Microsoft Windows DRM issue could be exploited to uncloak Tor Browser users

Pierluigi Paganini February 06, 2017

HackerHouse researchers have discovered that media content protected by Digital Rights Management (DRM) can be used to uncloak Windows Tor Browser users.

The anonymity of the Tor users is threatened by a new issue related the Microsoft’s DRM. Windows users running the Tor browser can be de-anonymized with a trick based on the Microsoft DRM (Digital Rights Management) mechanism.

The discovery was made by researchers at Hacker House while they were conducting a study on social engineering attacks made by using a content protected with DRM.

Tor users can be unmasked by clicking on a media file revealing the user’s real IP address.

“DRM is a licensing technology that attempts to prevent unauthorised distribution and restrictive use of a media file. It works by encrypting the video and audio streams with an encryption key and requesting a license (decryption key) from a network server when the file is accessed. As it requires network connectivity it can cause users to make network requests without consent when opening a media file such as a video file or audio file. WMV is using Microsoft Advanced Systems Format (ASF) to store audio and video as objects. This file format consists of objects that are labelled by GUID and packed together to make a media package.” reads the analysis published on

Simplifying the problem, DRM-protected content has to fetch a license key from a server in order to be displayed. Windows raises a dialogue to the user is the content If isn’t signed properly.

Windows DRM Tor

“However, this warning DOES NOT appear if the DRM license has been signed correctly and the Digital Signature Object, Content Encryption Object and Extended Content Encryption Object contain the appropriate cryptographic signing performed by an authorised Microsoft License Server profile”

Windows DRM Tor

Researchers at Hacker House highlighted that Microsoft requests an expensive fee to users that want to sign media.

“DRM is expensive business and unless you use the SDK to develop your own application you will likely need to make use of a license provider to encrypt your WMV files using these tools and also for signing purposes. If you want to build your own Microsoft DRM signing solution the price-tag is around $10,000.” states Hacker House.

The experts have discovered online serviced managing to generate signed content avoiding a so expensive payment. These Windows DRM providers that could be used to sign user media can decloak Tor users.

“There are several free DRM providers who could sign your media for you however as the barrier to entry to the DRM market is the aforementioned price tag, it makes you wonder how these files are being signed in the wild!” continues the analysis.

“As these “signed WMV” files do not present any alert to a user before opening them they can be used quite effectively to decloak users of the popular privacy tool TorBrowser with very little warning”, they write.

Experts at the Tor Project are aware of the possibility that hackers track Windows Tor users leveraging on Windows DRM issue. They invite users to run Tails if they need to run media files.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Windows DRM, Tor)

you might also like

leave a comment