I Know What You Streamed Last Night: on the Security and Privacy of Streaming

Home , DVBViewer, Emby, GeeXboX, LibreELEC, Media server, MythTV

Digital Investigation xxx (2018) 1e12

Contents lists available at ScienceDirect

Digital Investigation

journal homepage: www.elsevier.com/locate/diin

DFRWS 2018 Europe d Proceedings of the Fifth Annual DFRWS Europe I know what you streamed last night: On the security and privacy of streaming

* Alexios Nikas a, Efthimios Alepis b, Constantinos Patsakis b, a University College London, Gower Street, WC1E 6BT, London, UK b Department of Informatics, University of Piraeus, 80 Karaoli & Dimitriou Str, 18534 Piraeus, Greece article info abstract

Article history: Streaming media are currently conquering traditional multimedia by means of services like Netflix, Received 3 January 2018 Amazon Prime and Hulu which provide to millions of users worldwide with paid subscriptions in order Received in revised form to watch the desired content on-demand. Simultaneously, numerous applications and services infringing 15 February 2018 this content by sharing it for free have emerged. The latter has given ground to a new market based on Accepted 12 March 2018 illegal downloads which monetizes from ads and custom hardware, often aggregating peers to maximize Available online xxx multimedia content sharing. Regardless of the ethical and legal issues involved, the users of such streaming services are millions and they are severely exposed to various threats, mainly due to poor Keywords: fi Security hardware and software con gurations. Recent attacks have also shown that they may, in turn, endanger Privacy others as well. This work details these threats and presents new attacks on these systems as well as Streaming forensic evidence that can be collected in specific cases. Malware © 2018 Elsevier Ltd. All rights reserved. IoT

Introduction or TV, and are shifting towards their corresponding on-line peers. The most important factor attracting people towards this turn is the The deployment of Internet of Things (IoT) devices and services fact that they can choose the content they want at the time they is accelerating and most major mobile network operators consider want it. This incentive is rather significant since, up to recently, Machine-To-Machine (M2M) communication networks as a sig- traditional media due to their nature could not serve content on nificant source of new revenue (Dhillon et al., 2017). However, demand. whilst IoT is characterized by heterogeneous technologies that Focusing on multimedia, primarily the discussion points to- concur to the provisioning of innovative services in various appli- wards sports and entertainment. Film studios and subscription TV cation domains, meeting respective security and privacy re- providers are following this trend by shifting their services to on- quirements in these domains becomes increasingly important demand content delivery, streaming content to the corresponding (Sicari et al., 2015). In the light of the radical changes occurred in subscribers for a predefined cost. However, since the focus is on the telecommunication industry over the last decade, a series of digital content which replicates rather easily, people are allowed to novel services and applications have been enabled. For instance, share content with others who are not authorised to. In fact, the increase in the available data bandwidth allowed for the unauthorised multimedia content sharing has become an sharing and consuming of multimedia content from almost all our increasing online illegal trend. For instance, recently many mobile devices, utilizing local and remote network settings. Foreseeing this apps that illegally stream famous movies and TV series are uploa- shift, service providers have correspondingly redesigned their ded in mobile app stores (Ernesto, 2017; Johnson et al., 2015). Yet, service and content delivery mechanisms. This evolution is so the effectiveness of current measures to counter pirated content is disruptive that has totally changed the media market as people are not apparent (Sudler, 2013; Lauinger et al., 2013; Danaher et al., continuously leaving traditional media, whether this is newspapers 2015, 2017; Reimers, 2016). In spite of the ethical and legal aspects of these user actions, this work studies the security and privacy implications of working with this kind of apps and devices, as the amount of users who use such * Corresponding author. E-mail addresses: [email protected] (A. Nikas), [email protected] solutions are in the scale of millions. After a thorough investigation (E. Alepis), [email protected] (C. Patsakis). into the related scientific literature we have come up with the https://doi.org/10.1016/j.diin.2018.03.004 1742-2876/© 2018 Elsevier Ltd. All rights reserved.

