How CIA spied on people using fake VLC video player | Lex Fridman Podcast
Lex Clips
0:03 Okay, there's this legendary story that you pointed me
0:06 to that it was discovered via WikiLeaks release of all sorts
0:13 of documents the CIA was using a modified version of VLC
0:17 to basically try and trick people, what, to steal their data?
0:21 Yes, exactly.
0:22 So can you explain what the heck happened with [laughter]
0:26 So so this was a surprise, right?
0:28 Because at some point WikiLeaks mentioned some documents.
0:31 There were a few ones with something related to Blu-rays and VLC,
0:35 but the most interesting one was the CIA Vault 7,
0:39 which if I understand correctly was the CIA had like
0:44 a custom version of VLC where they had a specific plugin.
0:48 Yeah, exactly.
0:49 This is like we had to to write a press release on that.
0:52 VideoLAN wrote a press release saying the only safe source
0:55 for getting VLC media player is the official VideoLAN website.
0:59 I mean I suppose that's a security vulnerability for basically any piece of open
1:05 source software somebody can trick you to download
1:09 in a fake website or targeted advertisement.
1:12 Like that was a targeted advertisement to watch a specific
1:15 file you need to watch with this custom version of VLC.
1:19 And it was the normal binaries of VLC except they added one DLL.
1:23 I think it was psapi.dll which was basically reading
1:28 your your document folder encrypting that and sending that.
1:34 And the thing is this is very clever
1:36 to be honest because once you're watching a movie, right?
1:39 You're going to do that for 2 hours and you're not going to touch your computer.
1:42 And sometimes it's normal because it's HD that your your fans are going up
1:46 and say and there is ton of TCP usage because you're using VLC, right?
1:50 That's normal.
1:51 But the thing is what you don't see is that actually
1:53 a powered version of VLC that is used by CIA.
1:58 Um we had exactly the same problem with Chinese
2:02 hackers that were targeting Indian people and that got VLC
2:08 banned from India until I had to to fight
2:11 in court in India the Indian government to unban VLC.
2:15 They didn't use VLC.
2:16 They took just one DLL because we signed the DLL correctly.
2:21 Um and they used that DLL to do another program.
2:25 So you had the vlc.exe and was calling libvlc,
2:29 but it was calling it into a fake one and they use that to to target.
2:34 There is not much we can do actually to to to block those type of hacks.
2:38 Yeah, and I think people should for all open source software for all
2:42 software in general people should pay attention where they download the thing.
2:45 Yes, because that means that they were not downloading it from our website.
2:49 Do the search engines help you?
2:50 No, they don't.
2:51 Just to clarify cuz you can you know to prevent threats
2:55 from people manipulating SEO to get up there on the links? Absolutely not.
2:59 Right?
3:00 We have a big issue for like more than 10 years is that there
3:03 is a fake version of VLC in Germany that was reported for now
3:08 for 12 years and Google basically decides to not... They know what's in it
3:14 but the binary is too big for their virus analyzer to analyze it.
3:19 And so well, if you're in Germany,
3:21 you can go to a website that is a fake version of VLC with a custom installer
3:26 and it's very popular in Germany because the website
3:28 is in German and and Google's mentioned that before VideoLAN.
3:32 And the weirdest thing is that it doesn't
3:34 do anything on your machine for 3 weeks.
3:37 Mhm.
3:37 Because that's how they they do the detection.
3:40 And after 3 weeks there is a small program that is a service that installed
3:43 at the same time that wakes up after
3:44 3 weeks and it starts downloading spyware and adware.
3:48 And Google knows about it.
3:49 They decided not to do anything.
3:51 The guys used dark SEO in Germany to to to to do that at some point.
3:56 Um And this is very damaging, right?
4:00 Because one of the things that they are downloading is
4:02 actually something that is replacing your ads inside your machine, right?
4:07 It's actually quite surprisingly effective.
4:10 Whoever is doing it with Twitter and X with X,
4:14 I'll get emails about your X account has been hacked.
4:18 And however they phrase it it gets me to like
4:22 at least click on the email not to follow the thing.
4:25 And then you're like, man, whatever they're doing with the psychology
4:28 to try to trick you, they're quite good.
4:31 There is a security version of VLC, right?
4:33 You receive an email saying, hey, there is a security version update on VLC.
4:37 Think about updating right now because it can hack your computer.
4:40 You come It's a website that looks decent
4:43 and and you download it's a new version of VLC.
4:45 Great.
4:46 You don't know a month later you're hacked.
4:48 You have no idea.
4:48 You're part of a botnet.
4:49 Yeah.
4:51 [snorts] So make make sure wherever you're downloading stuff is legitimate.
4:55 part of the botnet.
4:57 Speaking of which, so you've mentioned that VLC sandboxing is
5:01 something you're working on and it's actually something quite challenging.
5:05 Why is it important?
5:06 Why is it hard?
5:07 So VLC is a core with around 500 plugins, right?
5:13 One of them is FFmpeg, but we have we support so many other formats.
5:17 We support new protocols.
5:19 We support new filters.
