Kodi: Users can be hacked through subtitles

People are being urged to download a new update for the software

Aatif Sulleyman
Wednesday 24 May 2017 12:30 EDT
Hundreds of millions of users could be at risk, as the flaw also affects VLC, Popcorn-Time and strem.io (Facebook/Kodi)


Kodi has urged users to download a new update after security researchers discovered a vulnerability that could allow hackers to take over people’s devices.

The issue is an unusual one, which allows criminals to attack Kodi users through subtitles.

Millions of people are believed to be at risk, and they don’t need to have done anything wrong in order to be targeted.

Check Point, which discovered the issue, has described it as “one of the most widespread, easily accessed and zero-resistance” vulnerabilities reported in recent years.

“By conducting attacks through subtitles, hackers can take complete control over any device running them,” the company says. “From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device.

“The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

Subtitles are perceived as “benign text files”, allowing this particular attack vector to go unnoticed by users and antivirus software alike.
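The article does not describe the specific parsing defect Check Point found, but the lesson in the sentence above is general: a media player should treat a downloaded subtitle file as untrusted input rather than as harmless text. The following is an added example, not code from Kodi, VLC, Check Point or any of the projects named here. It is a strict SubRip (.srt) validator that refuses anything outside a narrow expected shape (invalid UTF-8, control characters, oversized files or lines, out-of-order or malformed timing, and markup beyond a few styling tags). The size limits, the tag whitelist and the sample files are constructed for the example and are assumptions, not values taken from the page.

```python
"""Strict SRT validator: subtitles are untrusted input, not benign text.

Added example, not Kodi's, VLC's or Check Point's code. The limits and the
whitelist below are constructed policy choices for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MAX_FILE_BYTES = 2 * 1024 * 1024   # assumed limit: subtitles are small
MAX_CUES = 5000                    # assumed limit
MAX_LINES_PER_CUE = 8              # assumed limit
MAX_LINE_CHARS = 512               # assumed limit
ALLOWED_TAGS = {"i", "b", "u"}     # only simple styling tags are accepted

TIMESTAMP = re.compile(r"^(\d{2}):(\d{2}):(\d{2}),(\d{3})$")
TIMING_LINE = re.compile(r"^(\S+) --> (\S+)$")
HTML_TAG = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)[^<>]*>")
CONTROL_CHAR = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


class SubtitleRejected(ValueError):
    """Raised with a human-readable reason when a file fails validation."""


@dataclass
class Cue:
    index: int
    start_ms: int
    end_ms: int
    lines: list[str]


def _timestamp_to_ms(raw: str) -> int:
    m = TIMESTAMP.match(raw)
    if not m:
        raise SubtitleRejected(f"malformed timestamp {raw!r}")
    hours, minutes, seconds, millis = (int(g) for g in m.groups())
    if minutes > 59 or seconds > 59:
        raise SubtitleRejected(f"out-of-range timestamp {raw!r}")
    return ((hours * 60 + minutes) * 60 + seconds) * 1000 + millis


def _check_text_line(line: str) -> None:
    if len(line) > MAX_LINE_CHARS:
        raise SubtitleRejected(f"text line exceeds {MAX_LINE_CHARS} chars")
    # Every angle-bracket tag must be one of the whitelisted styling tags.
    for tag in HTML_TAG.finditer(line):
        if tag.group(1).lower() not in ALLOWED_TAGS:
            raise SubtitleRejected(f"disallowed tag <{tag.group(1)}>")
    # Any bracket left over after removing recognised tags is rejected too.
    if "<" in HTML_TAG.sub("", line) or ">" in HTML_TAG.sub("", line):
        raise SubtitleRejected("unbalanced angle bracket in text")


def parse_srt_strict(data: bytes) -> list[Cue]:
    """Parse an SRT file, raising SubtitleRejected on anything unexpected."""
    if len(data) > MAX_FILE_BYTES:
        raise SubtitleRejected("file too large")
    try:
        text = data.decode("utf-8")          # strict decode: bad bytes fail
    except UnicodeDecodeError as exc:
        raise SubtitleRejected("not valid UTF-8") from exc
    text = text.lstrip("\ufeff")              # tolerate a BOM, nothing else
    hit = CONTROL_CHAR.search(text)
    if hit:
        raise SubtitleRejected(f"control character U+{ord(hit.group()):04X}")
    text = text.replace("\r\n", "\n").replace("\r", "\n").strip()
    if not text:
        raise SubtitleRejected("empty file")

    cues: list[Cue] = []
    previous_start = -1
    for block in re.split(r"\n{2,}", text):
        lines = block.split("\n")
        if len(lines) < 3:
            raise SubtitleRejected("cue needs index, timing and text lines")
        if not lines[0].isdigit() or int(lines[0]) != len(cues) + 1:
            raise SubtitleRejected(f"unexpected cue index {lines[0]!r}")
        timing = TIMING_LINE.match(lines[1])
        if not timing:
            raise SubtitleRejected(f"malformed timing line {lines[1]!r}")
        start_ms = _timestamp_to_ms(timing.group(1))
        end_ms = _timestamp_to_ms(timing.group(2))
        if end_ms < start_ms or start_ms < previous_start:
            raise SubtitleRejected("cue timing is not monotonic")
        body = lines[2:]
        if len(body) > MAX_LINES_PER_CUE:
            raise SubtitleRejected("too many text lines in one cue")
        for line in body:
            _check_text_line(line)
        cues.append(Cue(len(cues) + 1, start_ms, end_ms, body))
        previous_start = start_ms
        if len(cues) > MAX_CUES:
            raise SubtitleRejected("too many cues")
    return cues


def scan_subtitle(data: bytes) -> dict:
    """Never raises: returns a verdict a player could log before loading."""
    try:
        cues = parse_srt_strict(data)
    except SubtitleRejected as exc:
        return {"accepted": False, "reason": str(exc), "cues": 0}
    return {"accepted": True, "reason": "", "cues": len(cues)}


# Constructed sample files for the example (not from any real repository).
BENIGN_SRT = (
    b"1\n00:00:01,000 --> 00:00:03,500\nHello, <i>world</i>.\n\n"
    b"2\n00:00:04,000 --> 00:00:06,000\nSecond line.\n"
)
TAG_SRT = b"1\n00:00:01,000 --> 00:00:03,500\n<object data=\"example.invalid\">\n"
NUL_SRT = b"1\n00:00:01,000 --> 00:00:02,000\nHi\x00there\n"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_SRT), ("tag", TAG_SRT), ("nul", NUL_SRT)]:
        print(name, scan_subtitle(sample))
```

The design point is that the validator is allow-list driven: rather than searching for known bad patterns, it accepts only the shape a subtitle legitimately needs and rejects everything else with a reason that can be logged. A player that gates auto-downloaded subtitles behind a check like this still needs its actual parser fixed, as the Kodi 17.2 release does; the check only shrinks what that parser is ever handed.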

Kodi was alerted to the issue before Check Point made its announcement, and has had time to create a fix.

“Our developers fixed this security gap and have added the fix to this v17.2 release,” Kodi has announced.

“As such we highly encourage all users to install this latest version! Any previous Kodi version will not get any security patch.” Users can download the latest version of Kodi here.

The open-source software is legal, but add-ons created by third parties can let people use it for access to illegal streams for sports events, TV shows and films.

Check Point says the same issue also affects the VLC, Popcorn-Time and strem.io streaming platforms. All three have issued fixes, which can be accessed through Check Point’s blog.

“Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are loaded by the user’s media player,” the company explains.

“These subtitle repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker’s malicious subtitles a high score, which results in those specific subtitles being served to the user.

“This method requires little or no deliberate action on the part of the user, making it all the more dangerous.”