Please cite this article in press as: Nikas, A., et al., I know what you streamed last night: On the security and privacy of streaming, Digital Investigation (2018), https://doi.org/10.1016/j.diin.2018.03.004 2 A. Nikas et al. / Digital Investigation xxx (2018) 1e12 conclusion that this is the first work to study these applications as far as the security aspects of this domain are concerned. Indeed, under this perspective. Namely, through our conducted experi- Gheorghe et al. (2011) state that regarding P2P streaming appli- ments we have successfully identified more than 100,000 users cations there are neither best practices in system design, nor widely worldwide who are using similar services and apps while they are accepted attack models, nor measurement based studies on secu- having their devices directly connected to the Internet with poorly rity threats to P2P streaming, nor even general surveys investi- configured security settings, e.g. using default user names and gating specific security aspects of these systems. passwords. This inevitably exposes them to numerous security and Fischlin et al. approach the security of channels designed to privacy threats which are thoroughly analysed hereafter. Going a securely convey a stream of data from one party to another by step further from the personal security and privacy issues, our re- narrowing the gap between real-world transport layer security sults also indicate that the number of the devices that could be used protocols (Fischlin et al., 2015). Their approach sheds light, in a for campaigns such as the recent Ukraine power grid cyberattacks formal way, on recent attacks, in particular concerning the use of or as bots for the next Mirai is beyond any measure, and even HTTP over TLS, confirming a disjunction between applications’ worse, the methods to penetrate thousands of them already exist. expectations on the one hand and the guarantees that secure streaming channels provide on the other. They conclude by high- Ethical considerations lighting the need for detailed API specifications and security guarantees for such protocols. For more on streaming systems one may While all the information used throughout this work has been refer to (Liu et al., 2008). erroneously made public, mainly due to misconfigurations or to the The prevailing shift towards streaming pirated content is data owner's lack of knowledge, we deliberately refrain from prominently depicted in the recent survey of YouGov1 which identifying the users and we opted not to collect personal data highlights that approximately 5 million people in Britain are using apart from those necessary for the production of statistics and pirated streaming services while this number is expected to be screenshots so as to illustrate the problem's magnitude. Despite increased in the near future by more than 2.5 million. On top of the “public” nature of these data, we follow Zimmer's approach that, companies have been reported to ship Kodi boxes with pirate (Zimmer, 2010): streaming addons preinstalled (Ernesto, 2018). In spite of that, the task of identifying the pirated content, especially when users “this logic of “but the data is already public” is an all-too-familiar collude, is not trivial (Furon and Doerr,€ 2010) and the effectiveness refrain used to gloss over thorny ethical concerns”. of current measures is questionable (Sudler, 2013; Lauinger et al., 2013; Danaher et al., 2015, 2017; Reimers, 2016). During our experiments we did not penetrate any of the users’ Lee et al. (2010) illustrate attacks on commercial on-line devices since we attempted to confirm our claims by performing no music streaming services that lead to a copyright infringement more actions than those absolutely necessary. Similar approaches and they propose countermeasures for on-line commercial music have already been taken in the literature e.g. (Bodenheim et al., streaming services. In particular, they analyse three vulnerabil- 2014; Balthasar Martin, 2017). ities for respective portal sites and present the actual attack scenario and processes. Finally, they conclude their work by Structure of this work suggesting music streaming service countermeasures for the discussed vulnerabilities. The rest of this work is organised as follows. In the next section Niemietz et al. (2015) investigate attack models for Smart-TVs we review the related work. Then, in Section Target applications and their apps while they focus on analysing the security of and services we discuss potential target applications and services Smart-TV devices. They examine off-the-self TVs from major ven- and provide some usage statistics. In Section The Kodi use case we dors and report vulnerabilities including, among others, unen- focus on the specific use case of Kodi, an app used by millions of crypted traffic in popular apps, poor implementation of TLS and users, for which two malicious applications were implemented to stealing of device data and credentials. simulate two of the most serious attacks. Apart from discussing Tools like ZMap (Durumeric et al., 2013), which enable fast further threats exposed by similar services, we also present fo- scanning of the whole Internet to identify individual machines, rensics methods which are targeted towards the Kodi platform, when integrated into search engines they can give rise to powerful allowing an investigator to efficiently collect relevant information technologies such as Shodan (Matherly, 2009), the most well- from respective devices. Furthermore, in Section Solutions we known search engine for Internet-connected devices. As a matter outline measures that could improve the security of such applica- of fact, using Shodan researchers have managed to identify thou- tions and the article concludes in Section Conclusions where our sands of vulnerable devices (Bodenheim et al., 2014) that could be findings are analysed and discussed. trivially exploited due to their poor configuration, the usage of default credentials, etc. Related work Target applications and services IoT has penetrated our daily lives and businesses as the number of IoT devices in use have surpassed the number of smartphones, During our research we studied an extensive number of plat- tablets and PCs combined. Consequently, streaming applications forms in order to provide a more holistic overview of the current over Peer-To-Peer (P2P) systems, as an inextricable part of the IoT, landscape. Since the content of services such as Netflix and Hulu is have gained an enormous popularity too. To this end, Liu et al. considered legitimate, our study targeted on platforms that are (2008) provide a survey on the existing P2P solutions for live and known to host illegal content. Apparently, not all of these platforms on-demand video streaming. Their work illustrates representative are illegal as they primarily serve many legitimate services neces- P2P streaming systems, including tree, multi-tree and mesh based sary to several applications. Nonetheless, there is the risk of systems. They also describe the challenges and solutions of providing live as well as on-demand video streaming in P2P envi- fi ronments. Nevertheless, it seems that both the scienti c literature 1 https://yougov.co.uk/news/2017/04/20/almost-five-million-britons-use-illegal- and the available software solutions have not yet reached maturity tv-streami/.

