Hacked by Subtitles

Check Point researchers published a warning on the company blog about a vulnerability affecting several video players. They found that VLC, Kodi (XBMC), Popcorn-Time and strem.io are all vulnerable to attack via malicious subtitle files. By carefully crafting a subtitle file, they claim to have managed to take complete control over any type of device running the affected players when the player loads a video and its subtitles.

According to the researchers, things look pretty grim:

"We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years. (…) Each of the media players found to be vulnerable to date has millions of users, and we believe other media players could be vulnerable to similar attacks as well."

One of the reasons you might want to make sure your software is up to date is that some media players download subtitles automatically from several shared online repositories. An attacker, as the researchers proved, could manipulate the website's ranking algorithm. That would not only entice more unsuspecting users to manually download his subtitles, but would also guarantee that his crafted malicious subtitles are the ones automatically downloaded by the media players.

No additional details have been disclosed yet about how each video player is affected, although the researchers did share the details with each of the software developers so they can tackle the issue. They reported that some of the problems are already fixed in the players' current versions, while others are still being investigated. It might be a good idea to watch carefully and update your system before the details come out.

Meanwhile, we can look at the trailer:


Turning a phone into a media center remote


[Kees] wanted a remote for an XBMC audio system. He had a classic T65 Dutch telephone in one of his project boxes and thought that, with this phone and the addition of a Raspberry Pi, he could have a functional media remote with classic lines and 70s styling.

Each of the digits on the phone was wired up to a small solderless breadboard. With a handful of resistors, [Kees] set up a simple pull up/pull down circuit feeding into his Raspi's GPIO input.

With a short Python script, [Kees] managed to map the buttons to XBMC's play/pause, volume up/down, next, and previous commands. There were a few buttons left over, so those were mapped to online radio stations, playlists, and a strange setting known only as 'moo'. We're not sure what that button does, but you can see the other functions of this XBMC phone remote in action in the video below.