5:21 We support weird architectures.
5:23 And in this release of VLC you have
5:27 modules that are going to call your drivers, right?
5:30 Mostly the hardware decoders, which are going to call your Intel,
5:35 your Nvidia, your AMD driver.
5:38 Um and all calling FFmpeg, right?
5:42 And there might be a security issue.
5:43 There might be a security issue in the shader.
5:46 There might be a security issue in VLC
5:48 in FFmpeg that is going to basically crash.
5:51 The issue is that you're running VLC
5:54 like every every other program like Adobe, right?
5:56 You're running it on your machine and it
5:59 has access to all your documents, right?
6:02 So the idea is to be sure that you do a sandbox so that we can
6:06 protect from ourselves because inside the VLC process
6:11 is running some code that is not even ours.
6:13 It's open source other projects that we integrate in VLC or it's
6:17 your GPU driver or something that is provided by someone else inside.
6:22 And so when we crash we want to not allow people to do bad things, right?
6:27 Because one of the common ways of hacking people is
6:30 to crash a program very often done with a web browser,
6:33 very often done with PDF files.
6:36 Less often with multimedia, but it could happen.
6:38 And when you crash, you launch something on the on the machine of the person.
6:43 Could be a ransomware.
6:44 Could be a botnet, right?
6:45 So security of desktop application is important.
6:49 On mobile it's a bit different because most
6:50 of the mobile application are running on inside their own sandbox.
6:55 But for VLC we could run it inside one sandbox,
6:59 but the problem is that we need access to so many things
7:02 that is basically we we would do we would have all the permissions.
7:07 Right?
7:07 And so if you have a sandbox and you
7:09 put some holes everywhere it defeats the purpose, right?
7:13 So what we are trying to do and we're
7:14 actually doing is splitting VLC into several processes.
7:19 One is decoding.
7:20 One is demuxing.
7:21 One is filters and all of them run into their own sandbox.
7:27 So that the whole VLC a part of VLC
7:30 crash like Chrome crashes on some on some tab, right?
7:34 It crashes crash, but it did not crash the whole program.
7:37 And this is what we're trying to do.
7:39 And it's difficult because it's a sandbox that needs
7:41 to sustain gigabits per second of mem copies.
7:46 No, it's not a website which is 5 megabytes or 10 megabytes.
7:49 We're talking about hundreds of megabits per second.
7:51 So this is why it is quite challenging.
7:53 And this is a research topic that we we are
7:56 working on in order to have multimedia player that is secure.
8:02 This is all the kind of stuff you have
8:03 to think about when millions of people are using.
8:05 You mentioned something somewhere where like all the different features
8:09 of VLC when you have that many people using it,
8:13 somebody will use every single feature and they will tell you about it.
8:19 Best feature in VLC is called the puzzle filter.
8:22 Right?
8:23 So you click the puzzle filter and it
8:26 transforms your video into a jigsaw puzzle, right?
8:29 And you can click and move the pieces, right?
8:32 Yeah.
8:32 Um it's very very useful when you're watching a French movie, right?
8:35 You're bored Oh, yeah.
8:38 because it's like like very long things or love
8:40 triangle like you've seen that so many times.
8:42 Right.
8:43 But but you need to watch it because someone your wife or Yeah.
8:46 told you to do that or your boyfriend told you to do that.
8:50 So you're doing that, right?
8:51 Yeah.
8:51 And you can click and move the pieces around.
8:53 Yeah.
8:54 It's absolutely useless, right?
8:56 Like who cares about that?
8:58 First, it was done by a a math teacher in high
9:02 school in South of France to teach his students about Bézier curves,
9:06 which is something that everyone should know about, right?
9:08 It's very useful.
9:10 But the code was clean.
9:11 So it got in VLC.
9:12 It was merged in 2010.
9:14 5 years later, I received an email saying Hello JB, I have a problem with VLC.
9:19 The puzzle is too simple.
9:21 And I was just like, what?
9:23 And yes, the puzzle was in the UI maximum by 16 by 16, right?
9:28 Only 256 And he says, I'm sorry, but in a movie I love puzzle.
9:34 This is too too simple, right?
9:35 So there is a commit of me.
9:36 You can check it online,
9:38 which is JB changing that the dimensions are 256 by 256.
9:43 Brilliant.
9:44 My point is so many use features are used by a few people, right?
9:50 There is a way to watch VLC movies in command line without any UI, right?
9:56 It's I saw that you can do uh ASCII ASCII art.
9:59 Is it useful?
10:00 Very useful.
10:01 Imagine you're debugging Imagine you're debugging a multicast network, right?
10:05 You have thousands very complex very complex networking stack, right?
10:10 You can SSH to all of the routers and put VLC on it with no UI.
10:15 And you're going to see whether it's black or it's not black, right?
10:18 So, you see if Oh, it's all green or not all green, right?
10:20 So, you can see Right?
10:23 People don't realize there is so many things
10:25 in VLC uh that are useful um and they are
10:31 they have users because once you have hundreds of millions
10:34 of users you have people who use every feature.