Kodi: Users can be hacked through subtitles

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy policy

Kodi has urged users to download a new update after security researchers discovered a vulnerability that could allow hackers to take over people’s devices.

The issue is an unusual one, which allows criminals to attack Kodi users through subtitles.

Millions of people are believed to be at risk, and they don’t need to have done anything wrong in order to be targeted.

Check Point, which discovered the issue, has described it as “one of the most widespread, easily accessed and zero-resistance” vulnerabilities reported in recent years.

“By conducting attacks through subtitles, hackers can take complete control over any device running them,” the company says. “From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device.

“The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

Subtitles are perceived as “benign text files”, allowing this particular attack vector to go unnoticed by users and antivirus software alike.

Kodi was alerted to the issue before Check Point made its announcement, and has had time to create a fix.

“Our developers fixed this secuity [sic] gap and have added the fix to this v17.2 release,” Kodi has announced.

“As such we highly encourage all users to install this latest version! Any previous Kodi version will not get any security patch.” Users can download the latest version of Kodi here.

The open-source software is legal, but add-ons created by third parties can let people use it for access to illegal streams for sports events, TV shows and films.

Check Point says the same issue affects the VLC, Popcorn-Time and strem.io streaming platforms too. All three have issued fixes too, which can be accessed through Check Point’s blog.

“Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are loaded by the user’s media player,” the company explains.

“These subtitles repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker’s malicious subtitles a high score, which results in those specific subtitles being served to the user.

“This method requires little or no deliberate action on the part of the user, making it all the more dangerous.”