Researchers at the data security firm Check Point recently discovered a PC exploit — hacker-ese for an attack — that infiltrates devices in an ingenious way, through the subtitles playing at the bottom of the screen. The discovery gives rise to a number of cybersecurity hygiene issues, many of which you control.
But First, Something You Can’t Control
You may recall a while back that WikiLeaks released a cornucopia of CIA exploits, which included a way to get access to the microphone of a Samsung Smart TVs to gather information about people of interest. The WannaCry ransomware attack was also the brainchild of the leaked CIA cookbook for cyber sneaks.
Another leaked CIA exploit targeted the VLC player, one the very same platforms featured in this new hacker trick. Given the very public information about the CIA exploits, one has to assume there is a small army of cyber orcs and ogres working on applications, and this latest one is an example of that.
As such, it is now more important than ever to say on top of your cyber security. But before we get into what you can do, let’s look at this latest security threat.
Allow Me to Translate
When you stream a video that comes with subtitles, something digital transpires in the background to make that magic happen. The player you’re using has to go out into the Internets and request a file that contains those subtitles. They are then sewn onto the video, and, voilà, there you have it.
They are called exploits for a reason. Hackers make a living finding security problems. Imagine a fenced garden. They are constantly probing for a chink in that barrier that they can slip past, a divot in the parameter that will allow then to skitter underneath to whatever is being protected on the other side. Sometimes that vulnerability lies in a process, especially if there are third party players in that process, which was the case here.
In this hack, malicious subtitle files were placed on the service that supplies the subtitles to videos. OpenSubtitles.org is a public repository, which at least one of the affected players, Popcorn Time, confirmed that it was using.
The way OpenSubtitles.org works is similar to many public digital depots: A request comes in for subtitles for a particular film — in this instance Disney’s "Frozen" — and the repository serves the most popular file, which is then digitally sewn to the requested movie in your player. It all happens at the speed of things digital. In this case, when the receiving app parses the subtitle file during the download. But it is a process like any other, and during that brief digital moment when the player is stitching the subtitle to the movie it’s about to play, this exploit allows hackers to take control of the machine that made the request. (For a more technical look at how this works, check out this Forbes article.)
Bottom line: With very little effort, the researchers at Check Point were able to game the system so that their subtitle files rose to the top of the list demonstrating the way a hacker could achieve the same outcome.
What You Can Do
This is a cyber security hygiene issue. There are things that are out of your control, but there are others you can. Keep the focus there.
First of all, this attack works when you use one of a few popular media players — VLC, Kodi, Popcorn Time and Stremio — but we have to assume that other media players and platforms are vulnerable. As of yet, Android phones, iOS and anything after Microsoft 10 have not been hacked—but it is important to add, that is so far as we know.
Mind blown? It should be. So what can you do? Pay attention to stories about cybersecurity. Thus far, this particular exploit has been found to work on the above cited platforms and operating systems — so, given this latest discovery, the simple move to make here is to not watch movies with subtitles on a platform where you might be vulnerable. Simple, but you have to be aware of the issue.
While all of the players involved in this exploit have created updates that address the vulnerability, those updates need to be downloaded and executed to be effective. Always check to make sure you are using the latest version of all your systems, apps, and firmware. The alerts can seem like a noisome mosquito when you are doing something else, but swat them away at your own peril. They are there to help you.
Adam K. Levin is a consumer advocate with more than 30 years of experience and is a nationally recognized expert on cybersecurity, privacy, identity theft, fraud, and personal finance. A former Director of the New Jersey Division of Consumer Affairs, Mr. Levin is Chairman and founder of CyberScout and co-founder of Credit.com. Adam Levin is the author of Amazon Best Seller "Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves." He is the security and credit expert for ABCNews.com and writes a weekly column for The Huffington Post, Inc. Magazine, The Hill, and Newsmax. Mr. Levin is a go-to expert appearing on many national TV programs including "The Today Show," "Good Morning America," "MSNBC Live," "Fox and Friends," "NBC Nightly News," "ABC World News Tonight," "Cavuto Coast to Coast," "Bloomberg Surveillance," as well as national radio throughout the country. Read more of his reports — Go Here Now.
© 2023 Newsmax. All rights reserved.