So-called Ultra HD (UHD) Blu-ray ‘friendly’ drives send data to a server when the drive is used to rip discs. The application responsible for collecting and submitting the data appears to be loaded from a hidden partition on UHD Blu-ray discs that can only be seen with UHD Blu-ray ‘friendly’ drives.
A security researcher who goes by the alias sl00f04 contacted us about the issue. He has been analyzing Windows 10 telemetry data for the last couple of weeks because of privacy concerns. He noticed that every time he ripped a UHD Blu-ray disc, his computer ‘phoned home’ to a specific server that appears to be operated by the AACS-LA. The server seems to be collecting ‘Extended Telemetry’ (E.T.) data when phoning home through an encrypted connection.
To monitor telemetry data, sl00f04 uses software called Fiddler, which can decrypt HTTPS traffic. This is possible because, as the Fiddler website explains, “Fiddler2 relies on a man-in-the-middle approach to HTTPS interception. To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser. In order to pretend to be the web server, Fiddler2 dynamically generates an HTTPS certificate.”
This meant sl00f04 could monitor not only encrypted telemetry traffic from Microsoft, but also the encrypted traffic to the AACS-LA operated server. The servers appear to be collecting the software used for the UHD Blu-ray rips, the drive used for the rips and its firmware version, the disc, and specific details of the computer such as IP address, longitude and latitude (when available), and the network to which the computer is connected. The total number of discs ripped on the computer is also collected and transferred.
When the computer is disconnected from the internet, the data is still collected and transmitted once the computer comes back online with a UHD Blu-ray disc inserted.
Using the same test setup that sl00f04 described to us in his email, we were able to confirm that our computer indeed submitted the described data to an online server after ripping a UHD Blu-ray disc. When using an official UHD Blu-ray disc, we didn’t see the same behavior.
In his email, sl00f04 concludes, “although the collection of this data could be harmless, I would recommend blocking the IP address of the server. If you add the IP 918.104.22.168 to your hosts file, you should be safe from any eavesdropping.”
The collection of the data doesn’t entirely come out of the blue. Leaked documents from Sony that were published by WikiLeaks already indicated that an internet connection would be required for some discs.
Update: As some of you already stated, this was our annual April Fools’ joke.
- sl00f04 -> 04 fools (April is the 4th month)
- Phone home ‘Extended Telemetry’ -> reference to E.T.
- The numbers from the IP address correspond to letters of the alphabet; when converted properly, they spell ‘itsfake’