Please cite this article in press as: Nikas, A., et al., I know what you streamed last night: On the security and privacy of streaming, Digital Investigation (2018), https://doi.org/10.1016/j.diin.2018.03.004 A. Nikas et al. / Digital Investigation xxx (2018) 1e12 3 applying extensions to those platforms allowing people to stream Roku is a TV streaming service used in devices that connect to a unauthorised content or allowing for an adversary to monitor their TV. A Roku streaming device gets data (the video stream) via a usage and even execute arbitrary code remotely. In this context, we wired or Wi-Fi connection to an Internet router. The device can have studied the following systems: be connected to any television set or other video display device with appropriate input connections. Kodi is a media player with great extensibility. Users can watch Kathrein is a company manufacturing hardware components for movies, browse photos or listen to music regardless of whether broadcasting and similar services. It is the world's oldest and the content is stored locally or remotely. Developers are able to largest antenna manufacturer. develop add-ons for Kodi to provide various services ranging Vuþ is a company that makes TV boxes used for streaming. The from weather information to multimedia streaming. While add- company produces a series of Linux-powered DVB satellite, ons can be considered independent applications, they are often terrestrial digital television receivers.“Open Black Hole” is an shipped with other software in the form of an OS, like OSMC, open source project for making unofficial third-party OpenPLi OpenELEC and LibreELEC, so as to facilitate installation in small based images for newer Vu þ set-top boxes. devices such as the Raspberry Pi. MediaTomb is an open source media server with a web interface. MediaTomb allows users to stream their digital multimedia Add-ons could be potentially threatening users' privacy as they content through their home network and to listen to or watch it may run malicious code in parallel with the underlying service. on a variety of UPnP compatible devices. The platform imple- Therefore, Kodi's built-in remote service is by default disabled. Still, ments the UPnP MediaServer V 1.0 specification that can be in many installations, like OSMC, OpenELEC, and LibreELEC, it is found on http://www.upnp.org/. open by default in port 8080. The Kodi Webserver, namely Chorus, Emby is a media server with a web interface (MB3) designed to is based on libmicrohttp, it does not use any encryption and its organize, play, and stream audio and video to a variety of de- default setting is without any authentication, thereby allowing vices. Emby uses a client-server model and it is considered as an users to send “raw” commands to the device. Hence, anyone with open-source software solution with a small number of closed- access over LAN (or even WAN) could send commands to Kodi and source components as of August 2017. Emby Server and clients even take full control of the app/device. have been developed for a variety of OSs such as Windows, Linux, OS X and FreeBSD. Its mobile clients have been developed Cuberevo is a multimedia streaming service running on linux for Android, iOS, and Windows Phone. OS. CCcam server can be considered as a cardsharing server where It must be highlighted that while there are systems adver- “sharing” is interpreted as the accessing of digital packages tised and sold from third parties on the Internet with custom- when connecting to a CCcam server via the Internet. Perhaps the ized versions of the aforementioned software products most basic function of this server is to transfer the encrypted preinstalled in order to stream illegal content, there are also channel codes over a network to the IoT devices connected to other cases where users are encouraged, as reported in a number that server. The purpose of this product is to provide a multi- of forums, to install and execute third party code and firmware media streaming service, mostly found in IPTV's. to access copyrighted streaming content. As already stated, Newcamd is also a cardsharing server very similar to CCcam, yet analysing the ethicality of this trend is beyond the scope of this they use different protocols. work. Nonetheless, in the context of our work it should be re- OpenViX is a community based open source project focused on ported that thousands of users are installing devices in their developing user friendly and easy to use Linux Enigma 2 set top premises that allows arbitrary code from unknown sources to be box software. OpenViX offers TV streaming services along with executed with little control and auditing from the corresponding relevant information. communities. Woosh is a live streaming service that can be embedded in To quantify the extent of usage of these systems we selected websites and is widely used by radio stations. three popular search engines for Internet-connected devices, OpenPLi is a community project for developing open source namely Shodan, ZoomEye (2017) and Censys (Durumeric et al., linux dvb receivers using the linux operating system and the 2015). One could expect that devices using the above listed soft- Enigma 2 application. ware are not, or more precisely should not be, unrestrictedly and OpenWebIf is an open source web interface for multimedia directly connected to the Internet. Yet, thousands of them can be streaming. The OpenWebIf action allows users to send messages discovered by running simple queries. Table 1 summarizes the re- to enigma2-based Linux satellite receivers having the Open- sults of these queries for each system. Combining these results by WebIf plugin installed. taking the max of each row, more than 120 thousands unique de- TOPFIELD is a consumer electronics manufacturer making vices were identified. broadcasting receivers and other video and audio related apparatus. Their main business is the making of products such User exposure as set top boxes (STBs) and personal video recorders (PVRs) used with satellite or digital television. A Topfield Application Pro- In view of the fact that the discovered systems should not be gram (TAP) is a software application which extends the standard directly connected to the Internet, as already discussed, our results functionality of the Topfield products and it is designed basically are similar to those found in (Bodenheim et al., 2014). Most of these for digital TVs. Examples of TAPs are electronic programme systems are not designed to provide any security mechanism by guides, digital photo viewers and MP3 players. default, and even when they have one, users tend to use default Coolstream is a company that makes audio streaming devices. It credentials making the systems easy to be monitored or controlled. provides a variety of streaming solutions, such as the “CoolStream The highlighted rows in Table 1 indicate systems which could be Bluetooth” receiver, an inexpensive solution for streaming music remotely controlled, either via direct access or via default creden- from users' phones to iPhone/iPod docking stations or to car tials, whereas Fig. 1 depicts some screenshots of this kind of stereos. streaming systems.

