The AACS Licensing Administrator says several movie titles would be at risk; however, the group says that the integrity of the digital-rights management system remains intact, and the incident is under investigation for possible legal action.
The AACS LA confirmed Web reports that the hacker identified as "muslix64" took advantage of a flaw in a PC software player to obtain the decryption keys for several movie titles. With the keys, the hacker could copy the movie titles, whether they are in Blu-ray or HD DVD formats.
Nevertheless, Michael Ayers, chairman of the business group for AACS LA, said the organization's Advanced Access Content System remained uncompromised, because the flaw was in the player, and not the system itself. "This is an attack on a particular software implementation (of the AACS)," Ayers said. "It's a serious issue, but it does not undermine the value of the technology itself."
The keys discovered by the hacker only apply to the related movie titles, and can't be used universally on any AACS-protected film, Ayers said. The Licensing Administrator was working with the software maker, who was not identified, to patch the player. The Hollywood studio distributing the movies could also choose to change the keys in subsequent prints.
The AACS did not identify the studio involved. One of the compromised movies reportedly was director Peter Jackson's remake of King Kong, which is distributed by Universal Pictures.
In the AACS LA's view, hacking its licensed technology is illegal, and the organization could decide to seek charges against the hacker. "We're exploring our response, technologically and legally," Ayers said. "We will take all appropriate action, including legal action."
While the recent hack apparently left the AACS intact, the question remains whether the incident was an incremental step toward a potentially major break-in of the system. Ayers played down that scenario. "It's impossible to predict the future, but the technology was designed to deal with these one-off attacks," Ayers said. "We can repair breaches and pick up and move on as usual."
"I don't think we're looking at an imminent or major break, because one guy found something," Ayers said. "If that [software] vulnerability hadn't been there, then he wouldn't have been able to do anything."
While the digital keys to unlock the system are not published, the specs of the system are publicly available, Ayers said. So anyone who gets the keys could figure out how to decrypt a movie and copy it.
In an interview with the tech news site Slyck, the alleged hacker, who called his act "fair use enforcement," said he exploited the software flaw on Dec. 26 because he wasn't able to play the movie on any device he wanted. "Not being able to play a movie that I have paid for, because some executive in Hollywood decided I cannot, made me mad," he said.
While acknowledging he didn't crack the AACS protection itself, the hacker said his feat was still significant. "People say I have not broken AACS, but players. But players are part of this system. And a system is only as strong as his weakest link."
The AACS LA is a cross-industry alliance whose founding members are IBM, Intel, Microsoft, Panasonic, Sony, Toshiba, Walt Disney, and Warner Bros.