Viruses could be hidden in online video subtitles and used to hijack viewers’ computers, security experts have warned.
The security risk, spotted by cyber security firm Check Point, has been found to affect the VLC, Kodi, Popcorn Time and Stremio online media players. However, the researchers say it could affect other players, too.
If downloaded, malicious subtitles could be used to take control of a range of devices, including smartphones and smart TVs, meaning the flaw has the potential to affect up to 200 million users, Check Point added.
Once hackers have control of a device, they can install ransomware or steal sensitive information, including bank details and passwords.
“We have discovered malicious subtitles could be created and delivered to millions of devices automatically, bypassing security software and giving the attacker full control of the infected device and the data it holds,” said Omri Herscovici, vulnerability research team leader at Check Point.
Subtitles for film and TV programmes are created by a wide range of freelance writers and uploaded to shared online holding pens where they’re indexed and ranked. The Check Point researchers showed that hackers can manipulate these repositories’ ranking algorithms so that malicious subtitles are automatically downloaded by the media players.
“The supply chain for subtitles is complex, with more than 25 different subtitle formats in use, all with unique features and capabilities. This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers,” explained Herscovici.
Check Point reported the flaw to the four streaming companies before going public, and all four of the services have since released software updates to protect viewers.
“To protect themselves and minimise the risk of possible attacks, users should ensure they update their streaming players to the latest versions,” advises Herscovici.
The firm has been careful not to release too many details on exactly how the malicious subtitles are able to hijack devices.
In February, five people were arrested in connection with the sale and distribution of illegal Kodi set-top boxes in the North West of England and Wales.
While Kodi boxes are legal, software can be loaded onto them to offer unlicensed, illegal streams of premium TV channels. According to intellectual property crime organisation FACT, which worked on the case, those arrested made £250,000 from selling the boxes online.