Kiwi pen tester hacks Hollywood

A New Zealand penetration tester has found video editing software vulnerabilities that could allow malicious hackers to inject frames in major Hollywood films.

Motivated by a colleague's attempt to assess vulnerabilities in scientific software, Nick Freeman told iTnews he began dissecting software used in the gamut of process for some of Hollywood's most popular films - from script writing to post-production - find their vulnerabilities.

The pen tester, who works for Dimension Data subsidiary Security-Assessment.com in Auckland, found that although no single software vendor controls the end-to-end process of film-making, "every part of the process has software that is vulnerable".

He found most software fell to vulnerabilities within six hours of installation, with only a few test subjects managing to avoid complete failure.

Once a vulnerability was found, Freeman contacted relevant engineers and executives at the companies to notify them of the bug and provide help on fixing the vulnerability. He scored them based on their helpfulness and willingness to help.

But worst of the lot was also one of the biggest.

Nick Freeman ranked non-linear editing software vendor Avid the worst of the bunch in addressing and fixing vulnerabilities.

Avid software was used in several major films including Iron Man 2, Avatar and Star Trek. Freeman was able to compromise a vulnerability in a recent version of its Media Composer suite within an hour of installation.

Freeman discovered a remote listening service in the editing software allowed him to overflow network requests, crashing the software.

While the vulnerability itself was not necessarily important, he said ensuing discussions with the vendor - one of the few tested to have a dedicated security team - proved fruitless.

"It was far too easy to exploit," he said.

"There have been two updates since then but the vulnerabilities are still there. I don't know if they'll ever get around to patching it."

None of Freeman's exploits were available to a remote user but it is believed similar bugs have been used in recent years to gain access to film footage prior to release.

Most were exploitable due to "fundamental programming issues that have been around for a long time".

"The first tutorials on how to exploit these things came out in the 90s - this is nothing new," Freeman said.

"The vendor's main goal I guess is to have products with extensive functionality and with strict deadlines, and security falls off the road map in the process."