Table 1 inferred in real time, thereby compromising his privacy. It is Usage statistics. worthwhile to note that many ad networks are currently using Shodan ZoomEye Censys many rogue ways to collect such personal information (Maheshwari, 2017). Kodi 2543 2078 2441 CubeRevo 29 306 32 CCcam 273 3341 568 Furthermore, using the Shodan API we were able to draw some Newcamd 4 180 67 additional statistics. In each query we kept the top 20 results in OpenViX 137 1494 2952 terms of operating system, country, city and ISP of the host device. WOOSH 15 53 69 OpenPLi 2655 7270 6033 The aggregated results for cities and ISPs are shown in Table 2, OpenWebIF 8816 30,551 8769 while Fig. 2 illustrates a map with cities having more than 50 users. Enigma 2 4140 16,463 2336 The statistics for the underlying operating system were rather poor TOPFIELD 31 1380 208 as not all queries were successful. Nevertheless, as far as the COOLSTREAM 326 4179 294 collected results indicate, the prevailing OS are *nix based ma- ROKU 12,574 12,294 25,576 KATHREIN 260 1300 172 chines, attributed probably to the fact that Linux based distribu- VUþ 1738 21,241 1145 tions can be installed in many low-end devices. Interestingly MediaTomb 1317 2563 84 though, Shodan reported only Linux machines with old kernels, Emby 744 796 528 mostly 2.6.x and all the others 3.x. Although the latter may indicate DVBViewer Media Server 57 376 28 Tvheadend 5749 4578 84 Android devices, still, if this is not the case, old kernels may imply MythTV 177 1249 413 further exploitation. jriver 34 258 54 nextpvr 6 56 16 The Kodi use case geexbox 2 5 13 Sum 41,637 112,011 51,882 Max sumv 128,411 In what follows, we study the use case of Kodi, mostly because of its large user base and its plethora of available plugins, legal and illegal ones. For instance, as reported in Google Play, there are more than 10 million installations of Kodi in Android devices while there While the case of Kodi will be analysed in the following section, are specific linux-based operating systems, like OSMC, OpenELEC there are also other systems putting users at great risk. For instance, and LibreELEC, which are built to facilitate Kodi's installation in there are many machines using MediaTomb with either no cre- devices with low processing capabilities, like the Raspberry Pi. dentials or with the default ones. Notably, many of these share Nevertheless, many of the reported threats here apply to other copyrighted material (see Fig. 1b) and allow an adversary to control systems as well used by thousands of users, such as Plex and Emby. the system remotely. In the case of Enigma2, although most ma- The outline of possible attacks described hereafter is illustrated in chines require authentication, the use of the default credentials Fig. 3. It should be also pointed out that, apart from lacking native exposes many such systems. Having logged in, the adversary has security mechanisms, many installations of such systems are not full control of the system (see Fig. 1c) and thereby can see and even always up to date with the latest patches allowing thus an adver- manipulate via the web remote the content the user watches sary to easily collect user information. For instance, CVE-2017-5982 (Fig. 1d). In other interfaces such as Kathrein and OpenWebIf (see allows an adversary to read arbitrary files from Kodi 17.1. Fig. 1e and f respectively) one can see the user preferences, watch user recordings, or further manipulate user settings. Malicious remote We consider that a brute force attack for the rest of the systems would recover even more exposed machines as e.g. the combina- By default, Kodi and many of the aforementioned systems allow tions of strings like root, dreambox, “”, and vuplus are reportedly unauthorised connections through HTTP to assist users in con- used by default in many of those. Furthermore, since many users trolling the device. If a device running Kodi is reachable within the tend to use rather insecure passwords, the use of a wordlist could LAN, the user can gain access through the web UI, named Chorus 2, reveal far more machines. However, we deem this step to be by simply connecting to port 8080. The user can then control any beyond the scope of this work, as our research objective is to playing media content by either adjusting the volume or changing highlight the user threats and not to break into every available open the stream source and the content itself. This is achieved through and misconfigured system. Essentially, our work underlines that the provided RESTful interface which consumes unencrypted HTTP users are exposed to the following threats: Post requests in JSON format. Apart from controlling the media content, all Kodi features can be also accessed and controlled Security issues targeted to users. Such issues can vary from through the web UI, thereby creating another attack vector for annoying, e.g. remotely shutting down the device or changing streaming applications and devices. recordings and programs, to remote arbitrary code execution Currently, as there are countless users of smartphones and (more is to be discussed in the following section). desktop computers, the corresponding markets host millions of Security issues targeted to third parties. Compromised user apps many of which, although they had managed to bypass the machines can be used for a number of malicious acts, such as corresponding security checks, they have been in fact reported to Distributed Denial of Services attacks. These attacks are be malicious. An important issue here is to understand that these becoming very popular in the IoT era with smartphones having checks refer to the security of the specific device which host the already been compromised by such acts (Goodin, 2017). The application and not to the security of other similar devices. recent cyber attacks in Ukraine, as well as the Mirai malware Accordingly, millions of smart devices have been infected in global incident (Antonakakis et al., 2017), has firmly stressed that scale and, in many cases, without users’ knowledge. Depending on vulnerable devices with direct Internet access may cause huge the goals of the malware, the infected device may not harm the user security issues. directly but it can be used to attack other devices and applications User profiling. The preferences of the user as well as their (Alepis and Patsakis, 2017a). This trend has recently been exploited sleeping and working patterns or his family status can be easily in Android by the WireX botnet where around 300 apps available in

Fig. 1. Screenshots of remotely controlled machines.

Google Play were used for DDoS using thousands of Android de- it is worth noting that the majority of the networks that such devices vices (Cochran, 2017). are expected to be connected to are most likely insecure. Compared to a desktop, the use of a compromised Android device Taking advantage of the above and for the purposes of this study provides the attacker with an additional advantage: mobility. Con- we developed a simple Android application, named MARCO (MA- trary to typical malware which infects devices in the local network, licious Remote COntrol), that acts as a malicious Kodi remote. in Android an adversary can penetrate more networks than he MARCO is an app which works on every Android with API level 19 initially could, since these devices are ported by the user. Moreover, or greater and does not request any dangerous permission from the

Table 2 unattended based on the status of the web interface, the device Statistics from Shodan. activity and the time-frame. If this is the case, then the attacker has Country Users ISP Users two options. Either to navigate to the home screen and to enable

US 12,406 Deutsche Telekom AG 4333 SSH to send arbitrary commands, or to navigate to the home screen DE 8498 Time Warner Cable 1605 and to install a malicious add on, presuming that Kodi uses the KR 2082 Comcast Cable 1173 default skin. ES 1524 Korea Telecom 929 GB 1438 Vodafone DSL 754 PL 1056 AT&T U-verse 717 Malicious add-on IT 1029 Vodafone Kabel Deutschland 584 AT 1024 O2 Deutschland 556 SE 855 Lg Powercomm 548 The Kodi community offers numerous extensions from re- MT 759 SIA Lattelecom 503 positories that are almost blindly trusted by users who mostly value NL 749 Telecom Italia 476 the provided functionality. The extensions are commonly written in FR 745 SK Broadband 472 Python which supports a respective API that facilitates the whole CA 573 Telefonica de Espana 462 LV 571 Telekom Austria 419 process. As already mentioned, any add-on offering a certain ser- JP 543 Melita plc 408 vice (e.g. movie streaming) could potentially execute malicious PT 495 WideOpenWest 392 code while the user enjoys the service. The problem is well-known CH 479 Pavlov Media 373 and most users are warned about potential dangers of such actions. CZ 469 Spectrum 365 Yet, the add-ons are shared across many repositories with a “word MX 409 GO p.l.c. 333 ” HU 300 Virgin Media 331 of mouth evaluation of what they offer. Summary 36,004 15,733 While add-ons in Kodi operate in the userspace, it is relatively easy to escalate the permissions within multiple Kodi installations,

