Pirated 4K Version of ‘Aquaman’ May Reveal a tvOS Security Hole

The appearance of a pirated 4K version of the movie Aquaman has led to speculation that Apple may have a security weakness somewhere within the tvOS operating system used on its Apple TV set-top box that hackers have been able to exploit to crack the digital rights management (DRM) protection on the 4K movies sold available from the iTunes Store.

A new report on TorrentFreak points to the high-quality pirated copy that appeared on torrents yesterday in Web-DL format, labelled in such a way as to suggest that it came from Apple’s iTunes movie store — one of the very few places where the newly released movie is currently available in 4K.

In fact, the timing also points to iTunes as the likely suspect, since the pirated versions of the movie appeared online very shortly after it went on sale on the iTunes Store. While other major streaming and download services such as Netflix and Amazon are also often the sources of piracy, Aquaman has not yet been released in 4K on those services. A 4K version of the movie is now also being sold on Vudu, but this appeared only after the pirated version had already been uploaded.

The appearance of the 4K title has sparked a fair bit of excitement among the torrent community, since if iTunes 4K encryption has in fact been cracked, it could open the floodgates to a lot more high-resolution content appearing on pirate sites.

How This Points To The Apple TV

What’s particularly interesting about this is the fact that Apple still restricts access to its 4K content library to its latest Apple TV 4K set-top box — much to the chagrin of owners of 4K and 5K equipped iMacs, which are limited to playing only the 1080p versions, despite their ultra-high-resolutions screens.

Apple has 4k only on Apple TV running tvOS. I assume they skipped checks, if the device is jailbroken, and someone just dumped the encrypted stream and decrypted it via what’s in memory as keys.

This means that in order to get access to a 4K video stream from iTunes — even in encrypted form — hackers would need to either compromise or impersonate an Apple TV running tvOS 11 or later. An anonymous source who spoke to TorrentFreak suggested a possible vulnerability in tvOS, which can still technically be jailbroken. It’s also conceivably possible that hackers were able to digitally impersonate a tvOS device by supplying the necessary keys and credentials to make the iTunes Store think that it was sending the stream to an Apple TV 4K. However, the resulting stream would still need to be decrypted, which would require some level of reverse-engineering of the encryption keys and algorithms within an Apple TV — much of which relies on identifiers burned into the device’s hardware as well.

Did It Really Come From iTunes?

Even the report on TorrentFreak suggests that it’s too early to assume that this came form iTunes. Some have already suggested that the release could be mislabelled — either intentionally or mistakenly — but the lack of wide 4K availability suggests few other possible sources, although it’s impossible to rule out a leak from somebody inside the movie or streaming industry, who may have deliberately mislabelled the release to implicate iTunes rather than something like a stolen 4K Blu-ray disc or a digital version that’s already been staged internally on another streaming service such as Netflix. However, TorrentFreak also notes that the content has been posted by “reputable sources who are certainly now known for making stuff up.”

Either way, the torrent community shouldn’t be getting its hopes up. If iTunes is in fact the source of the leak, we can be certain that Apple is already aggressively working to scope out and close the vulnerability; the company’s deals with the movie studios make it mandatory for such holes to be addressed very quickly, and it’s Apple’s reputation for dealing with these issues that has allowed it to remain in a favoured position when it comes to striking deals for leading-edge content such as new 4K releases.