Feeds

Uni team claims SDMI cracked, and ‘inherently vulnerable’

Hackers say they'll tell us how they did it RSN...

  • alert
  • submit to reddit

New hybrid storage solutions

SDMI now looks comprehensively hacked, with the release of a report by a group of security and digital watermarking researchers claiming that they successfully beat the Hack SDMI challenge.

Amusingly, the team members are heavily Princeton University, one being none other than Edward Felten, whose previous greatest hit was ripping Internet Explorer out of Win98 for the prosecution in the Microsoft trial.

There's also a guy from PARC - one last go at stopping other people inventing technology and then selling it before they call us off? An unworthy thought...

The researchers haven't - yet - explained how they did it. That's promised for a technical paper to be released next month. But what they've published so far seems fairly convincing, and fairly damning of the future of the application of watermarking technology in the music business.

They participated in the SDMI challenge, "analysed the clips watermarked with the four technologies, and successfully modified them so that the watermarks could no longer be detected, while maintaining a level of audio quality satisfactory to SDMI."

They've no absolute proof that they managed the latter, but there's a nasty little barb that illustrates their confidence, and suggests SDMI is on a hiding to nothing: "As for our standard of audio quality, we have reason to believe that some modifications we performed were no more damaging than the watermarking methods themselves. If consumers consider those modifications too damaging to music, then they might feel the same way about the watermarks."

As we pointed out earlier today, the SDMI has people engaged in trying to detect imperfections in sound caused by watermarks, in addition to the ones involved in checking degradation associated with watermark removal. Sure, Felten & Co probably aren't golden ears, but they should surely have a fair idea.

One possible weakness in their case is that they claim that the SDMI automated systems ("oracles," apparently) told them so. "The oracle would email the submitter if the attack appeared to have rendered the mark undetectable, without significantly damaging the audio quality in the process. SDMI's oracles told us that our attacks have succeeded on all four watermarking technologies."

Previous evidence we've seen suggested that audio quality wouldn't be measured in detail until after that stage of the test. SDMI certainly appears to be relying on the expert "golden ears" to make the final call.

But it does seem clear they passed the first stage, because they know about the shadier stage two of the challenge. In stage two entrants were given additional tracks to defeat, but there was no oracle, so the results were entirely in SDMI's hands. "The SDMI requested that participants send the results of their watermark removal tools along with technical details of how the watermarks were removed. Following this, the SDMI would then offer participants the chance to sign a non-disclosure agreement in return for receiving a fraction of the prize money."

That sounds like a not entirely equitable distribution of round two. But the boffins dismiss it as pointless and invalid: "As academic researchers, we felt the second round of the challenge was unscientific and offered us no further information. Our goal is to understand, document, and study the technologies being used by SDMI. Since the second round provided no oracle access and no further unwatermarked content, there was nothing we could learn from it. In addition, we feel that the second round as designed by SDMI is not a valid test of whether a first-round success is repeatable, since it gives the participant much less information than was available in the first round."

And then it's in with the bayonet. They describe the SDMI challenge as being as much intended to hide the design of the watermarking schemes as to test whether they can be broken. Once the players are out, they can be reverse-engineered, and/or they can be used to check cracks quickly - if it won't play, you didn't crack it. Yet.

SDMI's security model "is inherently vulnerable... no matter how sophisticated their watermarking technologies become... we are confident that we can continue to develop attacks like we have if SDMI updates their technologies." Oh well - back to the old mixing desk? ®

Related Stories

How the hack SDMI challenge was run
SDMI hack: the 'golden ears' ride to the rescue
DMI was cracked, and is doomed: count on it
The researchers' hack FAQ (well worth reading)

Security for virtualized datacentres

More from The Register

next story
Not appy with your Chromebook? Well now it can run Android apps
Google offers beta of tricky OS-inside-OS tech
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.