services that infringe this content by sharing it for free have emerged. The latter has given ground to a new market based on illegal downloads, which monetizes through ads and custom hardware, often aggregating peers to maximize multimedia content sharing. Regardless of the ethical and legal issues involved, the users of such streaming services number in the millions, and they are severely exposed to various threats, mainly due to poor hardware and software configurations. Recent attacks have also shown that they may, in turn, endanger others as well. This work details these threats and presents new attacks on these systems as well as forensic evidence that can be collected in specific cases.

Keywords: Security, Privacy, Streaming, Malware, IoT

1. Introduction

The deployment of Internet of Things (IoT) devices and services is accelerating, and most major mobile network operators consider Machine-To-Machine (M2M) communication networks a significant source of new revenue [1]. However, whilst IoT is characterized by heterogeneous technologies that concur in the provisioning of innovative services in various application domains, meeting the respective security and privacy requirements in these domains becomes increasingly important [2]. In the light of the radical changes that have occurred in the telecommunication industry over the last decade, a series of novel services and applications have been enabled. For instance, the increase in the available data bandwidth allowed for the sharing and consuming of multimedia content from

Email addresses: [email protected] (Alexios Nikas), [email protected] (Efthimios Alepis), [email protected] (Constantinos Patsakis)

Preprint submitted to Digital Investigation

March 12, 2018

almost all our devices, utilizing local and remote network settings. Foreseeing this shift, service providers have correspondingly redesigned their service and content delivery mechanisms. This evolution is so disruptive that it has totally changed the media market, as people are continuously leaving traditional media, whether newspapers or TV, and shifting towards their corresponding on-line peers. The most important factor attracting people towards this turn is the fact that they can choose the content they want at the time they want it. This incentive is rather significant since, up to recently, traditional media, due to their nature, could not serve content on demand. Focusing on multimedia, the discussion primarily points towards sports and entertainment. Film studios and subscription TV providers are following this trend by shifting their services to on-demand content delivery, streaming content to the corresponding subscribers for a predefined cost. However, since the focus is on digital content, which replicates rather easily, people are able to share content with others who are not authorised to receive it. In fact, unauthorised multimedia content sharing has become an increasing online illegal trend. For instance, many mobile apps that illegally stream famous movies and TV series have recently been uploaded to mobile app stores [3, 4]. Yet, the effectiveness of current measures to counter pirated content is not apparent [5, 6, 7, 8, 9]. In spite of the ethical and legal aspects of these user actions, this work studies the security and privacy implications of working with this kind of apps and devices, as the number of users of such solutions is in the scale of millions. After a thorough investigation into the related scientific literature we have come to the conclusion that this is the first work to study these applications under this perspective.

Namely, through our experiments we have successfully identified more than 100,000 users worldwide who are using similar services and apps while having their devices directly connected to the Internet with poorly configured security settings, e.g. using default user names and passwords. This inevitably exposes them to numerous security and privacy threats, which are thoroughly analysed hereafter. Going a step further from the personal security and privacy issues, our results also indicate that the number of devices that could be used for campaigns such as the recent Ukraine power grid cyberattacks, or as bots for the next Mirai, is beyond any measure and, even worse, the methods to penetrate thousands of them already exist.

1.1. Ethical considerations

While all the information used throughout this work has been erroneously made public, mainly due to misconfigurations or to the data owner’s lack of knowledge, we deliberately refrain from identifying the users, and we opted not to collect personal data apart from those necessary for the production of statistics and screenshots that illustrate the problem’s magnitude. Despite the “public” nature of these data, we follow Zimmer’s approach [10]: “this logic of “but the data is already public” is an all-too-familiar refrain used to gloss over thorny ethical concerns”.


During our experiments we did not penetrate any of the users’ devices, since we attempted to confirm our claims by performing no more actions than those absolutely necessary. Similar approaches have already been taken in the literature, e.g. [11, 12].

1.2. Structure of this work

The rest of this work is organised as follows. In the next section we review the related work. Then, in Section 3 we discuss potential target applications and services and provide some usage statistics. In Section 4 we focus on the specific use case of Kodi, an app used by millions of users, for which two malicious applications were implemented to simulate two of the most serious attacks. Apart from discussing further threats exposed by similar services, we also present forensics methods targeted at the Kodi platform, allowing an investigator to efficiently collect relevant information from the respective devices. Furthermore, in Section 5 we outline measures that could improve the security of such applications, and the article concludes in Section 6, where our findings are analysed and discussed.

2. Related Work

IoT has penetrated our daily lives and businesses, as the number of IoT devices in use has surpassed the number of smartphones, tablets and PCs combined. Consequently, streaming applications over Peer-To-Peer (P2P) systems, as an inextricable part of the IoT, have gained enormous popularity too. To this end, Liu et al. [13] provide a survey of the existing P2P solutions for live and on-demand video streaming. Their work illustrates representative P2P streaming systems, including tree, multi-tree and mesh based systems. They also describe the challenges and solutions of providing live as well as on-demand video streaming in P2P environments. Nevertheless, it seems that neither the scientific literature nor the available software solutions have yet reached maturity as far as the security aspects of this domain are concerned. Indeed, Gheorghe et al. [14] state that, regarding P2P streaming applications, there are neither best practices in system design, nor widely accepted attack models, nor measurement based studies on security threats to P2P streaming, nor even general surveys investigating specific security aspects of these systems. Fischlin et al. approach the security of channels designed to securely convey a stream of data from one party to another by narrowing the gap between them and real-world transport layer security protocols [15]. Their approach sheds light, in a formal way, on recent attacks, in particular concerning the use of HTTP over TLS, confirming a disjunction between applications’ expectations on the one hand and the guarantees that secure streaming channels provide on the other. They conclude by highlighting the need for detailed API specifications and security guarantees for such protocols. For more on streaming systems one may refer to [16].


The prevailing shift towards streaming pirated content is prominently depicted in the recent survey of YouGov (1), which highlights that approximately 5 million people in Britain are using pirated streaming services, while this number is expected to increase in the near future by more than 2.5 million. On top of that, companies have been reported to ship Kodi boxes with pirate streaming add-ons preinstalled [17]. In spite of that, the task of identifying pirated content, especially when users collude, is not trivial [18], and the effectiveness of current measures is questionable [5, 6, 7, 8, 9]. Lee et al. [19] illustrate attacks on commercial on-line music streaming services that lead to copyright infringement, and they propose countermeasures for on-line commercial music streaming services. In particular, they analyse three vulnerabilities of the respective portal sites and present the actual attack scenario and processes. Finally, they conclude their work by suggesting music streaming service countermeasures for the discussed vulnerabilities. Niemietz et al. [20] investigate attack models for Smart-TVs and their apps, focusing on the security of Smart-TV devices. They examine off-the-shelf TVs from major vendors and report vulnerabilities including, among others, unencrypted traffic in popular apps, poor implementation of TLS and theft of device data and credentials. Tools like ZMap [21], which enable fast scanning of the whole Internet to identify individual machines, can, when integrated into search engines, give rise to powerful technologies such as Shodan [22], the most well-known search engine for Internet-connected devices. As a matter of fact, using Shodan researchers have managed to identify thousands of vulnerable devices [11] that could be trivially exploited due to their poor configuration, the usage of default credentials, etc.

(1) https://yougov.co.uk/news/2017/04/20/almost-five-million-britons-useillegal-tv-streami/

3. Target applications and services

During our research we studied an extensive number of platforms in order to provide a more holistic overview of the current landscape. Since the content of services such as Netflix and Hulu is considered legitimate, our study targeted platforms that are known to host illegal content. Apparently, not all of these platforms are illegal, as they primarily serve many legitimate services necessary to several applications. Nonetheless, there is the risk of applying extensions to those platforms that allow people to stream unauthorised content, or that allow an adversary to monitor their usage and even execute arbitrary code remotely. In this context, we have studied the following systems:

• Kodi is a media player with great extensibility. Users can watch movies, browse photos or listen to music regardless of whether the content is stored locally or remotely. Developers are able to develop add-ons for Kodi to provide various services ranging from weather information to multimedia streaming. While add-ons can be considered independent applications, they are often shipped with other software in the form of an OS, like OSMC, OpenELEC and LibreELEC, so as to facilitate installation in small devices such as the Raspberry Pi. Add-ons could potentially threaten users’ privacy, as they may run malicious code in parallel with the underlying service. Therefore, Kodi’s built-in remote service is disabled by default. Still, in many installations, like OSMC, OpenELEC, and LibreELEC, it is open by default on port 8080. The Kodi web server, namely Chorus, is based on libmicrohttp; it does not use any encryption and its default setting is without any authentication, thereby allowing users to send “raw” commands to the device. Hence, anyone with access over the LAN (or even the WAN) could send commands to Kodi and even take full control of the app/device.

• Cuberevo is a multimedia streaming service running on a Linux OS.

• CCcam server can be considered a cardsharing server, where “sharing” is interpreted as the accessing of digital packages when connecting to a CCcam server via the Internet. Perhaps the most basic function of this server is to transfer the encrypted channel codes over a network to the IoT devices connected to that server. The purpose of this product is to provide a multimedia streaming service, mostly found in IPTVs.

• Newcamd is also a cardsharing server very similar to CCcam, yet they use different protocols.

• OpenViX is a community based open source project focused on developing user friendly and easy to use Linux Enigma 2 set top box software. OpenViX offers TV streaming services along with relevant information.

• Woosh is a live streaming service that can be embedded in websites and is widely used by radio stations.

• OpenPLi is a community project for developing open source Linux DVB receivers using the Linux operating system and the Enigma 2 application.

• OpenWebIf is an open source web interface for multimedia streaming. The OpenWebIf action allows users to send messages to Enigma2-based Linux satellite receivers having the OpenWebIf plugin installed.

• TOPFIELD is a consumer electronics manufacturer making broadcasting receivers and other video and audio related apparatus. Their main business is the making of products such as set top boxes (STBs) and personal video recorders (PVRs) used with satellite or digital television. A Topfield Application Program (TAP) is a software application which extends the standard functionality of the Topfield products and is designed basically for digital TVs. Examples of TAPs are electronic programme guides, digital photo viewers and MP3 players.

• Coolstream is a company that makes audio streaming devices. It provides a variety of streaming solutions, such as the “CoolStream Bluetooth” receiver, an inexpensive solution for streaming music from users’ phones to iPhone/iPod docking stations or to car stereos.

• Roku is a TV streaming service used in devices that connect to a TV. A Roku streaming device gets data (the video stream) via a wired or Wi-Fi connection to an Internet router. The device can be connected to any television set or other video display device with appropriate input connections.

• Kathrein is a company manufacturing hardware components for broadcasting and similar services. It is the world’s oldest and largest antenna manufacturer.

• Vu+ is a company that makes TV boxes used for streaming. The company produces a series of Linux-powered DVB satellite and terrestrial digital television receivers. “Open Black Hole” is an open source project for making unofficial third-party OpenPLi based images for newer Vu+ set-top boxes.

• MediaTomb is an open source media server with a web interface. MediaTomb allows users to stream their digital multimedia content through their home network and to listen to or watch it on a variety of UPnP compatible devices. The platform implements the UPnP MediaServer V 1.0 specification that can be found on http://www.upnp.org/.

• Emby is a media server with a web interface (MB3) designed to organize, play, and stream audio and video to a variety of devices. Emby uses a client-server model and it is considered an open-source software solution with a small number of closed-source components as of August 2017. Emby Server and clients have been developed for a variety of OSs such as Windows, Linux, OS X and FreeBSD. Its mobile clients have been developed for Android, iOS, and Windows Phone.
It must be highlighted that, while there are systems advertised and sold by third parties on the Internet with customized versions of the aforementioned software products preinstalled in order to stream illegal content, there are also other cases where users are encouraged, as reported in a number of forums, to install and execute third party code and firmware to access copyrighted streaming content. As already stated, analysing the ethicality of this trend is beyond the scope of this work. Nonetheless, in the context of our work it should be reported that thousands of users are installing devices in their premises that allow arbitrary code from unknown sources to be executed with little control and auditing from the corresponding communities.

To quantify the extent of usage of these systems we selected three popular search engines for Internet-connected devices, namely Shodan, ZoomEye [23] and Censys [24]. One could expect that devices using the above listed software are not, or more precisely should not be, unrestrictedly and directly connected

System                     Shodan   ZoomEye   Censys
Kodi                         2543      2078     2441
CubeRevo                       29       306       32
CCcam                         273      3341      568
Newcamd                         4       180       67
OpenViX                       137      1494     2952
WOOSH                          15        53       69
OpenPLi                      2655      7270     6033
OpenWebIF                    8816     30551     8769
Enigma 2                     4140     16463     2336
TOPFIELD                       31      1380      208
COOLSTREAM                    326      4179      294
ROKU                        12574     12294    25576
KATHREIN                      260      1300      172
VU+                          1738     21241     1145
MediaTomb                    1317      2563       84
Emby                          744       796      528
DVBViewer Media Server         57       376       28
Tvheadend                    5749      4578       84
MythTV                        177      1249      413
jriver                         34       258       54
nextpvr                         6        56       16
geexbox                         2         5       13
Sum                         41637    112011    51882
Max sum                                        128411

Table 1: Usage statistics.

to the Internet. Yet, thousands of them can be discovered by running simple queries. Table 1 summarizes the results of these queries for each system. Combining these results by taking the max of each row, more than 120 thousand unique devices were identified.

3.1. User exposure

In view of the fact that the discovered systems should not be directly connected to the Internet, as already discussed, our results are similar to those found in [11]. Most of these systems are not designed to provide any security mechanism by default, and even when they have one, users tend to use default credentials, making the systems easy to monitor or control. The highlighted rows in Table 1 indicate systems which could be remotely controlled, either via direct access or via default credentials, whereas Figure 1 depicts some screenshots of this kind of streaming systems. While the case of Kodi will be analysed in the following section, there are also other systems putting users at great risk. For instance, there are many

machines using MediaTomb with either no credentials or with the default ones. Notably, many of these share copyrighted material (see Figure 1b) and allow an adversary to control the system remotely. In the case of Enigma2, although most machines require authentication, the use of the default credentials exposes many such systems. Having logged in, the adversary has full control of the system (see Figure 1c) and can thereby see, and even manipulate via the web remote, the content the user watches (Figure 1d). In other interfaces, such as Kathrein and OpenWebIf (see Figures 1e and 1f respectively), one can see the user preferences, watch user recordings, or further manipulate user settings. We consider that a brute force attack on the rest of the systems would recover even more exposed machines, as e.g. combinations of strings like root, dreambox, “”, and vuplus are reportedly used by default in many of those. Furthermore, since many users tend to use rather insecure passwords, the use of a wordlist could reveal far more machines. However, we deem this step to be beyond the scope of this work, as our research objective is to highlight the user threats and not to break into every available open and misconfigured system. Essentially, our work underlines that users are exposed to the following threats:

• Security issues targeted at users. Such issues can vary from annoying, e.g. remotely shutting down the device or changing recordings and programs, to remote arbitrary code execution (more is to be discussed in the following section).

• Security issues targeted at third parties. Compromised user machines can be used for a number of malicious acts, such as Distributed Denial of Service attacks. These attacks are becoming very popular in the IoT era, with smartphones having already been compromised by such acts [25]. The recent cyber attacks in Ukraine, as well as the Mirai malware incident [26], have firmly stressed that vulnerable devices with direct Internet access may cause huge security issues.

• User profiling. The preferences of the user, as well as their sleeping and working patterns or their family status, can be easily inferred in real time, thereby compromising their privacy. It is worthwhile to note that many ad networks are currently using many rogue ways to collect such personal information [27].

Furthermore, using the Shodan API we were able to draw some additional statistics. In each query we kept the top 20 results in terms of operating system, country, city and ISP of the host device. The aggregated results for countries and ISPs are shown in Table 2, while Figure 2 illustrates a map with cities having more than 50 users. The statistics for the underlying operating system were rather poor, as not all queries were successful. Nevertheless, as far as the collected results indicate, the prevailing OS are *nix based machines, attributed probably to the fact that Linux based distributions can be installed in many low-end devices. Interestingly though, Shodan reported only Linux machines with old kernels, mostly 2.6.x and all the others 3.x. Although the latter may


Figure 1: Screenshots of remotely controlled machines.
(a) Controlling Kodi remotely.
(b) MediaTomb contents.
(c) Sending commands to Enigma2.
(d) Screenshot of what the user watches from Enigma2.
(e) User preferences from Kathrein.
(f) Screenshot from an open OpenWebIf streaming.


Country   Users     ISP                          Users
US        12406     Deutsche Telekom AG           4333
DE         8498     Time Warner Cable             1605
KR         2082     Comcast Cable                 1173
ES         1524     Korea Telecom                  929
GB         1438     Vodafone DSL                   754
PL         1056     AT&T U-verse                   717
IT         1029     Vodafone Kabel Deutschland     584
AT         1024     O2 Deutschland                 556
SE          855     Lg Powercomm                   548
MT          759     SIA Lattelecom                 503
NL          749     Telecom Italia                 476
FR          745     SK Broadband                   472
CA          573     Telefonica de Espana           462
LV          571     Telekom Austria                419
JP          543     Melita plc                     408
PT          495     WideOpenWest                   392
CH          479     Pavlov Media                   373
CZ          469     Spectrum                       365
MX          409     GO p.l.c.                      333
HU          300     Virgin Media                   331
Summary   36004                                  15733

Table 2: Statistics from Shodan

indicate Android devices, still, if this is not the case, old kernels may imply further exploitation.

4. The Kodi Use Case

In what follows, we study the use case of Kodi, mostly because of its large user base and its plethora of available plugins, legal and illegal ones. For instance, as reported in Google Play, there are more than 10 million installations of Kodi on Android devices, while there are specific Linux-based operating systems, like OSMC, OpenELEC and LibreELEC, which are built to facilitate Kodi’s installation on devices with low processing capabilities, like the Raspberry Pi. Nevertheless, many of the threats reported here apply as well to other systems used by thousands of users, such as Plex and Emby. The outline of the possible attacks described hereafter is illustrated in Figure 3. It should also be pointed out that, apart from lacking native security mechanisms, many installations of such systems are not always up to date with the latest patches, thus allowing an adversary to easily collect user information. For instance, CVE-2017-5982 allows an adversary to read arbitrary files from Kodi 17.1.


Figure 2: World map with cities which were reported with more than 50 users.

Figure 3: Overview of possible attacks.


4.1. Malicious remote

By default, Kodi and many of the aforementioned systems allow unauthorised connections through HTTP to assist users in controlling the device. If a device running Kodi is reachable within the LAN, the user can gain access through the web UI, named Chorus 2, by simply connecting to port 8080. The user can then control any playing media content by either adjusting the volume or changing the stream source and the content itself. This is achieved through the provided RESTful interface, which consumes unencrypted HTTP POST requests in JSON format. Apart from controlling the media content, all Kodi features can also be accessed and controlled through the web UI, thereby creating another attack vector for streaming applications and devices.

Currently, as there are countless users of smartphones and desktop computers, the corresponding markets host millions of apps, many of which, although they managed to bypass the corresponding security checks, have in fact been reported to be malicious. An important issue here is to understand that these checks refer to the security of the specific device which hosts the application and not to the security of other similar devices. Accordingly, millions of smart devices have been infected on a global scale and, in many cases, without the users’ knowledge. Depending on the goals of the malware, the infected device may not harm the user directly, but it can be used to attack other devices and applications [28]. This trend has recently been exploited in Android by the WireX botnet, where around 300 apps available in Google Play were used for DDoS using thousands of Android devices [29]. Compared to a desktop, the use of a compromised Android device provides the attacker with an additional advantage: mobility. Contrary to typical malware, which infects devices in the local network, in Android an adversary can penetrate more networks than he initially could, since these devices are carried around by the user.

Moreover, it is worth noting that the majority of the networks that such devices are expected to connect to are most likely insecure. Taking advantage of the above, and for the purposes of this study, we developed a simple Android application, named MARCO (MAlicious Remote COntrol), that acts as a malicious Kodi remote. MARCO is an app which works on every Android with API level 19 or greater and does not request any dangerous permission from the user [30], in order to maximize the chances of being installed. In principle, most users grant applications many dangerous permissions, as they do not seem to take Android permissions into heavy consideration. However, an app which does not request any dangerous permission, and hence does not alert users to any possible risk, is most likely to be installed. Still, although normal permissions imply, according to Google, the least possible risk for the user, they can actually be rather malicious [31, 32, 33, 28, 34]. Once MARCO is installed, it monitors the available IP address to determine whether it is located in a local network where a Kodi application is installed (IP address of the form 192.168.*.*). Since scanning for network identifiers requires the location permission (a dangerous permission in Android), MARCO starts sending web requests to all the available addresses (65533 IPs) to determine


whether a Chorus 2 web interface responds. This way, MARCO uses, instead of the dangerous location permission, the normal Internet permission, which is automatically granted by Android and cannot be revoked. Following the concept described in [28], we try to determine whether the Kodi device is unattended based on the status of the web interface, the device activity and the time-frame. If this is the case, then the attacker has two options: either to navigate to the home screen and enable SSH to send arbitrary commands, or to navigate to the home screen and install a malicious add-on, presuming that Kodi uses the default skin.

4.2. Malicious add-on

The Kodi community offers numerous extensions from repositories that are almost blindly trusted by users, who mostly value the provided functionality. The extensions are commonly written in Python, which supports a respective API that facilitates the whole process. As already mentioned, any add-on offering a certain service (e.g. movie streaming) could potentially execute malicious code while the user enjoys the service. The problem is well-known and most users are warned about the potential dangers of such actions. Yet, the add-ons are shared across many repositories with a “word of mouth” evaluation of what they offer. While add-ons in Kodi operate in userspace, it is relatively easy to escalate privileges within many Kodi installations, like OSMC, OpenELEC and LibreELEC, which install Kodi as part of a Linux bundle, or “smart TV” bundles that have Kodi installed on top of an Android device. This is because in the former case the devices use the default credentials, while in the latter the underlying Android version is usually rather old, e.g. KitKat or Lollipop, and vulnerable to many exploits in the wild. Even worse, in many cases Android operates in a “rooted” environment, providing malicious apps with a wider attack surface.
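The exposure behind Section 4.1 and the paragraph above is a web server that answers JSON-RPC on port 8080 with no password set. The following is an added example, my own code rather than the paper's or Kodi's, that audits the relevant entries of Kodi's guisettings.xml (kept in the userdata folder) and writes the hardened form. It assumes the Kodi 17 guisettings.xml layout and the setting ids services.webserver, services.webserverport, services.webserverusername and services.webserverpassword; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample reproducing what Section 4.1 describes: web server on,
# port 8080, a username but an empty password. The setting ids follow the
# Kodi 17 guisettings.xml layout (an assumption; verify against your version).
SAMPLE_GUISETTINGS = """<settings version="2">
    <setting id="services.webserver">true</setting>
    <setting id="services.webserverport">8080</setting>
    <setting id="services.webserverusername">kodi</setting>
    <setting id="services.webserverpassword" default="true"></setting>
</settings>"""


def _settings(root):
    """Map setting id -> text value ('' for empty elements such as an unset password)."""
    return {s.get("id"): (s.text or "").strip() for s in root.iter("setting")}


def audit_guisettings(xml_text):
    """Return (severity, message) findings about the built-in web server (JSON-RPC on port 8080)."""
    s = _settings(ET.fromstring(xml_text))
    findings = []
    if s.get("services.webserver", "false").lower() != "true":
        return findings  # remote service disabled: nothing listens on the web port
    port = s.get("services.webserverport", "")
    user = s.get("services.webserverusername", "")
    password = s.get("services.webserverpassword", "")
    if password == "":
        findings.append(("high", "web server on port %s accepts JSON-RPC commands "
                                 "without authentication" % port))
    elif password.lower() == user.lower():
        findings.append(("high", "web server password equals the username"))
    # Chorus speaks plain HTTP (no TLS), so even good credentials cross the network
    # in cleartext; the service should never be reachable from outside the LAN.
    findings.append(("info", "web server on port %s is unencrypted HTTP; keep it "
                             "LAN-only and firewalled from the WAN" % port))
    return findings


def harden_guisettings(xml_text, username, password, keep_enabled=True):
    """Return XML with credentials set, or with the web server switched off entirely."""
    if keep_enabled and not password:
        raise ValueError("refusing to write an empty web server password")
    root = ET.fromstring(xml_text)
    wanted = {
        "services.webserver": "true" if keep_enabled else "false",
        "services.webserverusername": username,
        "services.webserverpassword": password,
    }
    for s in root.iter("setting"):
        sid = s.get("id")
        if sid in wanted:
            s.text = wanted.pop(sid)
            s.attrib.pop("default", None)  # the value is no longer Kodi's default
    for sid, value in wanted.items():  # settings the file did not contain yet
        ET.SubElement(root, "setting", id=sid).text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for sev, msg in audit_guisettings(SAMPLE_GUISETTINGS):
        print(sev.upper(), msg)
    print(harden_guisettings(SAMPLE_GUISETTINGS, "kodi-admin", "a long unique passphrase"))
```

Run it against a copy of the device's guisettings.xml while Kodi is stopped, since Kodi rewrites the file on exit.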
To demonstrate this threat, we developed a simple backdoor add-on that we refer to as BAO (Backdoor Add-On). BAO targets OSMC, OpenELEC and LibreELEC devices that use the default credentials osmc/osmc, root/openelec and root/libreelec respectively. BAO simply displays some images of Baozi while working silently in the background. More specifically, it launches a reverse shell to the target machine by dynamically attaching the attack code, which it downloads from the Internet (2). This way, BAO manages to hide the malicious code from possible static analysis checks.

(2) Due to the anonymity of the review process, the code of BAO will become available once the paper is accepted.

4.3. Subtitles as a backdoor

Subtitles are a very common and widely used feature of media players. Most users consider subtitles as a simple text file containing two kinds of data: the time stamp indicating when the subtitle should be displayed and the subtitle


text itself. Nowadays, this simple format has been further extended to provide more advanced features such as colors and animations. Depending on the media player and the installed plugins, the media player may automatically download the subtitles, sync them and attach them to the displayed media content without any user interaction. Up to recently, subtitles were considered harmless; however, recent vulnerabilities like CVE-2017-8314, found in many media players (3), e.g. VLC, Kodi and PopcornTime, allow an adversary to remotely execute arbitrary code on the victim’s device. By tricking the media player into downloading an infected subtitle, more than 200 million users are exposed to malicious activities.

4.4. Backdoored movies

The disclosure of the Stagefright vulnerabilities in 2015 [35] had a big impact, not only because the vulnerability was very severe and affected millions of devices, but because it affected a domain that was considered secure until then. The group of Stagefright vulnerabilities showed that properly crafted media files could exploit the Android media framework (libstagefright) to compromise the device completely. The involved risks were further magnified due to the high fragmentation of the Android market. According to Google (4), at the time of writing almost 1% of the devices have the latest version of Android installed, while around 25% of the devices are exposed to the original vulnerabilities. Although there is a patch for devices running Android 5.1.1 and above, another Stagefright vulnerability (CVE-2017-0713) that affects devices running up to Android 7.1.2 has recently been disclosed (5). The above indicate that it is crucial for Android media players to be aligned with the latest versions of Android. While top notch devices, like those made by NVidia and Xiaomi, may receive the latest updates from Google, most Android Kodi boxes are sold with deprecated versions.

For instance, widely sold solutions like SkyStream, EZ Stream Ti8, gembox, Q-BOX, G-box, Minix Neo, and WeTek core and Play all ship with Android versions up to 5.1.1, leaving them exposed to this kind of vulnerabilities and without the chance of receiving any of the needed security patches in the near future, due to the heavy fragmentation of Android. In this regard, another attack vector for streaming apps like Kodi is introduced.

4.5. Forensics Evidence

By default, Kodi keeps track of almost all actions made in its environment. Although normally each add-on has a different database and a dedicated folder to store its data, the user data folder is of specific interest for locating the user’s history of illegal content streaming. Depending on the underlying OS, this directory can be located in different paths, as illustrated in Table 3.

(3) https://blog.checkpoint.com/2017/05/23/hacked-in-translation/
(4) https://developer.android.com/about/dashboards/index.html
(5) https://source.android.com/security/bulletin/2017-08-01


Figure 4: Kodi Database Schema 4.0a. Source: https://kodi.wiki/view/Database_Schema_4.0/a.


    OS                   Path
    Android              Android/data/org.xbmc.kodi/files/.kodi/userdata/
    iOS                  /private/var/mobile/Library/Preferences/Kodi/userdata/
    Linux                ~/.kodi/userdata/
    Mac                  ~/Library/Application Support/Kodi/userdata/
    LibreELEC/OpenELEC   /storage/.kodi/userdata/
    Windows              %APPDATA%\kodi\userdata

Table 3: Location of Kodi user data in different OS.

In principle, all the information that Kodi keeps is stored in SQLite in the aforementioned folders as separate db files. It should be noted here that even if some data are deleted from SQLite databases, there are possible ways to recover them [36, 37]. The generic schema of the Kodi database is illustrated in Figure 4. Based on this, one can easily extract valuable information when asked to investigate a Kodi box for copyright infringement. To this end, the involved information can be categorised as follows:

• Repositories: Kodi has a big supporting community which maintains several projects. In order not to overwhelm users with functionalities they do not need, Kodi comes with some baseline features that users can add to and/or remove whenever deemed necessary. Therefore, the official Kodi repository contains numerous plugins and add-ons to extend its functionality, all of which are legal. However, Kodi allows users to use additional repositories which provide them with access to even more plugins and add-ons.

• Addons: This category contains the list of add-ons installed by the user. For Kodi, there is a huge list of add-ons that extend its functionality and enable the streaming of multimedia content via aggregators. The role of the latter is to aggregate various stream sources so that users can easily locate the desired stream in terms of content and quality.

• Stream content: This category describes all the content (movies and audio) consumed by the device, and it represents the true evidence of the use of copyrighted material. Certainly, there are many copyleft streams available. However, each stream's name, links, watched duration, etc., can evidently help determine whether the content streamed by the device was unlawful.

In order to collect the installed add-ons, one can simply use the JSON-RPC interface that Kodi provides to execute the POST of Listing 1, which will return a JSON result in the form of Listing 2.
Within the user data directory there is a sub-directory named "Database" containing several SQLite databases. The number and the types of the files found under this sub-directory depend on the current Kodi version as well as any previously installed versions that may co-exist (https://kodi.wiki/view/Database_versions). As the name implies, the AddonsXX.db file found in that sub-directory contains additional information about the installed add-ons, and it also keeps track of all installed repositories (see Table 4). Similarly, one can perform the query depicted in Listing 3 to retrieve the list of streamed files. The results are in the form of Table 5 and allow an investigator to determine which file was streamed, the last time it was accessed and how many times it was streamed. Depending also on the installed add-ons, one can recover the original title as well as some hashes that could be used as further evidence.

    curl -H "Content-Type: application/json" -X POST \
      -d '{ "jsonrpc": "2.0", "method": "Addons.GetAddons", "id": "1"}' \
      http://192.168.1.2:8080/jsonrpc

Listing 1: A POST to retrieve installed Addons from Kodi.

    {
      "id": "1",
      "jsonrpc": "2.0",
      "result": {
        "addons": [
          { "addonid": "resource.language.ca_es", "type": "kodi.resource.language" },
          { "addonid": "repository.exodus", "type": "xbmc.addon.repository" },
          { "addonid": "resource.language.mt_mt", "type": "kodi.resource.language" },
          ...
        ]
      }
    }

Listing 2: A JSON result containing installed Addons.

    id    addonID               checksum   lastcheck            version
    201   repository.un*        123*       02/07/18 03:26 PM    2.0.0
    556   repository.s*         abc*       02/07/18 03:26 PM    1.1.0
    903   s*.all                321*       02/07/18 03:26 PM    1.7.09
    914   repository.e*         222*       02/07/18 03:26 PM    2.2.1
    967   repository.xbmc.org   333*       02/07/18 03:26 PM    9.9.9

Table 4: Obfuscated data from Addons27.db repo table.

    select files.idFile, path.strPath, files.strFilename fname,
           files.playCount, files.lastPlayed
    from files, path
    where path.idPath = files.idPath and files.playCount > 0;

Listing 3: A query for SQLite to retrieve watched streams.

While the aforementioned information is what is typically anticipated, a wealth of additional information can also be discovered under the Kodi temporary folder, e.g. ~/.kodi/temp on Linux-based systems. As a matter of fact, the issue of Kodi not properly cleaning its garbage is a well-known problem within its community. One of the most important files contained there is kodi.log which, along with previous log files, encloses a lot of information regarding the user's recent activity, e.g. information on add-on updates that the user might have later uninstalled, information about streams the user accessed, media that they used, and so forth. The excerpt from the Kodi log file in Listing 4 is indicative
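The two collection steps described above (the JSON-RPC add-on inventory of Listings 1 and 2, and the watched-streams query of Listing 3) as a single added example. This is not the paper's code: the column names are those Listing 3 uses and the add-on type strings are those shown in Listing 2, but the JSON reply, the SQLite rows and the decision that repository.xbmc.org is the only official repository are constructed assumptions for this example.

```python
"""Added example, not code from the paper: the two collection steps the
section describes, run against constructed sample data.

Step 1 parses an Addons.GetAddons reply shaped like Listing 2 and flags
third-party repositories.  Step 2 builds a throwaway SQLite database with
the `files` and `path` tables named in Listing 3 and runs that query.
Column names are those used in Listing 3; add-on type strings are those
shown in Listing 2.  All row values are constructed for this example.
"""
import json
import sqlite3

# Constructed reply in the shape of Listing 2 (ids are sample values).
SAMPLE_RPC_REPLY = json.dumps({
    "id": "1",
    "jsonrpc": "2.0",
    "result": {"addons": [
        {"addonid": "resource.language.ca_es", "type": "kodi.resource.language"},
        {"addonid": "repository.exodus", "type": "xbmc.addon.repository"},
        {"addonid": "repository.xbmc.org", "type": "xbmc.addon.repository"},
        {"addonid": "plugin.video.youtube", "type": "xbmc.python.pluginsource"},
    ]},
})

# repository.xbmc.org is the official repository listed in Table 4; every
# other repository id is treated as third party (assumption for this example).
OFFICIAL_REPOSITORIES = {"repository.xbmc.org"}


def build_getaddons_request(request_id="1"):
    """JSON body of the POST shown in Listing 1."""
    return json.dumps({"jsonrpc": "2.0", "method": "Addons.GetAddons",
                       "id": request_id})


def third_party_repositories(reply_text):
    """Repository add-ons in the reply that are not the official Kodi repo."""
    reply = json.loads(reply_text)
    addons = reply.get("result", {}).get("addons", [])
    return sorted(a["addonid"] for a in addons
                  if a.get("type") == "xbmc.addon.repository"
                  and a["addonid"] not in OFFICIAL_REPOSITORIES)


# The query of Listing 3, unchanged apart from whitespace.
LISTING_3_QUERY = """
    select files.idFile, path.strPath, files.strFilename fname,
           files.playCount, files.lastPlayed
    from files, path
    where path.idPath = files.idPath and files.playCount > 0
"""


def make_sample_movies_db():
    """In-memory stand-in for MoviesXX.db with only the columns Listing 3 reads."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table path(idPath integer primary key, strPath text);
        create table files(idFile integer primary key, idPath integer,
                           strFilename text, playCount integer, lastPlayed text);
    """)
    conn.executemany("insert into path values (?, ?)", [
        (1, "https://stream.example.invalid/hls/"),   # constructed
        (2, "/media/A06E-AAAA/"),                     # local path seen in Listing 4
    ])
    conn.executemany("insert into files values (?, ?, ?, ?, ?)", [
        (7, 1, "master.m3u8", 1, "2017-12-26 02:36:08"),
        (8, 2, "ripped-movie.mp4", 3, "2017-12-29 11:09:52"),
        (9, 2, "never-played.mkv", 0, None),   # playCount 0: must not be returned
    ])
    conn.commit()
    return conn


def watched_streams(conn):
    """Rows of Listing 3 as (idFile, strPath, fname, playCount, lastPlayed)."""
    rows = [tuple(r) for r in conn.execute(LISTING_3_QUERY)]
    return sorted(rows, key=lambda r: r[0])  # Listing 3 has no ORDER BY


if __name__ == "__main__":
    print("third-party repos:", third_party_repositories(SAMPLE_RPC_REPLY))
    for row in watched_streams(make_sample_movies_db()):
        print(row)
```

On a real box the reply comes from the HTTP POST of Listing 1 and the connection is opened on a copy of the MoviesXX.db file from the Database sub-directory of Table 3; only the two input sources change, the parsing and the query stay the same.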

    idFile   strPath                               fname            playCount   lastPlayed
    7        http://r6---sn-i*.googlevideo.com*    webm&upn=YGvr*   1           2017-12-29 11:08:38
    10       http://r6---sn-i*.googlevideo.com*    mp4&upn=YGv*     3           2017-12-29 11:09:52
    115      http://art1.ridemy*/swf/1333*         24*              1           2017-12-22 22:07:03
    122      https://cs*.vk.me/5/u327*/videos/     56955c*          2           2017-12-23 23:38:39
    128      https://s27.escdn.co/hls/,jg6*        master.m3u8*     1           2017-12-26 02:36:08

Table 5: Obfuscated data from watched content as recorded in Movies107.db.


    12:58:16.713 T:1387414272   ERROR: GetDirectory - Error getting
    12:58:26.725 T:1925818880   ERROR: Previous line repeats 6 times.
    12:58:26.725 T:1925818880  NOTICE: VideoPlayer: Opening: /media/A06E-AAAA/ripped-movie.mp4
    12:58:26.725 T:1925818880 WARNING: CDVDMessageQueue(player)::Put MSGQ_NOT_INITIALIZED
    12:58:26.726 T:1179644672  NOTICE: Creating InputStream
    12:58:26.730 T:1179644672  NOTICE: Creating Demuxer
    ...
    13:18:48.082 T:1925818880   ERROR: Playlist Player: skipping unplayable item: 0, path [plugin://plugin.video.youtube/play/?video_id=*]
    13:18:55.788 T:1171256064  NOTICE: [plugin.video.youtube] Running: YouTube (5.4.5) on Krypton (Kodi-17.6) with Python 2.7.13
    13:18:58.204 T:1925818880  NOTICE: VideoPlayer: Opening: https://r6---*

Listing 4: Excerpt from the Kodi log file.
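A parser for the kodi.log format of Listing 4, added here as an example rather than taken from the paper. It turns raw log lines into the events an investigator looks for (media opened, plugins run, items that failed to play) and keeps their order as a timeline. The sample input is the Listing 4 excerpt itself; the regular expressions, event names and helper functions are this example's own assumptions about the format and are only exercised on those lines.

```python
"""Added example, not code from the paper: a small parser for the Kodi log
lines shown in Listing 4.  The regular expressions below are written for
the line shape visible in that listing (time, thread id, level, message)
and are an assumption of this example, not a Kodi specification."""
import re

# The lines of Listing 4 (the paper's own excerpt), used as sample input.
SAMPLE_LOG = """\
12:58:16.713 T:1387414272 ERROR: GetDirectory - Error getting
12:58:26.725 T:1925818880 ERROR: Previous line repeats 6 times.
12:58:26.725 T:1925818880 NOTICE: VideoPlayer: Opening: /media/A06E-AAAA/ripped-movie.mp4
12:58:26.725 T:1925818880 WARNING: CDVDMessageQueue(player)::Put MSGQ_NOT_INITIALIZED
12:58:26.726 T:1179644672 NOTICE: Creating InputStream
12:58:26.730 T:1179644672 NOTICE: Creating Demuxer
13:18:48.082 T:1925818880 ERROR: Playlist Player: skipping unplayable item: 0, path [plugin://plugin.video.youtube/play/?video_id=*]
13:18:55.788 T:1171256064 NOTICE: [plugin.video.youtube] Running: YouTube (5.4.5) on Krypton (Kodi-17.6) with Python 2.7.13
13:18:58.204 T:1925818880 NOTICE: VideoPlayer: Opening: https://r6---*
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{3}) T:(?P<thread>\d+)\s+"
    r"(?P<level>[A-Z]+): (?P<msg>.*)$")
OPEN_RE = re.compile(r"^VideoPlayer: Opening: (?P<target>.+)$")
PLUGIN_RE = re.compile(r"^\[(?P<plugin>[\w.]+)\] Running: (?P<detail>.+)$")
UNPLAYABLE_RE = re.compile(r"skipping unplayable item: \d+, path \[(?P<target>.+)\]$")


def parse_kodi_log(text):
    """One dict per recognised line: time, thread, level, kind and target.

    kind is 'opened' (media the player started), 'plugin_run' (an add-on
    was executed), 'unplayable' (a playlist item Kodi refused) or 'other'.
    Lines that do not match the header shape are skipped, never guessed.
    """
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        ev = {"time": m["time"], "thread": m["thread"], "level": m["level"],
              "kind": "other", "target": msg}
        opened = OPEN_RE.match(msg)
        plugin = PLUGIN_RE.match(msg)
        unplayable = UNPLAYABLE_RE.search(msg)
        if opened:
            ev.update(kind="opened", target=opened["target"])
        elif plugin:
            ev.update(kind="plugin_run", target=plugin["plugin"])
        elif unplayable:
            ev.update(kind="unplayable", target=unplayable["target"])
        events.append(ev)
    return events


def opened_media(events):
    """Paths and URLs the video player opened, in log order."""
    return [e["target"] for e in events if e["kind"] == "opened"]


def plugins_run(events):
    """Add-on ids that were executed during the logged period."""
    return sorted({e["target"] for e in events if e["kind"] == "plugin_run"})


def unplayable_items(events):
    """(time, path) of playlist items Kodi skipped; the path still names the source."""
    return [(e["time"], e["target"]) for e in events if e["kind"] == "unplayable"]


def timeline(events):
    """(time, kind, target) for the evidentiary events only, in log order."""
    return [(e["time"], e["kind"], e["target"]) for e in events if e["kind"] != "other"]


if __name__ == "__main__":
    for entry in timeline(parse_kodi_log(SAMPLE_LOG)):
        print(*entry)
```

Rotated log files in the same temp folder (the previous log files the text mentions) can be fed through the same function and their timelines concatenated; the thread id is kept so that events of one playback session can be grouped when several streams overlap.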

of the information which is logged. On top of that, the folder contains many cached fileinfo files (.fi) that represent the recent user interaction with the installed plugins and add-ons. Additionally, many subtitle files can be found in the temporary folder, providing more evidence of what movies or series the user recently streamed. Finally, it is worthwhile to note that add-ons can further have independent log files to record additional information and, as such, keep valuable data for an investigation. This information may vary from subtitles to URLs of streamed content and from fanart to logs of user interaction, depending always on the specific add-on.

5. Solutions

Clearly, many of the aforementioned problems can be countered with proper configuration of the devices hosting such apps. Some of the countermeasures include, among others, adding new users and removing default credentials, as well as removing direct access to these devices from the Internet so that they cannot be reached directly by an adversary. Nevertheless, these actions cannot counteract the "compromised insider" attack described earlier under the malicious remote control in Section 4. The reason is that this attack scenario exploits a basic concept in all these applications: ease of use. The target audience of these apps is common users who simply wish to use a streaming device and who know little about security.

To secure these devices in an easy and transparent way, we argue that the current model of remotes which simply use HTTP can still be used for most of the functionality, apart from system access and system controls. This is due to the fact that there is a higher need for proper user authentication when accessing the latter. Considering that the use of credentials in such devices hinders their usability, we suggest using one-time passwords to securely authenticate the remote to the host device.

Since the remote control is expected to be a mobile device on which it is rather cumbersome to type text, we argue that a "visual" authentication may be more appropriate. To this end, we propose that users navigate with their remote to the settings, access to which should be locked, waiting for user authentication through a QR code which will contain a one-time password. This password can be used as a key for AES encryption in counter mode. As a message could not be decrypted without the proper key, each message would be authenticated only for the current session, thereby avoiding replay attacks. The use of counter mode, instead of e.g. CBC, facilitates the exchange of messages in this scenario, because the number of messages between the remote and the host device would be rather low, allowing the devices to easily withstand potential network errors, e.g. lost messages. In this case, the counter would be increased by a small amount in one of the devices, so the other could easily catch up by incrementing its counter. While the use of HTTPS could significantly improve the aforementioned procedure, the proposed approach bypasses problems that might stem from the use of certificates. For instance, in the HTTPS approach the host device would be expected to create a self-signed certificate which the remote control would have to install and trust, opening this way the door to man-in-the-middle attacks and UX constraints like notifications in Android about potential monitoring. The use of a visual one-time password like a QR code does not protect from shoulder surfing attacks; nevertheless, it is considered a more robust alternative than typical graphical passwords [38]. In terms of its usability it has been welcomed and widely used for authentication in popular services such as WhatsApp, mainly due to the minimal user interaction and knowledge requirements.
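The exchange proposed above, modelled as an added example (not the paper's code): the host issues the one-time password that would go into the QR code, the remote derives a session key from it, and each settings command carries a counter so that the host can catch up after lost messages while refusing replays. Two assumptions of this example go beyond the text. The paper specifies AES in counter mode; to stay within Python's standard library the keystream block is computed with HMAC-SHA256 over the counter, which is the same counter-mode construction with a different block function. And because a counter-mode keystream by itself does not detect modification of the ciphertext, a separate HMAC tag over counter and ciphertext is added, which is what actually lets the host reject a tampered or foreign message; the catch-up window MAX_SKIP and the key-derivation labels are likewise values chosen here.

```python
"""Added example, not code from the paper: a minimal model of the Section 5
proposal (QR-delivered one-time password, counter-mode session, counter
catch-up after lost messages, replay rejection).

Assumptions of this example: the paper's AES-CTR is replaced by the same
counter-mode construction with HMAC-SHA256 as the block function (standard
library only); a separate HMAC tag gives tamper detection that the
keystream alone would not; MAX_SKIP is a window chosen here.
"""
import hashlib
import hmac
import json
import secrets

MAX_SKIP = 8  # lost messages the host tolerates before refusing a counter (assumption)


def issue_otp():
    """Host side: the one-time password that would be rendered as the QR code."""
    return secrets.token_urlsafe(16)


def session_keys(otp):
    """Derive separate encryption and MAC keys from the scanned OTP."""
    enc = hashlib.sha256(b"remote-enc|" + otp.encode()).digest()
    mac = hashlib.sha256(b"remote-mac|" + otp.encode()).digest()
    return enc, mac


def keystream(enc_key, counter, length):
    """Counter-mode keystream: PRF(key, counter || block_index), concatenated."""
    out, block = b"", 0
    while len(out) < length:
        data = counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(enc_key, data, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Remote:
    """Mobile remote: encrypts each settings command under the next counter."""

    def __init__(self, otp):
        self.enc, self.mac = session_keys(otp)
        self.counter = 0

    def seal(self, command):
        plaintext = json.dumps(command).encode()
        ciphertext = xor(plaintext, keystream(self.enc, self.counter, len(plaintext)))
        tag = hmac.new(self.mac, self.counter.to_bytes(8, "big") + ciphertext,
                       hashlib.sha256).digest()
        msg = {"ctr": self.counter, "ct": ciphertext.hex(), "tag": tag.hex()}
        self.counter += 1  # a counter value is never reused under this session key
        return msg


class Host:
    """Streaming box: accepts a command only with a fresh, authenticated counter."""

    def __init__(self, otp):
        self.enc, self.mac = session_keys(otp)
        self.expected = 0

    def open(self, msg):
        ctr = msg["ctr"]
        # Counters below the next expected one are replays; counters beyond the
        # window cannot be explained by a few lost messages. Both are rejected.
        if not self.expected <= ctr < self.expected + MAX_SKIP:
            return None
        ciphertext = bytes.fromhex(msg["ct"])
        tag = hmac.new(self.mac, ctr.to_bytes(8, "big") + ciphertext,
                       hashlib.sha256).digest()
        if not hmac.compare_digest(tag, bytes.fromhex(msg["tag"])):
            return None  # tampered, or a remote paired with a different OTP
        plaintext = xor(ciphertext, keystream(self.enc, ctr, len(ciphertext)))
        self.expected = ctr + 1  # catch up past any messages lost in transit
        return json.loads(plaintext)


def demo():
    """One session: a command lost in transit is skipped, a replay is refused."""
    otp = issue_otp()
    remote, host = Remote(otp), Host(otp)
    first = remote.seal({"cmd": "open_settings"})
    lost = remote.seal({"cmd": "set", "key": "example_setting", "value": "1"})
    third = remote.seal({"cmd": "close_settings"})
    return [host.open(first), host.open(third), host.open(lost), host.open(first)]
```

The catch-up rule is the point of the counter: when the second command never arrives, the host still accepts the third because its counter is within MAX_SKIP of the expected one, and from then on the earlier counters are dead, so replaying a captured message returns nothing. A host paired with a different OTP fails the tag check rather than decrypting garbage, which is the behaviour a practitioner would want from the session binding the text describes.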
Apart from the fact that this method requires less user interaction, it is robust to errors, as users of mobile devices are more prone to make mistakes while typing. Moreover, the proposed use takes place within a rather constrained environment, most likely the user's house, in which the user can easily determine whether someone is trying to attack them. In addition, the authentication is only required when the user wants to access the device settings; therefore it is an action that has to be performed a limited number of times. Finally, since these systems are used by countless developers worldwide, we reason that it is high time for developers to start integrating more security measures such as permission levels on applications or automated patch management for Android devices. The latter is rather important, as Android is severely fragmented, with millions of devices not being able to receive critical OS updates.

6. Conclusions

This work highlighted the security and privacy issues that may arise from the usage of a widespread multimedia service, namely streaming. Users of such systems worldwide are exposed to numerous threats, ranging from annoying to very serious ones, all harmful. They may further expose other users and services to threats through their compromised machines. User experience and

lack of knowledge of systems' security are perhaps the most important factors in making these threats real. In this regard, we detailed both a number of streaming platforms exposed to security threats and a number of ISPs involved. Using the Kodi use case as a test bed for the purposes of this study, we examined four attack vectors, two of which are reported through this work by implementing two respective simulated apps. An initial analysis of our results has revealed that the number of exposed users of streaming services is in the range of tens of thousands. However, it is the authors' strong belief that this number will increase significantly by extending the described methods, e.g. incorporating brute force attacks. Additionally, we provided guidelines for digital forensics on devices using Kodi and we examined the type of information collected. Finally, we proposed a set of countermeasures and possible solutions to the described security issues.

Our future work is mainly aimed toward Android security and the security assessment of streaming applications. To this end, we are going to test Android-based streaming devices in terms of their security since, apart from the use of deprecated OS versions, there are quite often customized versions which may hinder security for the sake of applicability. Moreover, streaming apps have not yet received any in-depth security and privacy review, making this task a rather challenging issue. Currently, we are in the process of performing forensic analysis for other streaming platforms, beyond Kodi, and of examining their underlying firmware.

Acknowledgments

This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the projects OPERANDO (Grant Agreement no. 653704) and YAKSHA (Grant Agreement no. 780498) and is based upon work from COST Action CRYPTACUS, supported by COST (European Cooperation in Science and Technology). The authors would like to thank E. Politou and A. Chryssanthou for their valuable feedback.

References

[1] H. S. Dhillon, H. C. Huang, H. Viswanathan, Wide-area wireless communication challenges for the internet of things, IEEE Communications Magazine 55 (2) (2017) 168–174. doi:10.1109/MCOM.2017.1500269CM.
[2] S. Sicari, A. Rizzardi, L. A. Grieco, A. Coen-Porisini, Security, privacy and trust in internet of things: The road ahead, Computer Networks 76 (2015) 146–164. doi:10.1016/j.comnet.2014.11.008.


[3] Ernesto, The Windows app store is full of pirate streaming apps, https://torrentfreak.com/the-windows-app-store-is-full-of-pirate-streaming-apps-170820/ (2017).
[4] R. Johnson, N. Kiourtis, A. Stavrou, V. Sritapan, Analysis of content copyright infringement in mobile application markets, in: Electronic Crime Research (eCrime), 2015 APWG Symposium on, IEEE, 2015, pp. 1–10.
[5] H. Sudler, Effectiveness of anti-piracy technology: Finding appropriate solutions for evolving online piracy, Business Horizons 56 (2) (2013) 149–157.
[6] T. Lauinger, M. Szydlowski, K. Onarlioglu, G. Wondracek, E. Kirda, C. Kruegel, Clickonomics: Determining the effect of anti-piracy measures for one-click hosting, in: NDSS, 2013.
[7] B. Danaher, M. D. Smith, R. Telang, The effect of piracy website blocking on consumer behavior.
[8] I. Reimers, Can private copyright protection be effective? Evidence from book publishing, The Journal of Law and Economics 59 (2) (2016) 411–440.
[9] B. Danaher, M. D. Smith, R. Telang, Copyright enforcement in the digital age: Empirical evidence and policy implications, Communications of the ACM 60 (2) (2017) 68–75.
[10] M. Zimmer, "But the data is already public": On the ethics of research in Facebook, Ethics and Information Technology 12 (4) (2010) 313–325.
[11] R. Bodenheim, J. Butts, S. Dunlap, B. Mullins, Evaluation of the ability of the Shodan search engine to identify internet-facing industrial control devices, International Journal of Critical Infrastructure Protection 7 (2) (2014) 114–123.
[12] F. B. Balthasar Martin, Next-gen Mirai, in: DeepSec 2017, 2017.
[13] Y. Liu, Y. Guo, C. Liang, A survey on peer-to-peer video streaming systems, Peer-to-Peer Networking and Applications 1 (1) (2008) 18–28. doi:10.1007/s12083-007-0006-y.
[14] G. Gheorghe, R. L. Cigno, A. Montresor, Security and privacy issues in P2P streaming systems: A survey, Peer-to-Peer Networking and Applications 4 (2) (2011) 75–91. doi:10.1007/s12083-010-0070-6.
[15] M. Fischlin, F. Günther, G. A. Marson, K. G. Paterson, Data is a stream: Security of stream-based channels, in: Annual Cryptology Conference, Springer, 2015, pp. 545–564.
[16] Y. Liu, Y. Guo, C. Liang, A survey on peer-to-peer video streaming systems, Peer-to-Peer Networking and Applications 1 (1) (2008) 18–28.
[17] Ernesto, Tickbox must remove pirate streaming addons from sold devices, https://torrentfreak.com/tickbox-remove-pirate-streaming-addons-180214/ (2018).
[18] T. Furon, G. Doërr, Tracing pirated content on the internet: Unwinding Ariadne's thread, IEEE Security & Privacy 8 (5) (2010) 69–71.
[19] S. Lee, D. Choi, D. Won, S. Kim, Security analysis on commercial online music streaming service and countermeasures, in: Proceedings of the 4th International Conference on Ubiquitous Information Management and Communication, ACM, 2010, p. 59.
[20] M. Niemietz, J. Somorovsky, C. Mainka, J. Schwenk, Not so smart: On smart TV apps, in: Secure Internet of Things (SIoT), 2015 International Workshop on, IEEE, 2015, pp. 72–81.
[21] Z. Durumeric, E. Wustrow, J. A. Halderman, ZMap: Fast internet-wide scanning and its security applications, in: USENIX Security Symposium, Vol. 8, 2013, pp. 47–53.
[22] J. C. Matherly, Shodan the computer search engine, available online: http://www.shodanhq.com/help.
[23] ZoomEye, https://www.zoomeye.org/ (2017).
[24] Z. Durumeric, D. Adrian, A. Mirian, M. Bailey, J. A. Halderman, A search engine backed by Internet-wide scanning, in: Proceedings of the 22nd ACM Conference on Computer and Communications Security, 2015.
[25] D. Goodin, One of 1st-known Android DDoS malware infects phones in 100 countries, https://arstechnica.com/information-technology/2017/08/first-known-android-ddos-malware-infects-phones-in-100-countries/ (2017).
[26] M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric, J. A. Halderman, L. Invernizzi, M. Kallitsis, et al., Understanding the Mirai botnet, in: USENIX Security Symposium, 2017.
[27] S. Maheshwari, That game on your phone may be tracking what you're watching on TV, https://www.nytimes.com/2017/12/28/business/media/alphonso-app-tracking.html (2017).
[28] E. Alepis, C. Patsakis, Monkey says, monkey does: Security and privacy on voice assistants, IEEE Access.
[29] J. Cochran, The WireX botnet: How industry collaboration disrupted a DDoS attack, https://blog.cloudflare.com/the-wirex-botnet/ (2017).
[30] E. Alepis, C. Patsakis, Hey Doc, Is This Normal?: Exploring Android Permissions in the Post Marshmallow Era, Springer International Publishing, Cham, 2017, pp. 53–73.
[31] O. Peles, R. Hay, One class to rule them all: 0-day deserialization vulnerabilities in Android, in: 9th USENIX Workshop on Offensive Technologies (WOOT 15), USENIX Association.
[32] S. M. Kywe, Y. Li, K. Petal, M. Grace, Attacking Android smartphone systems without permissions, in: Privacy, Security and Trust (PST), 2016 14th Annual Conference on, IEEE, 2016, pp. 147–156.
[33] E. Alepis, C. Patsakis, Trapped by the UI: The Android case, in: International Symposium on Research in Attacks, Intrusions, and Defenses, Springer, 2017, pp. 334–354.
[34] E. Alepis, C. Patsakis, There's Wally! Location tracking in Android without permissions, in: Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, INSTICC, SciTePress, 2017, pp. 278–284. doi:10.5220/0006125502780284.
[35] J. Drake, Stagefright: Scary code in the heart of Android, BlackHat USA.
[36] S. Jeon, J. Bang, K. Byun, S. Lee, A recovery method of deleted record for SQLite database, Personal and Ubiquitous Computing 16 (6) (2012) 707–715.
[37] B. Wu, M. Xu, H. Zhang, J. Xu, Y. Ren, N. Zheng, A recovery approach for SQLite history recorders from YAFFS2, in: Information and Communication Technology-EurAsia Conference, Springer, 2013, pp. 295–299.
[38] K. Renaud, A. De Angeli, Visual passwords: Cure-all or snake-oil?, Communications of the ACM 52 (12) (2009) 135–140.
