5.3 Attacks on the MediaMax Watermark
The MediaMax watermark fails to satisfy the indelibility and unforgeability requirements of an ideal disc
recognition system. Far from being indelible, the mark is surprisingly brittle. Most advanced designs
for robust audio watermarks [8, 7] manipulate the audio in the frequency domain and attempt to resist
removal attempts that use lossy compression, multiple conversions between digital and analog formats, and
other common transformations. In contrast, the MediaMax watermark is applied in the time domain and
is rendered undetectable by even minor changes to the file. An adversary without any knowledge of the
watermark's design could remove it by converting the tracks to a lossy format like MP3 and then burning
them back to a CD, which can be accomplished easily with standard consumer applications. This would
result in some minor loss of fidelity, but a more sophisticated adversary could prevent the mark from being
detected with almost no degradation by flipping the least significant bit of one carefully chosen sample from
each of the 30 watermark clusters, thereby preventing the mark from exhibiting the pattern required by the
detector.
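
The brittleness described above can be measured from the detector designer's side. The following is an added example, not code from this paper or from scmark: it embeds a toy keyed pattern in the three least significant bits of a constructed 0.4-second signal and reports how much of the pattern survives two benign transformations. The pattern, key, test signal and transforms are assumptions and do not reproduce the MediaMax mark structure.

```python
import math
import random

RATE = 44100                    # CD sample rate
MASK = 0b111                    # three least significant bits, as on the page

def make_track(n, seed=1):
    """Constructed 16-bit test signal: 440 Hz tone plus low-level noise."""
    rng = random.Random(seed)
    return [round(12000 * math.sin(2 * math.pi * 440 * i / RATE))
            + rng.randint(-200, 200) for i in range(n)]

def pattern(n, key):
    """Toy keyed bit pattern (hypothetical, not the MediaMax structure)."""
    rng = random.Random(key)
    return [rng.randint(0, MASK) for _ in range(n)]

def embed(samples, key):
    """Overwrite the three LSBs of every sample with the keyed pattern."""
    return [(s & ~MASK) | p for s, p in zip(samples, pattern(len(samples), key))]

def survival(samples, key):
    """Fraction of samples whose three LSBs still carry the pattern."""
    pat = pattern(len(samples), key)
    return sum((s & MASK) == p for s, p in zip(samples, pat)) / len(samples)

def snr_db(ref, test):
    """Signal-to-noise ratio of `test` relative to `ref`, in dB."""
    noise = sum((a - b) ** 2 for a, b in zip(ref, test))
    signal = sum(a * a for a in ref)
    return float("inf") if noise == 0 else 10 * math.log10(signal / noise)

def gain(samples, g=0.99):
    """Benign volume change of about 0.09 dB."""
    return [round(s * g) for s in samples]

def requantize(samples, seed=2):
    """Stand-in for a D/A-A/D round trip: up to one LSB of noise per sample."""
    rng = random.Random(seed)
    return [s + rng.choice((-1, 0, 1)) for s in samples]

def robustness_report(key=0x5C, n=int(0.4 * RATE)):
    """Run the mark through each transform; return {name: (survival, snr_db)}."""
    clean = make_track(n)
    marked = embed(clean, key)
    tests = {"none": marked, "gain": gain(marked), "requantize": requantize(marked)}
    report = {name: (survival(t, key), snr_db(marked, t)) for name, t in tests.items()}
    report["embedding_cost_db"] = snr_db(clean, marked)
    return report
```

A time-domain mark confined to the low bits loses most of its pattern under changes that leave the audio at 40 dB SNR or better, which is why the frequency-domain designs cited above are evaluated against exactly these transformations.
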
The watermark also fails to satisfy the unforgeability requirement. The mark's only defense against
forgery is its complicated, unpublished design, but as is often the case this security by obscurity has proved
tedious rather than impossible to defeat. As it turns out, an adversary needs only limited knowledge of
the watermark--its location within a protected track and its confinement to the three least significant bits
of each sample--to forge it with minimal loss of fidelity. Such an attacker could transplant the three least
significant bits of each sample within the watermarked region of a protected track to the corresponding
sample from an unprotected one. Transplanting these bits would cause distortion more audible than that
caused by embedding the watermark since the copied bits are likely to differ by a greater amount from the
original sample values; however, the damage to the audio quality would be limited since the marked region
is only 0.4 seconds in duration. A more sophisticated adversary could apply a watermark to an unprotected
track by deducing the full details of the structure of the watermark, as we did; she could then embed the
mark in an arbitrary audio file just as well as a licensed disc producer.
As a proof-of-concept, we created a utility called scmark that can detect, embed, or remove the
MediaMax watermark. The program is invoked on one or more WAVE audio files as follows:

    usage: scmark --detect [-p <pos>] [-c <count>] <file.wav> [files]
                  --embed [[a] <b>] [-p <pos>] [-c <count>] <file.wav> [files]
                  --remove [-p <pos>] [-c <count>] <file.wav> [files]

When scmark is executed with only the --detect parameter on a track ripped from a MediaMax-protected
album, the watermark is detected almost instantaneously. The -p <pos> parameter gives a hint as to the
position of the watermark within the file; and -c <count> indicates how many mark clusters to read or
write. For embedding, the a and b parameters specify the two 32-bit values A and B encoded in the
watermark, as described in Section 5.2. The --remove switch searches for an existing watermark and
removes it by overwriting it with a random raw watermark that lacks the properties required by the
MediaMax detector.
5.4 Secure Disc Recognition
Having shown that the MediaMax watermark fails to provide either strong resistance to removal or strong
resistance to forgery, we ask whether it is possible to securely accomplish either or both of these goals.
As far as indelibility is concerned, watermarking schemes have a poor history of resisting removal
[8, 20, 26]. This is especially true against an adversary who has oracle access to the watermark detector, as
was the case with a previous application of watermarks to audio copy protection, SDMI [8], and with CD
DRM systems. Making marks that are both indelible and unforgeable is likely much more difficult. There