
My company has signed up for Amazon Prime to watch some videos. They were asked to enable Amazon Prime DRM. Will this open up a security hole in our LAN?

I am worried that they could start scanning everything. I can't find any real information about what Amazon Prime DRM does or how it actually works.

ISMSDEV
theakson

2 Answers


My understanding is the DRM element needs to be able to make an outbound connection and allow a returning reply. I do not believe this causes any more of a vulnerability than any other similar service.

ISMSDEV

I don't know much about Amazon Prime DRM, but I am familiar with DRM in general.

DRM requires two things:

  1. The ability to access a licensing server to obtain a decryption key for the protected content. The licensing server enforces the business rules, e.g. ensures that you have the necessary rights and that your playback period hasn't expired/your playback counter isn't exceeded/you haven't used too many devices.

  2. The ability to validate the output path. This aspect of DRM is known as Protected Media Path. Without it, a user could supply his or her own video/audio "driver" that captures the decrypted content and stores it for later, unprotected use.

The first requirement is a slight worry. In accessing the licensing server, the licensing client may also access other resources, e.g. validating the chain of trust to authenticate the server, and checking certificate revocation lists. This is all pretty standard stuff that your web browser does every day. But a DRM client must also be able to uniquely identify the machine on which it is running (e.g. to make sure you are viewing the video on up to five devices but not six). This is sometimes done with hardware fingerprinting, e.g. getting your CPU's or GPU's serial number, your computer's MAC address, that sort of thing. A scan of this type requires low level O/S access so potentially the client could be looking at other things that you may not suspect. It would be highly unusual for it to look at network resources, though.

The second requirement definitely requires some pretty low level system access, but it may be gated by your operating system's APIs. If you're curious how it works on Windows, here is some design collateral. Essentially the client will send a request to the O/S to provide a handle to an output device that the O/S guarantees is valid; the O/S is responsible for validating that all the involved DLLs belong to a known publisher (e.g. check their signatures). If the client goes through the API, the O/S is doing the dangerous work, so the additional risk provided by the client itself is very small. This by the way is why it is so hard to get Amazon video to work on Linux.

Amazon is a pretty big company and it would be a massive scandal if it were collecting personal or proprietary information from its clients, so overall I would not worry about this too much, unless you work with extremely sensitive information, such as nuclear secrets.

John Wu
  • Thank you @JohnWu, really helpful answer, and I appreciate you taking the time. I am a little worried about the MAC address issue and will look into it closely. I might even just shove the viewing machine into the DMZ and just keep flushing it. As to the nuclear secrets issue, I protect far more valuable, my wife's photo collection :-) – theakson Jun 30 '17 at 21:59
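
One way to check the question's concern against what the answers expect (outbound license, CDN and revocation traffic only, nothing aimed at the LAN) is to audit flow records from the viewing machine. This Python sketch is an added example, not part of the original posts; the record format, addresses, allowlist and threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records for a viewing machine assumed to be 10.0.5.20.
# Format (assumed): "timestamp src dst dport proto". Not from a real DRM client.
SAMPLE_FLOWS = """\
2017-06-30T21:00:01 10.0.5.20 10.0.5.1 53 udp
2017-06-30T21:00:02 10.0.5.20 203.0.113.10 443 tcp
2017-06-30T21:00:03 10.0.5.20 198.51.100.7 80 tcp
2017-06-30T21:00:09 10.0.5.20 10.0.1.15 445 tcp
2017-06-30T21:00:09 10.0.5.20 10.0.1.16 445 tcp
2017-06-30T21:00:10 10.0.5.20 10.0.1.17 445 tcp
2017-06-30T21:00:10 10.0.5.20 10.0.1.17 3389 tcp
"""

# RFC 1918 and link-local space, i.e. "our LAN" for the purpose of this audit.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# Internal destinations the viewer legitimately needs (assumed: its DNS resolver).
ALLOWED_INTERNAL = {("10.0.5.1", 53)}
# Distinct unexpected internal (host, port) targets treated as scanning (assumed).
SCAN_THRESHOLD = 3


def audit_flows(text, viewer="10.0.5.20"):
    """Return (public_ports, internal_hits, scanning) for flows sent by viewer."""
    public_ports = defaultdict(set)   # dport -> public destinations (license, CDN, CRL)
    internal_hits = set()             # unexpected (dst, dport) pairs inside the LAN
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                  # skip malformed records
        _, src, dst, dport, _ = parts
        if src != viewer:
            continue
        try:
            addr, port = ipaddress.ip_address(dst), int(dport)
        except ValueError:
            continue                  # skip unparsable address or port
        if any(addr in net for net in LAN_NETS):
            if (dst, port) not in ALLOWED_INTERNAL:
                internal_hits.add((dst, port))
        else:
            public_ports[port].add(dst)
    return dict(public_ports), sorted(internal_hits), len(internal_hits) >= SCAN_THRESHOLD


if __name__ == "__main__":
    print(audit_flows(SAMPLE_FLOWS))
```
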