- Fotolia

How can hackers use subtitle files to control endpoint devices?

New media player vulnerabilities have been exposed that enable hackers to use subtitle files to control devices. Expert Judith Myerson explains how this happens.

Vulnerabilities in various media players enable hackers to use subtitle files to control devices. How is this possible, and have the media player vulnerabilities been patched?

In order to control a device via subtitle files, an attacker crafts a malicious subtitle file that opens the door to remote control of a victim's PC, smart TV or mobile device.

With a couple of clicks, an attacker can upload the malicious file in any subtitle file format to an online repository. The ranking algorithm is then manipulated to ensure that the malicious files get higher ratings than the legitimate files, which are then downloaded to a media player.

As soon as the media player opens, the victim unknowingly loads subtitle files from a repository that is treated as a trusted source. Before displaying the subtitles on the screen, the media player parses the infected files. While this is common, the method of downloading subtitle files varies from one media player to another.

For example, Popcorn Time lets a victim choose a movie over the internet and, while playing the movie, the victim unknowingly loads malicious subtitles. The attacker then remotely opens the command prompt screen and waits for the connection to occur. Upon a successful connection, the attacker gains full control of the victim's endpoint device.

Another approach is exhibited through Kodi, as it lets the user select a movie from a given library. If the library is maliciously or legitimately empty, the victim is asked to populate it with personal media. After playing the media, the player then asks the victim to choose and download subtitles from After waiting a certain amount of time, the attacker takes over the victim's device.

In addition to running on popular platforms, Kodi can be installed on a Raspberry Pi or Amazon Fire TV Stick. Likewise, VLC can capture DirectShow body-worn camera videos, and Stremio can run YouTube and Twitch.TV media.

While the newer software versions for these four players have fixed the known vulnerabilities, the risk with lesser known media players in unknown, and users should check to see if similar security holes exist.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn how to protect sensitive data with mobile encryption

Discover what encryption tools can secure data for internet of things devices

Read more about securing your connected devices

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing