Lessons from the Sony CD DRM Episode
J. Alex Halderman and Edward W. Felten
Center for Information Technology Policy
Department of Computer Science
Princeton University
Extended Version
February 14, 2006
Abstract
In the fall of 2005, problems discovered in two Sony-BMG compact disc copy protection systems,
XCP and MediaMax, triggered a public uproar that ultimately led to class-action litigation and the recall
of millions of discs. We present an in-depth analysis of these technologies, including their design, im-
plementation, and deployment. The systems are surprisingly complex and suffer from a diverse array of
flaws that weaken their content protection and expose users to serious security and privacy risks. Their
complexity, and their failure, makes them an interesting case study of digital rights management that
carries valuable lessons for content companies, DRM vendors, policymakers, end users, and the security
community.
1
Introduction
This paper is a case study of the design, implementation, and deployment of anti-copying technologies.
We present a detailed technical analysis of the security and privacy implications of two systems, XCP and
MediaMax, which were developed by separate companies (First4Internet and SunnComm, respectively) and
shipped on millions of music compact discs by Sony-BMG, the world's second largest record company. We
consider the design choices the companies faced, examine the choices they made, and weigh the conse-
quences of those choices. The lessons that emerge are valuable not only for compact disc copy protection,
but for copy protection systems in general.
Before describing the technology in detail, we will first recap the public events that brought the issue
to prominence in the fall of 2005. This is necessarily a brief account that leaves out many details, some of
which will appear later in the paper as we discuss each part of the technology. For a fuller account, see [10].
The security and privacy implications of Sony-BMG's CD digital rights management (DRM) technolo-
gies first reached the public eye on October 31, 2005, in a blog post by Mark Russinovich [29]. While
testing a rootkit detector he had co-written, Russinovich was surprised to find an apparent rootkit (software
designed to hide an intruder's presence [16]) on one of his systems. Investigating, he found that the rootkit
was part of a CD DRM system called XCP that had been installed when he inserted a Sony-BMG music CD
into his computer's CD drive.
{jhalderm, felten}@cs.princeton.edu
Revision 1, February 15, 2006
1