When selling equipment whose primary feature is security, the greatest asset a company can have is the trust of those who rely on its products. Huawei, a manufacturer of communication equipment based in China, has been subject to much scrutiny of late in the US. This, in spite of the fact that there has been no public disclosure of a security issue associated with Huawei equipment. There is now, however, a Hong Kong-based manufacturer of secure cinema servers, deployed for the playout of highly valued first release motion pictures, where there has been public disclosure of a major security breach. The breach led to the theft of dozens of films produced in China and in Hollywood. That company is GDC Technology. This article reviews what is currently known about the threat posed to cinema.
On April 26, I was contacted by an unidentified person within Sina.com, a Chinese online news site, about a security breach that resulted in the theft of a large number of movies over the Chinese Spring Festival holiday earlier this year. Numerous links were provided, many of which are listed at the end of this article. The thefts are said to have contributed to a 22% drop in attendance over the prior year. The email pointed to GDC cinema servers as central to the problem. More was also said, which I’ll come back to.
Three days later, on April 29, a major press conference was held in Yangzhou by China’s Ministry of Public Security announcing the capture of a major piracy ring. The piracy ring admitted to the theft of numerous movies over a span of several years, including the Spring Festival thefts. An elaborate system was employed in which legitimate movie distributions and keys sent to commercial cinemas were stolen and played on a rogue server that could mimic the legitimate servers intended to play the movies. From this rogue server, pirated copies could be made. The rogue server, an older product by GDC, became infamous among Chinese law enforcement and earned the nickname Ghost No. 1.
The technique used in this piracy has never before been publicly reported. In technical language, the DCP, the collection of movie files, is encrypted with one or more secret content keys. A KDM (Key Delivery Message) carries those content keys in encrypted form, and it will authorize only one specific playback server within a cinema complex: only that server's private key can recover the keys inside. The Ghost No. 1 server was fitted with the cryptographic identity of the legitimate server for which the movie was targeted, so the KDM opened for it as if it were that server. The Ghost No. 1 server inserted a forensic watermark in the pirated movie copies, as it was designed to do, revealing the server serial number A15591. But there were no records of keys produced for A15591. This led to a three-year investigation that was only recently solved thanks to the diligent work of Chinese authorities. Patrick von Sychowski, editor of Celluloid Junkie, covered in detail the extraordinary story that led to the arrest of over 200 people associated with the piracy ring, the shadow network of ‘private cinemas’ screening the stolen film, and the download sites that distributed the film to consumers by means of social media.
To grasp the magnitude of what took place, and the risks that are revealed, the cryptographic technique used to successfully operate the Ghost No. 1 server must be understood. This requires a basic knowledge of public and private key pairs. Imagine a box that is locked using a key called the “public key”. The name correctly conveys that anyone can use this key to lock the box. But only the holder of the matching “private key” can unlock it. To send me a package, a sender obtains my public key and locks the box with it, confident that only I, as sole holder of the private key, can retrieve the package. This is the essence of public-key cryptography: the public key can be handed out freely, and the security of everything locked with it rests entirely on the private key never leaving my possession.
In digital cinema, a type of public-key cryptography called RSA is used to supply movie keys to a server. Only the intended server, as sole holder of the private key, can unlock the movie keys. Based on this use of RSA private and public keys, a highly secure and trusted network of over 170,000 digital cinema servers is supported around the world. (More details on digital cinema security and cryptography can be found in Cinepedia.)
For digital cinema security to be trusted, the private RSA keys of servers must never be revealed. The specification that governs the construction and behavior of secure digital cinema equipment is published and managed by a joint venture of major Hollywood studios called Digital Cinema Initiatives, more commonly known as DCI. Compliance with the DCI specification also requires validation of the server's security module to FIPS 140-2 Level 3. FIPS (Federal Information Processing Standard) 140-2 is published by the US government's NIST for the approval of cryptographic modules, and Level 3 requires physical tamper protection around the module. Equipment that passes compliance testing is designated DCI Compliant and listed on the DCI website. If all of this sounds Greek to you, then your takeaway should be that security is not taken lightly in digital cinema.
Even with the best efforts of studios and testing labs to ensure the security of first release movies, there is no substitute for trust of the manufacturer. When validating compliance, nothing prevents a manufacturer from submitting incorrect or misleading documentation, or from submitting a device for testing that does not represent actual product in the field. Likewise, it is not possible to specify every aspect of security in a manner that is completely watertight. It is necessary for the manufacturer to understand the intent behind specifications and compliance testing, and do their best to meet that intent.
The need to meet industry intent was impressed on me by the former top executives of two companies, each of which produced DCI compliant servers in the 2000s and early 2010s. At the outset of digital cinema, in the mid-2000s, secure digital distribution of highly valued first release movies was uncharted territory. Mistakes were bound to be made. More than one company made them. DCI made them. For example, it was not until April of 2016, 11 years into the digital cinema rollout, that DCI added the requirement that RSA key pairs be generated exclusively within the physically and electrically secured boundary of the server where decryption takes place. At the same time, DCI also added the requirement that no access to the private RSA key be allowed. The executives I communicated with each spoke of their recognition, early in the rollout of digital cinema, of the value of trust to their brand and the need to limit liability for their companies. A critical step in that effort was the protection of the private RSA key that ultimately secures highly valued content from direct digital theft. These executives did not wait for DCI to specify that no access is to be allowed to the private RSA key. They implemented it early in the history of their products to protect their company reputations and brand.
The operators of Ghost No. 1 were able to obtain the private RSA keys of GDC servers in the field. Cinemas that legitimately received movies and keys from studios would effectively, and presumably unknowingly, have the security credentials of their equipment stolen, and their movies and keys duplicated, all to enable the Ghost No. 1 server in its role of stealing movie content. This scheme allowed the Ghost No. 1 server to play the encrypted digital files of first release movies that it was never intended to play. Movies were projected onto a screen and camcorded, sometimes prior to opening night. Pirated copies were sent to a network of underground cinemas that would avoid sharing box office with studios, and to online digital distribution networks where consumers could watch the movie for a fraction of the cost of a cinema ticket.
In understanding how this operation was enabled, the most important question is how did the pirates obtain the private RSA keys? There are three scenarios that come to mind. The first scenario could be that GDC maintains a hidden feature in its software that will extract the private key. The second scenario could be that GDC servers in the field do not adequately protect the private key, enabling a skilled hacker to retrieve it. The third scenario could be that GDC maintains externally generated RSA key-pairs on an in-house server, and GDC itself was hacked, placing a massive trove of GDC RSA key-pairs in the hands of others.
The first scenario seems plausible, given knowledge that exhibitors were able to do things that could only be done by transporting the private RSA key from one server to another. As confirmation, an executive from a competitor told of lost sales to GDC when refusing to allow the RSA private key in their product to be changed by the exhibitor, placing reputation first. The second scenario was actually demonstrated in 2011 by a competitor when conducting a security audit of competing products, and reported its results to Hollywood studios. I will vouch for the screen shots that were shown to me. It is not known if GDC patched the problem, and if so, the extent to which the patch was actually installed in the field. The third scenario is clearly the worst, but one that at least two experts have deemed possible. It would place an entire trove of RSA key-pairs in the hands of others, exposing to risk any movie distributed to the associated GDC servers in the field. In each of these scenarios, the exposure extends to every GDC server built before the point at which GDC actually met the DCI April 2016 requirement for generating RSA keys inside the secure boundary and eliminating access to those keys; servers built after that point would be unaffected. Importantly, at least one of these scenarios must be true. Otherwise, it would have been impossible for the Chinese pirate operation to exist. But it is also possible that more than one of these scenarios is true, which is why a full disclosure of GDC’s security policies is important.
It should now be evident as to why transparency goes hand-in-hand with security and reputation. Hiding security problems behind NDAs does nothing to fairly treat the owners of highly valued content, or the exhibitors who buy the products. Rumors may not be helpful, but they proliferate due to the lack of trusted information. Sadly, Hollywood studios have been complicit in hiding knowledge of at least one security breach. As far as I know, the results of the competitor’s security audit in 2011 were not validated by a studio, even though they knew of it. I’m told that studios at the time placed a higher priority on growing the digital cinema footprint, and did not want to interfere. I did not ask a studio for comment. And it was, after all, 8 years ago.
But there is plenty to worry about today. As one friend calls it, we are approaching the Chernobyl-Fukushima moment for cinema. An exposed RSA private key, in the hands of a knowledgeable pirate, can be used to unlock every movie whose KDM was ever issued to that server. The captured Chinese pirates were clever, but not sophisticated. A sophisticated operation would use the private RSA key to unwrap the content keys from the KDM and decrypt the DCP files directly, with no projector and no camcorder. Playing an unencrypted DCP does not require a secure digital cinema server: a quick browse through YouTube reveals multiple videos that will teach you how. Colorspace conversion is needed, as well as encoding to the final format, probably MP4. All of this can be done in a computer without the burden of generating a DCI forensic watermark, so the copy carries no serial number pointing back to any server. Think of it as Ghost No. 0, or No Ghost Server. To underscore the point, while writing this, I was reminded by a friend of the discovery, elsewhere (not China), of pirated movies without a watermark. Time to don your radiation suit.
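The mechanism described above (a KDM that wraps the content key to one server's public key, and what a copied private key does to that guarantee) can be shown end to end in a short program. This is an added example, not GDC's, DCI's, or the author's code; it models the article's description with RSA-OAEP for the key wrap and AES-128-CBC for the content. The padding and hash choices, the server serials and the sample "reel" are assumptions constructed for illustration, not DCI's exact parameters (those are in the SMPTE 430-1 and 429-6 documents). It requires the `cryptography` package.

```python
"""Ghost No. 1 and Ghost No. 0, modelled with RSA-wrapped content keys.

Added illustration, not code from GDC, DCI or the article's author.
Assumptions: RSA-2048 with OAEP/SHA-256 for the key wrap and AES-128-CBC
with PKCS7 for the reel; real KDMs and DCPs use the SMPTE-specified
parameters, which differ in detail but not in structure.
"""
import os
from cryptography.hazmat.primitives import hashes, padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


class Server:
    """A playback server whose key pair is generated on the device itself."""

    def __init__(self, serial: str):
        self.serial = serial
        self._priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    def public_key(self):
        return self._priv.public_key()  # goes into the server certificate

    def unwrap(self, kdm: dict) -> bytes:
        """Recover the content key; raises ValueError if the KDM was not for us."""
        return self._priv.decrypt(kdm["wrapped_key"], OAEP)

    def export_private_key(self):
        """What a DCI-compliant server must NOT offer: the key leaving the boundary."""
        return self._priv

    @classmethod
    def ghost(cls, serial: str, stolen_priv) -> "Server":
        """A second box loaded with another server's private key (Ghost No. 1)."""
        g = cls.__new__(cls)
        g.serial, g._priv = serial, stolen_priv
        return g


def encrypt_dcp(reel: bytes):
    """Distributor side: encrypt one reel under a fresh random content key."""
    content_key, iv = os.urandom(16), os.urandom(16)
    padder = sym_padding.PKCS7(128).padder()
    enc = Cipher(algorithms.AES(content_key), modes.CBC(iv)).encryptor()
    body = enc.update(padder.update(reel) + padder.finalize()) + enc.finalize()
    return {"iv": iv, "ciphertext": body}, content_key


def make_kdm(content_key: bytes, target_pub, target_serial: str) -> dict:
    """KDM: the content key wrapped so only the target's private key can open it."""
    return {"target": target_serial,
            "wrapped_key": target_pub.encrypt(content_key, OAEP)}


def decrypt_dcp(dcp: dict, content_key: bytes) -> bytes:
    dec = Cipher(algorithms.AES(content_key), modes.CBC(dcp["iv"])).decryptor()
    data = dec.update(dcp["ciphertext"]) + dec.finalize()
    unpadder = sym_padding.PKCS7(128).unpadder()
    return unpadder.update(data) + unpadder.finalize()


def run_demo() -> dict:
    """Return which parties can recover the reel; True means playback/decrypt succeeded."""
    reel = b"constructed sample reel: not a real feature, just bytes to protect"
    dcp, content_key = encrypt_dcp(reel)
    legit = Server("SN-LEGIT-0001")   # constructed serials, not real devices
    other = Server("SN-OTHER-0002")
    kdm = make_kdm(content_key, legit.public_key(), legit.serial)

    results = {"legit": decrypt_dcp(dcp, legit.unwrap(kdm)) == reel}
    try:  # a different server, with its own key pair, cannot open this KDM
        other.unwrap(kdm)
        results["other"] = True
    except ValueError:
        results["other"] = False

    # Ghost No. 1: the legitimate server's private key copied into another box.
    leaked = legit.export_private_key()
    ghost = Server.ghost("GHOST-1", leaked)
    results["ghost_no1"] = decrypt_dcp(dcp, ghost.unwrap(kdm)) == reel

    # Ghost No. 0: no server at all; a laptop with the leaked key and the KDM.
    bare_key = leaked.decrypt(kdm["wrapped_key"], OAEP)
    results["ghost_no0"] = decrypt_dcp(dcp, bare_key) == reel
    return results


if __name__ == "__main__":
    for party, ok in run_demo().items():
        print(f"{party:10s} {'recovers the reel' if ok else 'cannot open the KDM'}")
```

Nothing in the KDM distinguishes the legitimate server from the ghost: the only thing the wrap binds to is possession of the private key, which is exactly why the 2016 DCI requirement that the key be generated inside the secure boundary and never be exportable matters. The `export_private_key` method is there to make the failure visible; a compliant design has no equivalent.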
Many people do not expect the Hollywood studios, who oversee DCI compliance, to take action in regards to this breach. It is much easier to do nothing, or remain in the background, than take visible action that will lead to consequences for others. But there will likely be consequences either way. The unidentified person from Sina.com had this to say (an excerpt):
This causes 5 billion in box office loss.
After investigation and arresting some guys, the Copyright Bureau and Ministry of Public Security trusted that the source is GDC. They use a ghost GDC server to decode the movies. They don’t protect the private key of the server, and in this way they have destroyed the DCI/SMPTE security.
We suggest that DCI investigate this and revoke the DCI certification to GDC.
Clearly, this person wants to see action from Hollywood studios. Importantly, the sender underscores the reliance on DCI security. In fact, when going through the many news articles linked below, one gets the sense that respect for intellectual property rights in China is on the rise. Conversely, another source indicates that, following the announcement, Chinese pride for GDC products appears to be dissipating. Not surprising given there was damage to Chinese-produced blockbusters during the most lucrative movie season of the year. The very real risk for Hollywood is for the Chinese government to shore up its emerging content industry by issuing its own security specification, forcing equipment manufacturers to comply. It would be a big step, but it is by no means impossible. Hollywood studios have a lot to think about.
What can be done? GDC may not be the only place where action is needed, but it is certainly the place to start. The difficulty is trusting information that is revealed. For GDC, the road to trust begins with an independent third party security audit. It may not be pretty. In all likelihood, some (possibly a lot of) product in the field will need to be replaced. The most extreme action would be to cut off all GDC equipment from receiving movies. There may be some filmmakers that choose to take such drastic action. My advice to GDC (and to be fair, to its competitors): when in crisis, the faster you act, and the more transparent you are, the better your long term outlook will be. Conversely, the more hidden you are, the more rumors you will encourage, and the worse your long term outlook will be. Digital cinema is not broken. However, a manufacturer that doesn’t take security seriously could be.
As long as there are RSA private keys in the wild and old servers to be found that can accept them, there is nothing to prevent Ghost No. 1 from being replicated elsewhere. And as pointed out, in the hands of more sophisticated pirates, there is no need for a ghost server at all. This is the point of DCI’s April 2016 requirement for secure generation of RSA keys: a server compliant with the revised spec generates its key pair inside the secure boundary and offers no interface through which the private key can be read out, so extracting it should require defeating the module’s FIPS 140-2 Level 3 tamper protections rather than exploiting a software feature. Servers developed prior to 2016 by manufacturers that put reputation first should already be protected the same way. But we have a lot more to learn about GDC.
I have many people to thank for their generous assistance in researching this article. I thank the two Patricks, Patrick von Sychowski and Patrick Zucchetta, for your encouragement in writing this. Thank you PVS, for your welcome edits. Thank you Patrick Zucchetta for sharing your insights and invaluable information, some of which I chose to not share because, as they say, we would have to shoot the reader. There are many others that asked to not be named and for whom I vouch that we never spoke. Thanks to each of you.
Links to additional information about the Ghost No. 1 piracy effort (Chrome browser recommended if not able to read Chinese):