Feeds

PANDA chomps through Spotify's DRM

Tough slog to free ogg

Beginner's guide to SSL certificates

Music can be ripped from Spotify using a tool that cracks digital rights management copyright protection, a Georgia Tech University researcher says.

Code dubbed Platform for Architecture-Neutral Dynamic Analysis - aka PANDA - posted to GitHub does the job, says researcher Brendan Doln-Gavitt.

"[The technique] by itself is just the starting point for what you would need to really break Spotify's DRM," Dolan-Gavitt (@Moyix) said, noting that he does not condone content piracy.

"It doesn't give you a way to obtain the key for each song and decrypt it wholesale ... Although I can certainly imagine more efficient processes, I think for now this is a nice balance between enabling piracy and showing off the power of PANDA."

Georgia Tech University researcher Brendan Doln-Gavitt

Brendan Doln-Gavitt

Wholesale theft would be constrained by Spotify packing and anti-debugging techniques which could make hooking a necessary function difficult.

The PANDA tool was developed between Georgia Tech, Northeastern University and Massachusetts Institute of Technology's Lincoln Laboratory under funding from the US Air Force.

It was built on the Quick Emulator and Low Level Virtual Machine and was used for dynamic software analysis.using a variety of plugins.

The targeted Spotify function could be found because of three traits which the Dolan-Gavitt's script identified based on prior research including a paper titled Steal This Movie: Automatically Bypassing DRM Protection in Streaming Media Services.

PANDA works by reading and writing lots of equal data, with the byte entropy of read data being high yet less random, while the byte entropy of write data was both high and very random.

Once the function was identified, the data could be dumped through another PANDA plugin which dat files, one containing the sought after tunes in the lossy Ogg audio format.

Attempts have been made to rip songs from Spotify, notably with the development of the since scuppered Downloadify Chrome extension in May last year. That tool worked because Spotify did not then apply DRM to its web player tool, allowing users to pilfer any song from its catalogue of then 20 million songs. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Desperate VXers enslave FREEZERS in DDoS bot
Updated Spike malware targets Asia
Heatmiser digital thermostat users: For pity's sake, DON'T SWITCH ON the WI-FI
A stranger turns up YOUR heat with default password 1234
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.