Sick subtitles can infect your media player

Do you use a media player like VLC, Kodi, Popcorn Time or Strem.io? Perhaps you are using one of those “dodgy” Android boxes? If so, you will want to update them to their latest version ASAP, because it is possible that they might pick up subtitles that can compromise the machine that you are playing the media on.

According to this, the concept of using malicious subtitle files to compromise a machine goes back to the early 2000s. However, that was not a very widespread phenomenon back in the day.

In this modern era, where every home probably has multiple media players, this could become a very serious problem, because you might not have the media player set to automatically update. In fact, in some cases there is no automatic update facility available, only a message suggesting that you update the software manually. This is the case with VLC and Kodi for Windows. As we say in our First Commandment, you should always keep your software up to date with patches and new versions.

You might ask what kind of impact a malicious subtitle file could really have. The researchers at Check Point published their research into this attack vector, and the following is what they said could happen:

By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.

So, yes, it is pretty serious, alright. The researchers also discovered that it is possible to manipulate sites that host subtitles in order to make a malicious subtitle file more “popular”, so that the sick subtitles would be more likely to be chosen and loaded by the media player when the video is being played.

They have also provided a video to show, as a proof of concept, how easy it is to take control of the victim’s computer by way of malicious subtitles.

I realised after reading this story that I still have Kodi installed on my home PC, though I have not used it in a couple of years (as I use Plex to watch my media now). It was running version 14.1, whereas the current version is 17.3. So I’ve uninstalled it altogether now and also verified that my Plex installation is fully updated, as well as any installs of VLC. I gotta practice what I preach.