Fig. 2. World map with cities which were reported with more than 50 users.

user (Alepis and Patsakis, 2017b) in order to maximize the chances like OSMC, OpenELEC and LibreELEC that install Kodi as part of a of being installed. In principle, most users grant applications many Linux bundle, or “smart TV” bundles that have Kodi installed on top dangerous permissions as they do not seem to take Android per- of an Android device. This is because in the former case the devices missions into heavy consideration. However, an app which does not use the default credentials, while in the latter the underlying request any dangerous permission, and hence it does not alert users Android version is usually rather old, e.g. KitKat or Lollipop, of any possible risk, it is most likely to be installed. Still, although suffering many in the wild exploiting mechanisms. Even worse, in normal permissions are implying, according to Google, the least many cases Android operates in a “rooted” environment providing possible risk for the user, they can actually be rather malicious to malicious apps a wider attack surface. (Peles and Hay, 2015; Kywe et al., 2016; Alepis and Patsakis, 2017a, To demonstrate this threat, we developed a simple backdoor 2017c, 2017d). add-on that we refer to as BAO (Backdoor Add-On). BAO targets Once MARCO is installed, it monitors the available IP address to OSMC, OpenElec and LibreELEC devices that use the default cre- determine whether it is located in a local network where a Kodi dentials osmc/osmc, root/openelec and root/libreelec respectively. application is installed (IP address of the form 192.168.*.*). Since BAO simply displays some images of Baozi while working silently scanning for network identiﬁers requires location permission (a on the background. More speciﬁcally, it launches a reverse shell to dangerous permission in Android), MARCO starts sending web re- the target machine by dynamically attaching the attack code which quests to all the available addresses (65,533 IPs) to determine downloads from the Internet.2 This way, BAO manages to hide the whether a Chorus 2 web interface responds. This way, MARCO uses, malicious code from possible static analysis checks. instead of the dangerous location permission, the normal Internet permission which is automatically granted by Android and cannot be revoked. Following the concept described in (Alepis and 2 Due to anonymity of the review process, the code of BAO will become available Patsakis, 2017a), we try to determine whether the Kodi device is once the paper is accepted.

Fig. 3. Overview of possible attacks.

Subtitles as a backdoor Stagefright vulnerabilities showed that properly crafted media files could exploit the Android media framework (libstagefright) Subtitles are a very common and widely used feature of media to compromise the device completely. The involved risks were players. Most users consider subtitles as a simple text file con- further magnified due to the high fragmentation of the Android taining two kinds of data: the time stamp indicating when the market. According to Google,4 at the time of writing almost 1% of subtitle should be displayed and the subtitle text itself. Nowadays, the devices have the latest version of Android installed, while this simple format has been further extended to provide more around 25% of the devices are exposed to the original vulnera- advanced features such as colors and animations. bilities. Although there is a patch for devices running on Android Depending on the media player and the installed plugins, the 5.1.1 and above, recently5 (CVE-2017-0713) another Stagefright media player may automatically download the subtitles, sync and vulnerability that affect devices running up to Android 7.1.2 has attach them to the media content displayed without any user been disclosed. interaction. Up to recently, subtitles were considered harmless, The above indicate that it is crucial for Android media players to however, recent vulnerabilities like CVE-2017-8314 found in many be aligned with the latest versions of Android. While top notch media players,3 e.g. VLC, Kodi and PopcornTime, allow an adversary devices, like those made by NVidia and Xiaomi, may receive the to remotely execute arbitrary code in the victim's device. By trick- latest updates from Google, most Android Kodi boxes are sold with ing the media player to download an infected subtitle, more than deprecated versions. For instance, widely sold solutions like Sky- 200 million users are being exposed to malicious activities. Stream, EZ Stream Ti8, gembox, Q-BOX, G-box, Minix Neo, and WeTek core and Play, all ship with Android version up to 5.1.1 Backdoored movies leaving them exposed to this kind of vulnerabilities and without having the chance of receiving any of the needed security patches The disclosure of Stagefright vulnerabilities in 2015 (Drake, in the near future due to the heavy fragmentation of Android. In 2015) had big impact not only because the vulnerability was very this regard, another attack vector for streaming apps like Kodi is severe and affected millions of devices, but because it affected a introduced. domain that was considered until then secure. The group of

4 https://developer.android.com/about/dashboards/index.html. 3 https://blog.checkpoint.com/2017/05/23/hacked-in-translation/. 5 https://source.android.com/security/bulletin/2017-08-01.

