[ISN] iTunes wireless music streaming cracked

From: InfoSec News (isn@private)
Date: Fri Aug 13 2004 - 10:02:39 PDT


http://www.newscientist.com/news/news.jsp?id=ns99996282&lpos=home1

Will Knight
13 August 04 
NewScientist.com news service 

Apple's wireless streaming technology for iTunes has been cracked to
allow it support non-Apple software platforms.

Norwegian computer programmer Jon Johansen released a program called
JusteForte that defeats the encryption used on Apple's Airport Express
on Thursday. Johansen was made famous in 1999 for breaking the
encryption used in software called CSS that prevented DVD copying.

Airport Express is a small base station that wirelessly connects a
computer to the internet or to a local network. It also has an audio
socket that can be used to link a computer to a conventional stereo or
pair of speakers. This allows music stored digitally to be played
remotely.

Until now, however, this feature has only been compatible with Apple
computers and an add-on for Apple's iTunes audio software called
AirTunes.


Encryption algorithms

Johansen figured out the secret encryption key used to secure the
wireless link between a computer and an Airport Express base station
and lock other systems out. His program, JusteForte, uses this key to
send MP4 digital audio files from a Windows computer to an Airport
Express base station.

Johansen has also published the encryption key online, opening the way
others to design software that can access the base stations. He says
Airport Express uses a combination of two encryption algorithms AES
and RSA. But precisely how Johansen succeeded in cracking the key is
unclear.

Cryptographic algorithms encode information by jumbling it up using
mathematical formulas and a key consisting of a string of characters.  
Both algorithms have stood up to extensive testing, so Johansen is
likely to have found a weakness in the way these algorithms are
implemented rather than the algorithms themselves.

"There are lots of ways to break an encryption system," says Bruce
Schneier, a renowned cryptography expert. "The lesson is that it's
hard to do."


Software update

Schneier told New Scientist Apple could change the key Airport Express
uses via a software update, but that Johansen would probably be able
to obtain the new key using the same undisclosed method.

Schneier also defends Johansen's actions explaining that he is it is
important to test the security of any system. "It's interesting
science," he says. "He does it because that's how you learn and we are
more secure because he does it."

Apple declined to make any comment when contacted by New Scientist.

In 1999 Johansen co-authored a program called DeCSS, which defeats DVD
encryption, making it possible to play DVDs on any computer and copy
movies. He was accused of enabling copyright infringement and taken to
court in Norway but acquitted following two court cases that took
place in December 2003 and January 2004.

Apple has been beset by assaults against its proprietary music
technology. Johansen has released two other programs designed to
defeat the copy controls implemented by iTunes, called Fairplay and
FairKeys.

And, In July 2004, competitor RealNetworks developed a way for songs
bought through its Harmony music service to play on iPods. Apple
designed the iPod to play only songs bought through the iTunes store,
as well as those created by users themselves.
 
 

_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Fri Aug 13 2004 - 11:41:53 PDT