Hackers Can Use Subtitles to Infect Your Devices Researchers from security firm Check Point said 'hundreds of millions' of devices running media players such as VLC, Kodi, Popcorn Time and Stremio are at risk.

By Angela Moscaritolo

entrepreneur daily

This story originally appeared on PCMag

via PC Mag

Enjoy watching foreign films? We have some bad news.

Security researchers have discovered a new attack vector that could allow online miscreants to gain access to your PC, mobile device and smart TV: malicious subtitles. Researchers from security firm Check Point said "hundreds of millions" of devices running VLC, Kodi, Popcorn Time and Stremio -- four of the most popular media players out there -- are at risk.

"Malicious subtitles could be created and delivered to millions of devices automatically, bypassing security software and giving the attacker full control of the infected device and the data it holds," Check Point vulnerability research team leader Omri Herscovici said in a statement.

He went on to say that the subtitle supply chain is "complex," with more than 25 different formats in use, all with unique features. "This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers," Herscovici said.

Subtitles for films and TV shows are created by "a wide range of subtitle writers," who upload them to shared online repositories such as OpenSubtites.org, where the files are indexed and ranked, Check Point explained. Here's the problem: bad actors can manipulate the repositories' ranking algorithm, so that their malicious subtitles are automatically downloaded by media players. This would allow the attacker to "take complete control over the entire subtitle supply chain" with "little or no deliberate action on the part of the user."

Check out Check Point's proof-of-concept video below demonstrating how an attacker could use malicious subtitles to take over your machine.

Check Point said it followed responsible disclosure guidelines and reported the bugs to the developers of the vulnerable media players. Some of the issues have already been fixed while others are still under investigation.

"To protect themselves and minimize the risk of possible attacks, users should ensure they update their streaming players to the latest versions," Herscovici said. PopcornTime has released a new version, which corrects the problem; it can be downloaded here. The latest versions of Kodi, VLC and Stemio are also officially fixed.

Check Point said there is "reason to believe similar vulnerabilities exist in other media players as well." The company has not yet released full technical details of the flaws to give the developers more time to address the problem.

Part of the issue, Check Point said, is that movie subtitles are often perceived as "nothing more than benign text files."

"This means users, anti-virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk," the company said. Check Point estimates that approximately 200 million video players and streamers currently run the vulnerable software, "making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years."

Angela Moscaritolo has been a PCMag reporter since January 2012. 

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Business News

Barbara Corcoran Sounds Off on NAR Settlement: 'It's a Scary Time for Real Estate Agents'

The "Shark Tank" star took to Instagram to share her thoughts on Friday's ruling.

Side Hustle

Her 'Crude Prototype' and $50 Craigslist Purchase Launched a Side Hustle That Hit $1 Million in Sales — Now the Business Generates Up to $20 Million a Year

Elle Rowley experienced a "surge of creative inspiration" after she had her first baby in 2009 — and it wasn't long before she landed on a great idea.

Starting a Business

A Side Hustle Consultant Shares the Most Lucrative Gigs Right Now

Plus, he answers the side hustle questions he gets most often from clients.

Starting a Business

She Never Wanted to Start a Business, But Chronic Insomnia Was Motivation — Here's How She Achieved $20 Million in Sales and 8 Hours of Sleep a Night

Dr. Kathrin Hamm, founder and CEO of sleep-wellness company Bearaby, wanted to find a solution for her sleeplessness — and the products on the market weren't cutting it.

Marketing

Why Being Your Own Influencer Is the Key to Success For Entrepreneurs

Are you showing up as a face in your business? If not, here is why you are missing a major opportunity for brand impact and loyalty and what you can do about it.