Forensics evidence deemed necessary. Therefore, the official Kodi repository contains numerous plugins and add-ons to extend its functionality, By default, Kodi keeps track of almost all actions made in its all of which are legal. However, Kodi allows users to use addi- environment. Although normally each add-on has a different tional repositories which provide them with access to even database and a dedicated folder to store its data, the user data more plugins and add-ons. folder is of specific interest for locating the user's history of Addons: This category contains the list of add-ons installed by illegal content streaming. Depending on the underlying OS, this the user. For Kodi, there is a huge list of add-ons that extend its directory can be located in different paths, as illustrated in functionality and enable the streaming of multimedia content Table 3. via aggregators. The role of the latter is to aggregate various stream sources so that users can easily locate the desired stream in terms of content and quality. Table 3 Stream content: This category describes all the content (movies Location of Kodi user data in different OS. and audio) consumed by the device and it represents the true OS Path evidence of the use of copyrighted material. Certainly, there are many copyleft streams available. However, each stream's name, Android Android/data/org.xbmc.kodi/files/.kodi/userdata/ iOS /private/var/mobile/Library/Preferences/Kodi/userdata/ links, watched duration, etc., can evidently help determine Linux /.kodi/userdata/ whether the content streamed by the device was unlawful. Mac /Library/Application Support/Kodi/userdata/ LibreELEC/OpenELEC /storage/.kodi/userdata/ In order to collect the installed add-ons, one can simply use Windows %APPDATA%\kodi\userdata the JSON RPC interface that Kodi provides to execute the POST of Listing 1, which will return a JSON result in the form of Listing 2.

Listing 1. A POST to retrieve installed Addons from Kodi.

In principle, all the information that Kodi keeps is stored in Listing 2. A JSON result containing installed Addons. SQLite in the aforementioned folders as separate db files. It should Within the user data directory there is a sub-directory named be noted here that even if some data are deleted from SQLite da- “Database” containing several SQLite databases. The number and tabases, there are possible ways to be recovered (Jeon et al., 2012; the types of the files found under this sub-directory depend on the Wu et al., 2013). The generic schema of the Kodi database is illus- current Kodi version as well as any previously installed versions trated in Fig. 4. Based on this, one can easily extract valuable in- that may co-exist6. As the name implies, the AddonsXX.db file formation when asked to investigate a Kodi box for copyright found in that sub-directory contains additional information about infringement. To this end, the involved information can be cat- the installed add-ons and it also keeps track of all installed re- egorised as follows: positories (see Table 4). Repositories: Kodi has a big supporting community which maintains several projects. In order not to overwhelm the users with functionalities they do not need, Kodi comes with some baseline features that users can add to and/or remove whenever 6 https://kodi.wiki/view/Database_versions.

Fig. 4. Kodi database schema 4.0a. Source: https://kodi.wiki/view/Database_Schema_4.0/a. Please cite this article in press as: Nikas, A., et al., I know what you streamed last night: On the security and privacy of streaming, Digital Investigation (2018), https://doi.org/10.1016/j.diin.2018.03.004 10 A. Nikas et al. / Digital Investigation xxx (2018) 1e12

Listing 3. A query for SQLite to retrieve watched streams. On top of that, the folder contains many cached fileinfo files (.fi) that represent the recent user interaction with the installed plugins Table 4 and add-ons. Additionally, many subtitle files can be found in the Obfuscated data from Addons27.db repo table. temporary folder providing more evidence of what movies or series 201 repository.un* 123* 02/07/18 03:26 PM 2.0.0 the user recently streamed. 556 repository.s* abc* 02/07/18 03:26 PM 1.1.0 Finally, it is worthwhile to note that add-ons can further have 903 s*.all 321* 02/07/18 03:26 PM 1.7.09 fi 914 repository.e* 222* 02/07/18 03:26 PM 2.2.1 independent log les to record additional information and, as such, 967 repository.xbmc.org 333* 02/07/18 03:26 PM 9.9.9 to keep valuable data for an investigation. This information may vary from subtitles to URLs of streamed content and from fanarts to logs of user interaction, depending always on the specific add-on. Table 5 Obfuscated data from watched content as recorded in Movies107.db. Solutions 7 http://r6dsn-i*.googlevideo.com* webm&upn 1 2017-12-29 11:08:38 ¼ YGvr* Clearly, many of the aforementioned problems can be countered d & 10 http://r6 sn-i*.googlevideo.com* mp4 upn 3 2017-12-29 11:09:52 fi ¼ YGv* with proper con guration of the devices hosting such apps. Some 115 http://art1.ridemy*/swf/1333* 24* 1 2017-12-22 22:07:03 of the countermeasures include, among others, adding new users 122 https://cs*.vk.me/5/u327*/videos/ 56955c* 2 2017-12-23 23:38:39 and removing default credentials as well as removing direct access 128 https://s27.escdn.co/hls/,jg6* master.m3u8* 1 2017-12-26 02:36:08 of these devices from the Internet so that they cannot be accessed directly from an adversary. Nevertheless, these actions cannot counteract the “compromised insider” attack described earlier Similarly, one can perform the query depicted in Listing 3 to under the malicious remote control in Section The Kodi use case. retrieve the list of streamed files. The results are in the form of The reason is that this attack scenario exploits a basic concept in all Table 5, and allow an investigator to determine which file was these applications: ease of use. The target audience of these apps is streamed, the last time it was accessed and how many times the common users who simply wish to use a streaming device and who streaming was performed. Depending also on the installed add-ons, know little about security. one can also recover the original title as well as some hashes that To secure these devices in an easy and transparent way we argue could be used as further evidence. that the current model of remotes which simply use HTTP can still While the aforementioned information is the typical antici- be used for the most part of the functionality apart from system pated, a wealth of additional information can be also discovered access and system controls. This is due to the fact that there is a under the Kodi temporary folder, e.g. ~/.kodi/temp in Linux higher need for proper user authentication when accessing the based systems. As a matter of fact, the issue of Kodi not properly latter. Considering that the use of credentials in such devices hin- cleaning its garbage is a well-known problem within its commu- ders their usability, we suggest using one-time passwords to nity. One of the most important files contained there is kodi.log securely authenticate the remote to the host device. which, along with previous log files, encloses a lot of information Since the remote control is expected to be a mobile device on regarding user's recent activity, e.g. information on add-on updates which it is rather cumbersome to type texts, we argue that a that user might had later uninstalled, information about streams “visual” authentication may be more appropriate. To this end, the user accessed, media that he used, and so forth. The excerpt we propose that users may navigate with their remote to from the Kodi log file in Listing 4 is indicative of the information the settings, the access to which should be locked, waiting for which is logged. user authentication through a QR code which will contain a one

Listing 4. Excerpt from the Kodi log ﬁle.

