Hollywood exposed by software bugs

Hollywood studios could be exposed to serious intellectual property theft via basic vulnerabilities in the software used by the likes of director James Cameron and CGI house Lucasfilm to produce blockbuster hits such as Iron Man 2, Avatar and Star Trek.

A security consultant at Security-Assessment.com, Nick Freeman, was interested in exploring the holes that exist in the production process of his favoured form of entertainment, including software used to perform a range of tasks such as script writing, story boarding, CGI, rendering and editing.

In a simulated demonstration at the Ruxcon conference in Melbourne yesterday, Freeman showed how an end-to-end attack could provide access to a post-production film file.

"I took a wide sample, cast the net really wide to see how easy it is to find bugs in [the] film-making process," Freeman told ZDNet Australia. "And it was really easy."

"The bugs I've shown, if you chain them together to exploit different people with access to different parts of the network, you could be able to get to the end point."

After downloading software he identified bugs and found most could be easily exploited by corrupting the application's memory and forcing it to run code.

"A rudimentary bug like memory corruption vulnerability has been around forever and is well documented since the early mid-90s. It's definitely not new attacks, there's no mad ninja skills, pretty basic stuff.

"I took on this project as a way to broaden my skills in exploiting memory test applications and to learn something new, but everything I found here is at a beginner's level of exploitation.

"I can understand not having security awareness, but it shouldn't be this easy."

Starting with script writing software, Final Draft versions earlier than 8.02, to gain a foothold in the corporate network, he showed how other networks further along the production cycle could be compromised by exploiting similar vulnerabilities in StoryBoard Quick 6, as well as CGI applications Maya and Houdini.

To run the exploit requires some social engineering, but it would be easy to convince non-tech workers, like script writers and story board developers, to open a malware-loaded file.

"You can send a file in format they're used to like Final Draft or Quick 6, something [they] won't treat as suspicious: they're much more likely to open it.

"You could send an email and say 'here's my new script, check it out, it's really good, I'm sure you'll like it', or even spoof it and say, 'I'm James Cameron here's my latest script'."

At later stages, rendering software App Muster and editing software Avid could be exploited remotely, he said, and doesn't require anyone to open a file.

He notified the vendors and, while some responded positively and patched the bugs, there was silence from the developers of Avid and StoryBoard Quick 6, which scored -1/5 and 0/5, respectively, in Freeman's ratings.

Reporting the bugs to Avid was like going on a merry-go-round, he said, as he was transferred from the application security team to the director of product development and then finally ending up at reception. The bugs remain unfixed in three subsequent version updates.

"Most of the vendors are saying, 'this isn't meant to be run on an untrusted network, it's only meant to be run on a trusted network away from all the bad guys. We know it's insecure but it's meant to work, leave it alone'.

"All these vendors have focus on great functionality and great features and the process to meet those deadlines, and with that focus security falls off the radar."

Admittedly, studios use protections such as honeypots, watermarks and monitor networks for unusual traffic, but he said there are too many holes across the production cycle to completely stop all attacks.

The attacks were all simulated and not targeted against any studios and all advisories and exploit code will be released in future.

Avid didn't confirm the existence of the bugs or whether they had been patched, but Avid director of product management David Colantuoni admitted no software was perfect.

"While no software is 100 per cent perfect we strive for excellence in both feature development and to ensure our customers can use their software with the utmost confidence.

"We have a customer problem escalation process and encourage our customers to report issues so that we can properly triage the issues and resolve them as necessary.

"Avid uses modern best practice design and engineering principles in the development of our software. We also follow 'Gold Disk' certification principles for our software to be used by the US Government."

StoryBoard's creator PowerProduction Software was contacted for comment, but had not responded at the time of publication.

Updated at 10:11am 24 November 2011: added comment from Avid