Feeds

Uni team claims SDMI cracked, and ‘inherently vulnerable’

Hackers say they'll tell us how they did it RSN...

  • alert
  • submit to reddit

The smart choice: opportunity from uncertainty

SDMI now looks comprehensively hacked, with the release of a report by a group of security and digital watermarking researchers claiming that they successfully beat the Hack SDMI challenge.

Amusingly, the team members are heavily Princeton University, one being none other than Edward Felten, whose previous greatest hit was ripping Internet Explorer out of Win98 for the prosecution in the Microsoft trial.

There's also a guy from PARC - one last go at stopping other people inventing technology and then selling it before they call us off? An unworthy thought...

The researchers haven't - yet - explained how they did it. That's promised for a technical paper to be released next month. But what they've published so far seems fairly convincing, and fairly damning of the future of the application of watermarking technology in the music business.

They participated in the SDMI challenge, "analysed the clips watermarked with the four technologies, and successfully modified them so that the watermarks could no longer be detected, while maintaining a level of audio quality satisfactory to SDMI."

They've no absolute proof that they managed the latter, but there's a nasty little barb that illustrates their confidence, and suggests SDMI is on a hiding to nothing: "As for our standard of audio quality, we have reason to believe that some modifications we performed were no more damaging than the watermarking methods themselves. If consumers consider those modifications too damaging to music, then they might feel the same way about the watermarks."

As we pointed out earlier today, the SDMI has people engaged in trying to detect imperfections in sound caused by watermarks, in addition to the ones involved in checking degradation associated with watermark removal. Sure, Felten & Co probably aren't golden ears, but they should surely have a fair idea.

One possible weakness in their case is that they claim that the SDMI automated systems ("oracles," apparently) told them so. "The oracle would email the submitter if the attack appeared to have rendered the mark undetectable, without significantly damaging the audio quality in the process. SDMI's oracles told us that our attacks have succeeded on all four watermarking technologies."

Previous evidence we've seen suggested that audio quality wouldn't be measured in detail until after that stage of the test. SDMI certainly appears to be relying on the expert "golden ears" to make the final call.

But it does seem clear they passed the first stage, because they know about the shadier stage two of the challenge. In stage two entrants were given additional tracks to defeat, but there was no oracle, so the results were entirely in SDMI's hands. "The SDMI requested that participants send the results of their watermark removal tools along with technical details of how the watermarks were removed. Following this, the SDMI would then offer participants the chance to sign a non-disclosure agreement in return for receiving a fraction of the prize money."

That sounds like a not entirely equitable distribution of round two. But the boffins dismiss it as pointless and invalid: "As academic researchers, we felt the second round of the challenge was unscientific and offered us no further information. Our goal is to understand, document, and study the technologies being used by SDMI. Since the second round provided no oracle access and no further unwatermarked content, there was nothing we could learn from it. In addition, we feel that the second round as designed by SDMI is not a valid test of whether a first-round success is repeatable, since it gives the participant much less information than was available in the first round."

And then it's in with the bayonet. They describe the SDMI challenge as being as much intended to hide the design of the watermarking schemes as to test whether they can be broken. Once the players are out, they can be reverse-engineered, and/or they can be used to check cracks quickly - if it won't play, you didn't crack it. Yet.

SDMI's security model "is inherently vulnerable... no matter how sophisticated their watermarking technologies become... we are confident that we can continue to develop attacks like we have if SDMI updates their technologies." Oh well - back to the old mixing desk? ®

Related Stories

How the hack SDMI challenge was run
SDMI hack: the 'golden ears' ride to the rescue
DMI was cracked, and is doomed: count on it
The researchers' hack FAQ (well worth reading)

Securing Web Applications Made Simple and Scalable

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Another day, another Firefox: Version 31 is upon us ALREADY
Web devs, Mozilla really wants you to like this one
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.