Please cite this article in press as: Nikas, A., et al., I know what you streamed last night: On the security and privacy of streaming, Digital Investigation (2018), https://doi.org/10.1016/j.diin.2018.03.004 A. Nikas et al. / Digital Investigation xxx (2018) 1e12 11 time password. This password can be used as a key for AES Our future work is mainly aimed towards the Android security encryption in counter mode. As a message could not be and the security assessment of streaming applications. To this decrypted without the proper key each message would be end, we are going to test Android-based streaming devices in authenticated only for the current session, thereby avoiding terms of their security since, apart from the use of deprecated OS replay attacks. The use of the counter mode, instead of e.g. CBC, versions, there are quite often customized versions which may facilitates the exchange of messages in this scenario, because the hinder security for the sake of applicability. Moreover, streaming amount of these messages between the remote and the host apps have not received yet any in depth security and privacy device would be rather low, allowing the devices to easily review, making this task a rather challenging issue. Currently, we withstand potential network errors, e.g. lost messages. In this are in the process of performing forensic analysis for other case, the counter would be increased by a small amount in one streaming platforms, beyond Kodi, and of examining their un- of the devices, so the other could easily catch up by incre- derlying firmware. menting its counter. While the use of HTTPS could significantly improve the afore- Acknowledgments mentioned procedure, the proposed approach bypasses problems that might stem from the use of certificates. For instance, in the This work was supported by the European Commission under HTTPS approach the host device would be expected to create a self- the Horizon 2020 Programme (H2020), as part of the projects signed certificate which the remote control would have to install OPERANDO (Grant Agreement no. 653704) and YAKSHA (Grant and trust, opening this way the door for other man-in-middle at- Agreement no. 780498) and is based upon work from COST Action tacks and UX constraints like notifications in Android for potential CRYPTACUS, supported by COST (European Cooperation in Science monitoring. and Technology). The use of a visual one time password like QR does not protect from The authors would like to thank E. Politou and A. Chryssanthou shoulder surfing attacks, nevertheless, it is considered more robust for their valuable feedback. alternative than typical graphical passwords (Renaud and De Angeli, 2009). In terms of its usability it has been welcomed and widely used for authentication in popularly used services such as WhatsApp, References mainly to the minimum user interaction and knowledge re- quirements. Apart from the fact that this method requires less user Alepis, E., Patsakis, C., 2017a. Monkey says, monkey does: security and privacy on e interaction, it is robust to errors as users of mobile devices are more voice assistants. IEEE Access 5, 17841 17851. https://doi.org/10.1109/ACCESS. 2017.2747626. prone to introduce mistakes while typing. Moreover, the proposed use Alepis, E., Patsakis, C., 2017b. Hey Doc, Is This Normal?: Exploring Android Per- is taking place within a rather constrained environment; most likely missions in the Post Marshmallow Era. Springer International Publishing, Cham, the user's house in which the user can easily determine whether pp. 53e73. Alepis, E., Patsakis, C., 2017c. Trapped by the ui: the android case. In: International someone tries to attack him. In addition, the authentication is only Symposium on Research in Attacks, Intrusions, and Defenses. Springer, required when the user wants to access the device settings, therefore pp. 334e354. it is an action that has to be performed for a limited amount of times. Alepis, E., Patsakis, C., 2017d. There's wally! Location tracking in android without permissions. In: Proceedings of the 3rd International Conference on Informa- Finally, since these systems are used by countless developers tion Systems Security and Privacy - Volume 1: ICISSP, INSTICC. ScitePress, worldwide, we reason that it is hightime for developers to start pp. 278e284. https://doi.org/10.5220/0006125502780284. integrating more security measures such as permission levels on Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J.A., Invernizzi, L., Kallitsis, M., et al., 2017. Under- applications or automated patch management for Android devices. standing the mirai botnet. In: USENIX Security Symposium. The latter is rather important as Android is severely fragmented Balthasar Martin, F.B., 2017. Next-gen mirai. In: DeepSec, p. 2017. with millions of devices not being able to receive critical OS updates. Bodenheim, R., Butts, J., Dunlap, S., Mullins, B., 2014. Evaluation of the ability of the shodan search engine to identify internet-facing industrial control devices. Int. J. Crit. Infrastruct. Prot. 7 (2), 114e123. Conclusions Cochran, J., 2017. The wirex botnet: How industry collaboration disrupted a ddos attack. https://blog.cloudflare.com/the-wirex-botnet/. This work highlighted the security and privacy issues may arise Danaher, B., Smith, M.D., Telang, R., November 2015. The effect of piracy website blocking on consumer behavior. https://ssrn.com/abstract¼2612063. https:// from the usage of a widespread multimedia service, namely the doi.org/10.2139/ssrn.2612063. streaming service. Users of such systems worldwide are exposed to Danaher, B., Smith, M.D., Telang, R., 2017. Copyright enforcement in the digital age: numerous threats, ranging from annoying to very serious ones, all empirical evidence and policy implications. Commun. ACM 60 (2), 68e75. Dhillon, H.S., Huang, H.C., Viswanathan, H., 2017. Wide-area wireless communication harmful. They may further expose other users and services to challenges for the internet of things. IEEE Commun. Mag. 55 (2), 168e174. threats through their compromised machines. User experience and https://doi.org/10.1109/MCOM.2017.1500269CM. https://doi.org/10.1109/MCOM. lack of knowledge on systems’ security are perhaps the most 2017.1500269CM. Drake, J., 2015. Stagefright: Scary Code in the Heart of Android, BlackHat USA. important factors for making these threats real. Durumeric, Z., Wustrow, E., Halderman, J.A., 2013. Zmap: fast internet-wide scan- In this regard, we detailed both a number of streaming plat- ning and its security applications. In: USENIX Security Symposium, vol. 8, forms exposed to security threats and also a number of ISPs pp. 47e53. Durumeric, Z., Adrian, D., Mirian, A., Bailey, M., Halderman, J.A., 2015. A search involved. Using the Kodi use case as a test bed for the purposes of engine backed by Internet-wide scanning. In: Proceedings of the 22nd ACM this study, we examined four attack vectors, two of which are re- Conference on Computer and Communications Security. ported through this work by implementing two respective simu- Ernesto, 2017. The windows app store is full of pirate streaming apps. https:// lated apps. An initial analysis of our results has revealed that the torrentfreak.com/the-windows-app-store-is-full-of-pirate-streaming-apps- 170820/. number of exposed users of streaming services are in the range of Ernesto, 2018. Tickbox must remove pirate streaming addons from sold devices. tens of thousands. However, it is the authors’ strong belief that this https://torrentfreak.com/tickbox-remove-pirate-streaming-addons-180214/. number will increase significantly through extending the described Fischlin, M., Günther, F., Marson, G.A., Paterson, K.G., 2015. Data is a stream: security of stream-based channels. In: Annual Cryptology Conference. Springer, methods, e.g. incorporating brute force attacks. Additionally, we pp. 545e564. provided guidelines for digital forensics in devices using Kodi and Furon, T., Doerr,€ G., 2010. Tracing pirated content on the internet: unwinding ari- we examined the type of collected information. Finally, we pro- adne's thread. IEEE Secur. Priv. 8 (5), 69e71. Gheorghe, G., Cigno, R.L., Montresor, A., 2011. Security and privacy issues in P2P posed a set of countermeasures and possible solutions to the streaming systems: a survey. Peer Peer Netw. Appl. 4 (2), 75e91. https://doi.org/ described security issues. 10.1007/s12083-010-0070-6. https://doi.org/10.1007/s12083-010-0070-6.

