UW Computer Security Research and Course Blog

Summary

FairPlay is an encryption scheme (DRM) developed by Apple to  prevent users from further distributing playable content to other users. It  has been cracked numerous times in different ways to create unrestricted/unencrypted versions of the content. The technology has since  been renamed “Hymn”.

Assets and Security Goals (from Apple’s perspective)

• Maintain sole ownership of content, content-distribution
• Control of users’ media-player choices (only works with iTunes)
  
• Keep customers satisfied with Apple, for sake of reputation and customer-base

Potential Adversaries

• Anyone who wants free music/video
• Hackers who dislike DRM restrictions on moral grounds, or just want the recognition for breaking DRM
• People hosting any media-distribution network that would benefit from having more content to distribute

Potential Weaknesses

• The original version of FairPlay would decrypt the song and load it in RAM, which was then readable and could be used to create a non-DRM version. (The user needed to already have the license.)
• The song always reaches some unencrypted form, since today’s hardware needs such a data stream
• Songs are encrypted on the client-side, so iTunes simulators allow users to buy the song online, but then fail to encrypt it as iTunes would do

Potential Defenses

• Encrypt files on the server-side before sending
• Obfuscate how iTunes downloading/buying occurs, so that developers cannot create fake iTunes programs like PyMusique that trick the server into thinking it is iTunes and sending over the unencrypted songs
• Update the encryption methods regularly, even before hackers break it, essentially beating hackers to the punch in the cat-and-mouse game being played – as long as the iTunes dev cycle is faster than the cracker dev-cycle for the corresponding update, Apple wins out
  

Risks

If users are able to purchase their music via iTunes or other programs and have it decrypted, they might migrate to other platforms, i.e. users could migrate to other media players. This could result in loss of revenue for Apple and lessen the number or user-computers on which their software is deployed. Furthermore, they could lose revenue if their music is decrypted and then shows up on bittorent sites or other distribution networks. Lastly, if typical computer-users ( which represent the majority of their client-base) become upset with DRM limitations, Apple will lose money as users switch to other technologies.

Conclusion

DRM continues to evolve and is getting more complicated, so that hacks too become more complicated. It is possible that eventually DRM will be unbreakable, particularly if encryption is maintained all the way through to hardware (as was mentioned recently as a possibility by one of our guest speakers). However, Apple and other DRM-developers should be careful not to aggravate their client-base with overly restrictive DRM.