In the wake of David Buchanan’s exposure of flaws in Widevine Level 3, many have been left questioning their content security.
Widevine Level 3 is one of Google’s less secure in-house DRM implementations. Setting software based whitebox crypto as a minimum requirement when using Widevine means that the encryption keys will pass through the CPU and RAM on the client device unencrypted. Widevine are working on a fix for this but it is always a risk when using software based decryption.
So, for those looking for a more secure DRM solution what do VUALTO recommend? VUALTO will always recommend setting a Widevine level that at least requires key material and crypto ops to be performed within a hardware backed, trusted execution environment. If a device has the capability to do hardware decryption this will always be used by Widevine and the flaw from using software decryption will in this case, not be applicable.
VUDRM from VUALTO offers an enhanced level of DRM security through the use of VUDRM tokens. Using our flexible token generation, you can dynamically issue individual user permissions for one piece of content, with no need for re-encryption. You can restrict your content to only be played on devices that support hardware decryption by setting values in the VUDRM token itself. Device agnostic and with support for Microsoft PlayReady, Google Widevine, FairPlay Streaming & Adobe Primetime, VUDRM content protection is trusted and used by broadcasters globally and is supported by all major video players.
If you wish to check what level of security your Android device supports there is an app in the Google Play store that can display that information:
The desired security level is L1.
This means that your device supports hardware decryption and does not expose the flaw.