Hacker Drills Hole in iTunes Security Blanket

Apple Computer lured millions of PC users into its online music store when it released a version of its popular iTunes software for Windows, but it also attracted a less savory element — hackers.

Just 10 days after the release of “WinTunes,” a crafty codesman at Trinity College began distributing MyTunes, a program that turns the Apple software into a peer-to-peer pirate ship a la Kazaa, Grokster, Morpheus and BearShare.

And now a hacker of some repute — Jon Lech “DVD Jon” Johansen, who at 15 invented DeCSS, a program that defeats the encryption scheme for DVD movies — has unleashed QTFairUse, an application that can extract the contents of digitally-protected files, such as the DRM AAC files sold at the iTunes store, as they’re played through Apple’s multimedia player QuickTime.

Intercept and Strip

Andrew Orlowski, writing for The Register, explained that Johansen has written a simple command-line utility that installs a type of system file — called a DLL — that can dump the output of a QuickTime stream directly into a separate file without bringing along copyright protection.

The idea is that the application intercepts decrypted AAC data from QuickTime after authorization has taken place and outputs raw AAC data stripped of digital rights management (DRM) protections.

“These output files, however, are unplayable in their raw form in most players,” a bulletin at MacRumors.com said. “The reason for this is that these files represent the true ‘raw’ AAC data that has been passed through to QuickTime to play. All header information has been removed.”

To create playable files from the raw data, a user would have to package the files to add the appropriate MPEG headers. But the stripping application does work as suggested — removing DRM from protected AAC files, “although it is not of any practical use in its current form,” said the bulletin on MacRumors. The next step for hackers, then, would likely be to develop an application to automate the creation of the appropriate headers so the extracted files could be played anywhere.

Not a Damper?

Apple’s offices are closed for the week of Thanksgiving and no one from the company was available for comment on QTFairUse.

Johansen’s latest escapade won’t put a damper on the online pay-per-tune business, asserted Tim Deal, a senior analyst with Technology Business Research, a market research firm in Hampton, New Hampshire. “These types of incidents are isolated,” he told TechNewsWorld. “With the ease of download and the low cost for these music distribution sites like iTunes, very few people are going to exploit these weaknesses before Apple is able to respond and make their code more secure.”

Although activity from hackers like Johansen might appear simply to be a nuisance, Deal asserted that Apple might benefit from the mischief. “These hackers keep Apple honest by making its developers write more effective code, more effective security for their programs.”

No Tears Shed

If enthusiasm for the pay-per-tune business were dulled by hackers, no tears would be shed in some corners of the Internet.

“We don’t think that digital rights management is a good deal for consumers,” Greg Bildson, COO of the online file-sharing service LimeWire, told TechNewsWorld. “Paying 99 cents for digitally restricted songs robs the consumer of usability. DRM will always be a target for hackers.”

“We support open systems that don’t hide anything from the user and don’t place artificial restrictions on what an Internet user can do,” he added.

Arms Race Continues

Those kinds of restrictions can only lead to an arms race between hackers and the watchdogs of digital rights, argued Wayne Rosso, CEO of Madrid, Spain-based Optisoft, developers of Blubster, Piolet and MP2P Technology.

“This incident clearly highlights the fact that any technology can be hacked,” he told TechNewsWorld. “I think that the record companies know this, but figure that all they want to do is put speed bumps in the way of the general public.” Once again, he said, this leads to an arms race.

“I’d just like to know what it would take for these guys to finally see the light and agree to a licensing scheme that would give everybody what they wanted — the user experience that still feels ‘free,’ a reasonable sum for artists and content owners, and untethered files,” he said.


More by John P. Mello Jr.