Worst DRM scheme ever? Sony BMG CDs install unremovable hidden software that leaves users

Samuelson Law, Technology & Public Policy Clinic, November 05, 2005

Abstract: It was a cold day for music lovers when security experts discovered that recent CDs released by Sony BMG Music Entertainment contain a DRM scheme that threatens to compromise the security of consumers’ computers. The DRM scheme is enforced by the automatic installation of a software program the first time a user inserts one of the protected CDs into a computer. Unfortunately, the poorly executed software leaves a significant security hole on users’ computers that may be exploited by malicious programs, and is difficult to remove because it employs methods similar to those used by spyware and other malicious software to thwart detection and removal. Removal of the software, provided that a user actually manages to figure out how, disables the CD-ROM drive on the computer. After much outcry, Sony BMG has released a “fix”; however, questions linger as to the software update, which does not actually remove the DRM software.

As if the music industry’s persistence in pursuing DRM schemes isn’t already bad enough for consumers and fair use rights, Sony BMG Music Entertainment, the newly merged record behemoth with 25% of the global music market, has ratcheted up the stakes by releasing CDs that install hidden software on users’ computers to enforce its DRM scheme. Unfortunately, the software also opens a gaping security hole on users’ computers, and is extremely difficult to remove by end users. It’s winter time for those who love music, at least those who love corporate rock.

Unlike traditional audio CDs which may be played on a computer using a variety of music playback software—including popular applications such as WinAmp, iTunes, or Windows Media Player—consumers must use a proprietary player to listen to a Sony BMG CD. When a Sony BMG CD is inserted, the user is greeted by an End User License Agreement (EULA) which the user must accept before the player appears. The player that appears then subjects the user to various use restrictions. For instance, the user is allowed to make only three copies of the CD, and if the user wishes to “rip” the CD into encoded song files to listen on a computer or portable media player, he has only the options of copying the songs in either Microsoft’s proprietary WMA or Sony’s proprietary ATRAC formats. Neither format is compatible with Apple’s popular iPod players.

More nefarious than the use restrictions themselves is the technical implementation of the DRM scheme. The DRM scheme installs what in techie parlance is called a “rootkit,” which is a set of technologies that alter some of the basic inner workings of a computer operating system in order to cloak the presence of a particular program. The software then runs continually in the background, hidden from view, taxing system resources even when a user is performing tasks on his computer only than listening to Sony BMG CDs. Such techniques are commonly used by spyware, viruses, and other malicious software (“malware”) to thwart detection and removal. As a result, most users are unlikely ever to notice the software running on their machines, and those who do notice it face extreme difficulties in attempting to remove it. The software does not come with an uninstall command, nor does it appear in the “Add or Remove Programs” feature of Windows. In fact, removing the software even has adverse consequences beyond the inability to listen to corporate rock on one’s computer—a number of users have reported that removal of the cloaked files disabled their CD-ROM drives. Users who remove the DRM software may also be potentially subject to legal consequences under 17 U.S.C. § 1201(a)(1)(A), the anti-circumvention provision of the Digital Millennium Copyright Act.

On top of its intentionally malware-like technical features, the DRM software also inadvertently introduces vulnerabilities into users’ systems. The software implements its cloaking feature in part by instructing the operating system to hide file and processes with names beginning with “$sys$” as a prefix. The implication is viruses and other malicious software named in accordance with this convention would be virtually undetectable on computer systems running the Sony BMG DRM software. Such a scenario is not mere speculative fancy—hackers have already utilized the DRM scheme to run “cheat” software for the “World of Warcraft” online role-playing game to give a player enhanced capabilities within the game. The DRM’s cloaking technology allows gamers to run unauthorized applications without detection by the game’s anti-cheat detection tool. Although perhaps a relatively innocuous example, the fact remains that the DRM scheme leaves users’ computer open to exploitation.

In response to mounting criticism, Sony BMG has issued public statements denying that its DRM scheme is malware or compromises security, and also pointing out that the EULA of its CDs indicates that “a small proprietary software program” would be automatically installed on a user’s computer. However, the language of the EULA is vague and does not reveal the security risk posed by the software, that it would continue to run in the background as a user conducts his normal business on his computer, or that the software would be difficult to detect or remove.

Sony BMG has also released a software update said to remove “the cloaking technology component” of the DRM scheme; however, the fix does not remove the DRM scheme itself, but rather appears to install new components. In now typical Sony BMG fashion, the literature accompanying the software update provides no details as to what it would actually do to a user’s computer. In the view of Sony BMG, apparently, the way to save the music industry is by punishing those consumers who actually still buy its CDs.

A detailed technical discussion of the Sony BMG DRM scheme: http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

Sony’s FAQ: http://cp.sonybmg.com/xcp/english/updates.html

Chilling Effects Clearinghouse - www.chillingeffects.org

Chilling Effects Clearinghouse page printed from: https://www.chillingeffects.org/fairuse/weather.cgi?WeatherID=526