Goodin, D., 2017. One of 1st-known android ddos malware infects phones in Matherly, J.C., Shodan the computer search engine. Available at: [Online]: http:// 100 countries. https://arstechnica.com/information-technology/2017/08/ﬁrst- www.shodanhq.com/help. known-android-ddos-malware-infects-phones-in-100-countries/. Niemietz, M., Somorovsky, J., Mainka, C., Schwenk, J., 2015. Not so smart: on smart Jeon, S., Bang, J., Byun, K., Lee, S., 2012. A recovery method of deleted record for tv apps. In: Secure Internet of Things (SIoT), 2015 International Workshop on. sqlite database. Personal Ubiquitous Comput. 16 (6), 707e715. IEEE, pp. 72e81. Johnson, R., Kiourtis, N., Stavrou, A., Sritapan, V., 2015. Analysis of content copyright Peles, O., Hay, R., 2015. One class to rule them all: 0-day deserialization vulnera- infringement in mobile application markets. In: Electronic Crime Research bilities in android. In: 9th USENIX Workshop on Offensive Technologies (WOOT (eCrime), 2015 APWG Symposium on. IEEE, pp. 1e10. 15). USENIX Association. Kywe, S.M., Li, Y., Petal, K., Grace, M., 2016. Attacking android smartphone systems Reimers, I., 2016. Can private copyright protection be effective? evidence from book without permissions. In: Privacy, Security and Trust (PST), 2016 14th Annual publishing. J. Law Econ. 59 (2), 411e440. Conference on. IEEE, pp. 147e156. Renaud, K., De Angeli, A., 2009. Visual passwords: cure-all or snake-oil? Commun. Lauinger, T., Szydlowski, M., Onarlioglu, K., Wondracek, G., Kirda, E., Kruegel, C., ACM 52 (12), 135e140. 2013. Clickonomics: determining the effect of anti-piracy measures for one- Sicari, S., Rizzardi, A., Grieco, L.A., Coen-Porisini, A., 2015. Security, privacy and click hosting.. In: NDSS. trust in internet of things: the road ahead. Comput. Netw. 76, 146e164. Lee, S., Choi, D., Won, D., Kim, S., 2010. Security analysis on commercial online https://doi.org/10.1016/j.comnet.2014.11.008. https://doi.org/10.1016/j.comnet. music streaming service and countermeasures. In: Proceedings of the 4th In- 2014.11.008. ternational Conference on Uniquitous Information Management and Commu- Sudler, H., 2013. Effectiveness of anti-piracy technology: ﬁnding appropriate solu- nication. ACM, p. 59. tions for evolving online piracy. Bus. Horiz. 56 (2), 149e157. Liu, Y., Guo, Y., Liang, C., 2008. A survey on peer-to-peer video streaming systems. Wu, B., Xu, M., Zhang, H., Xu, J., Ren, Y., Zheng, N., 2013. A recovery approach for Peer Peer Netw. Appl. 1 (1), 18e28. https://doi.org/10.1007/s12083-007-0006-y. sqlite history recorders from yaffs2. In: Information and Communication https://doi.org/10.1007/s12083-007-0006-y. Technology-EurAsia Conference. Springer, pp. 295e299. Maheshwari, S., 2017. That game on your phone may be tracking what you're Zimmer, M., 2010. “But the data is already public”: on the ethics of research in watching on tv. https://www.nytimes.com/2017/12/28/business/media/ Facebook. Ethics Inf. Technol. 12 (4), 313e325. alphonso-app-tracking.html. ZoomEye, 2017. https://www.zoomeye.org/.