Session
Fahrplan 34C3
Security

MQA - A clever stealth DRM-Trojan

A critical look at a new audio format
Saal Dijkstra
Master Quality Authenticated (MQA) is a new audio format promising studio sound at home and no DRM. We take a critical look at both the sound-quality aspects and the DRM story of MQA.

Master Quality Authenticated (MQA) is an audio format introduced in 2014 promising to deliver studio sound at home.

Marketed aggressively, mostly to audiophiles, two claims are central to MQA: no DRM, and better sound through “deblurring temporal inaccuracies” introduced by ADCs and DACs in the signal chain.

MQA is backed by the three major labels Warner, Universal and Sony, and is supported by a number of indie-label rights agencies as well as by the Recording Industry Association of America.

Rollout started in 2016, and at IFA 2017 the major labels asserted their backing for the format. The streaming services Tidal, Deezer and Pandora, as well as Groovers (Korea), 7digital and HDmusicstream, offer MQA streaming at a higher price point than their regular offerings (20 per month instead of 10).

Companies like Onkyo, Pioneer, Sony, Rotel and NAD offer hi-fi products supporting MQA, and some smartphone makers like LG have incorporated it too.

MQA consists of a container format and a licensing regime for audio DACs.

MQA files will play on any Red Book-capable device and can be freely copied. The lowest bit of each sample is used to store compressed spectral content above 24 kHz plus a control bit.

If an MQA-licensed DAC detects an MQA file, it will “unfold” the high-res content and turn on a blue light on the DAC.

A lot of effort for switching on a blue light ;)
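As an added illustration (not code from the talk, and not MQA's actual, proprietary scheme), the following Python models the container idea described above: a PCM stream whose lowest bit is repurposed to carry a control bit plus a side channel, which a legacy player reproduces with at most one LSB of error while an aware decoder recovers the hidden bits. It also puts a number on the dynamic-range cost of giving up that bit. The tone generator and the payload bytes are constructed sample input.

```python
"""Conceptual model of a 'side channel in the least-significant bit' audio container.

Added illustration only: the real MQA format is proprietary and undocumented.
"""
import math

BITS = 24                         # 24-bit signed PCM, as used for hi-res masters
FULL_SCALE = 2 ** (BITS - 1) - 1  # largest positive sample value


def make_tone(n_samples, freq_hz, rate_hz=44100, amp=0.5):
    """Constructed sample input: a sine wave in 24-bit signed integer PCM."""
    return [int(amp * FULL_SCALE * math.sin(2 * math.pi * freq_hz * i / rate_hz))
            for i in range(n_samples)]


def embed(samples, control_bit, payload):
    """Overwrite each sample's LSB with the side channel: control bit first, then payload bits."""
    stream = [control_bit] + [(b >> s) & 1 for b in payload for s in range(7, -1, -1)]
    if len(stream) > len(samples):
        raise ValueError("payload does not fit into the LSB channel of this many samples")
    out = list(samples)
    for i, bit in enumerate(stream):
        out[i] = (out[i] & ~1) | bit   # clear the LSB, then set it to the side-channel bit
    return out


def extract(samples, n_payload_bytes):
    """What an aware decoder does: read the control bit, then reassemble payload bytes from LSBs."""
    if len(samples) < 1 + 8 * n_payload_bytes:
        raise ValueError("not enough samples to hold the requested payload")
    control_bit = samples[0] & 1
    bits = [s & 1 for s in samples[1:1 + 8 * n_payload_bytes]]
    payload = bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
    return control_bit, payload


def max_legacy_error(original, embedded):
    """Error seen by a player that ignores the side channel: never more than one LSB."""
    return max(abs(a - b) for a, b in zip(original, embedded))


def dynamic_range_db(bits):
    """Theoretical quantisation dynamic range of an n-bit PCM word, about 6.02 dB per bit."""
    return 20 * math.log10(2 ** bits)
```

Giving the LSB to the side channel leaves 23 bits for the audio itself, so `dynamic_range_db(24) - dynamic_range_db(23)` is the roughly 6 dB the legacy listener loses.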

This talk will scrutinize both the DRM regime of MQA and the sound-quality narrative.

In the context of the latter we will look at MQA's assertion that the Shannon-Nyquist theorem is inadequate for audio sampling, as it purportedly introduces “temporal inaccuracies.” MQA claims to have incorporated “new psychoacoustic research” and to have advanced beyond Shannon-Nyquist in sampling theory. The exact nature of these innovations remains unclear, as the MQA technology is proprietary and no independent third-party research is available.

We will discuss these claims and show the status of the numerous MQA reverse-engineering efforts. So far it is known that MQA is PCM-based, uses minimum-phase filters and lossy compression for parts of the spectrum. It also lowers the available dynamic range and exhibits no behaviour that substantiates any of the claims made in the marketing material. Still, MQA has at least managed to get the almost unequivocal support of the audio press, while at the same time being hotly debated online.

With regard to the DRM aspect we will look at the marketing strategy of MQA and show how the company has so far successfully controlled the narrative by narrowing the understanding of DRM to copying. The MQA DRM uses both symmetric encryption and a PKI component to authenticate files and devices. The DRM involves a clever mix of permissive licensing towards behaviour like copying while discriminating access by level of quality.

Here we will discuss to what extent such a licensing design might be a model for future DRM deployments and marketing.

Finally, we will discuss the systemic dimension of MQA in the context of music streaming and control over assets like content, playback devices (DACs) and licenses. With the platforms controlling the streaming market and the playback devices (iPhone, Amazon smart speakers etc.) on the one side, and the record companies owning the content on the other, MQA appears to be an attempt to establish licensing leverage for the content owners.

Additional information

Type: lecture
Language: English
