Home media player software Kodi (formerly known as XBMC) has been found vulnerable to man-in-the-middle attacks that may jeopardize the security of home users, according to Bitdefender research.
Kodi is mostly used by those who want to build their own home media centers without investing in dedicated hardware or software. This open-source solution is compatible with a wide range of operating systems (Linux, OS X, Windows, iOS, and Android), and it’s the preferred choice for many enthusiasts.
Although Team Kodi, a group of volunteers located around the world, have successfully developed and maintained the software for years, we have analyzed Kodi from a security point of view and identified several attack scenarios based on man-in-the-middle attacks.
Team Kodi has been notified about the vulnerabilities found and they’re working on issuing patches. No time of release has been estimated.
Kodi features a set of add-ons that allows users to access popular services such as YouTube, Dropbox, Grooveshark, etc. Every time Kodi is launched, it automatically checks if installed add-ons have updates. When a new add-on version is found, it is automatically downloaded and installed. A pop-up notifies users that the add-on has been updated.
The add-on update check and communication is handled entirely over HTTP, with no encryption. Here’s the update process, step by step:
1. The software asks the md5 hash for the latest “addons.xml” file, containing information about add-ons, including their latest version numbers;
2. If the md5 of the latest “addons.xml” file is different than the one stored locally by Kodi, it requests the actual file;
3. The local versions of the installed add-ons are compared against the ones in the latest “addons.xml” file;
4. If a new version is available for an add-on, a request is made for the md5 of the latest add-on package;
5. The new add-on is downloaded, which consists of a zip archive containing Python modules and configuration xml files;
6. An md5 hash is obtained from the downloaded zip file and compared against the md5 received previously. If they match, the add-on is installed.
Because of the lack of encryption and authentication during the above process, an attacker who intercepts the network traffic can modify add-ons to execute code on the system Kodi is installed on. Specifically, when the request for the latest “addons.xml” md5 file is made, the attacker will send a random md5.
This doesn’t need to be the exact md5 hash for the file that will be sent, as it seems this is not verified. Afterwards, the attacker sends a crafted “addons.xml” file containing a higher version of a specific add-on he’s targeting. In the end, he will have to send the correct md5 hash for his add-on package and the actual zip archive with the malicious add-on. Once the add-on is installed, the attacker’s malicious Python code is executed.
What did we achieve?
On Windows, an attacker will have the same privileges as the user under which Kodi is running. We were able to download the executable and place it in the startup directory under the user with these privileges.
On OpenElec, (a Raspberry Pi Linux distribution with Kodi installed), we focused on retrieving sensitive user data. To this end, we modified the YouTube add-on to retrieve user credentials.
The official add-on uses the OAuth2 authentication method, meaning that no username or password need be entered into the add-on itself. We added a fake dialog to the add-on we sent – displayed at startup – asking the user to sign in with his YouTube credentials. The obtained credentials were sent to a remote site using a GET HTTP request.
Interestingly, although the legitimate YouTube add-on uses HTTPS for authentication, it doesn’t check if the certificate used for the communication is actually trusted. This can easily be observed when analyzing the add-ons code, as certificate validation is disabled.
All calls are made with “Verify=False”, meaning no certificate validation is triggered.
An attacker who intercepts network traffic can obtain the refresh token used for authenticating a device and, along with the client secret ID, which is hardcoded into the add-on, he can access content, such as private videos, from the user’s channel. This can be achieved without modifying any add-on – by only sniffing traffic. Because Kodi has its own Python package (the analyzed version has v2.7.8), other add-ons that don’t explicitly check the validity of the SSL certificate and rely only on checks made by utllib2 could be susceptible to this type of attack.
We have also modified the Dropbox add-on (Dbmc) so that each time the add-on is launched or it syncs files, it uploads all content from the local Dropbox directory to an FTP server of our choice. By default, the Dropbox add-on syncs only media files but, because the code can be modified, it can be forced to download all available files from the Dropbox account.
The problems described here rely on the lack of encryption and authentication when updating add-ons and not in the actual add-ons themselves. The lack of certificate validation in the YouTube add-on is an entirely different problem.
Our research has shown that not only a man-in-the-middle attack would be successful, but also that it doesn’t take impressive skills to pull it off. Implementing a secure communication channel for any application that connects through the internet to any server or marketplace should become a standard. Otherwise, any information passed back and forward could easily be tampered with by anyone eavesdropping.
The implications of the lack of encryption or strong authentication methods could potentially involve a complete takeover of the targeted machine or the loss of critical and sensitive user data (e.g. passwords, files).
Note: This article is based on technical information provided courtesy of Bogdan Timofte, Bitdefender Researcher.