A group of five researchers from the Indian Institute of Technology in Madras has proven that Netflix is susceptible to side-channel attacks, which could potentially enable threat actors to infer information about the preferences of “Black Mirror: Bandersnatch” viewers. Bandersnatch brings a “choose-your-own-adventure” interactive system to the Black Mirror science fiction series, allowing Netflix viewers to choose what will happen next in the episode they are watching. Although Netflix protects this communication with TLS (Transport Layer Security), and even though the video feed is hidden behind the encrypted and compressed HTTPS protocol, the researchers have proven that these precautionary measures are still not enough.
Netflix uses JSON (JavaScript Object Notation) to ask the viewer what their story flow choice is. The JSON file is triggered in the browser, and the file itself resembles a text file that contains unobscured content. By monitoring the number and type of these JSON files, the researchers were able to determine the choices of their study participants with an accuracy of 96%. JSON packets can be distinguished from other traffic packets because they have a different and identifiable SSL record length. This means that, regardless of the traffic encryption, it’s still possible to tell the choices of Bandersnatch viewers.
So, why would anyone care about whether their Bandersnatch choices are leaked or not? Simply put, the choices we make in the series can be used for further analysis and the deduction of basic information that characterizes us and defines who we are. What is our affinity to violence? What is our political inclination? What are our food and music preferences? This type of data could be used for a broad spectrum of actions that relate to us, from targeted ad serving to social engineering and full-fledged exploitation.
The researchers suggest that Netflix should split or compress the JSON files so that eavesdroppers can no longer distinguish them. Whatever Netflix decides to do, if anything, this study shows that traffic encryption alone is not enough against a determined actor, and that platforms should pay more attention to the way they implement interactive data communication systems that ask for the users’ participation.
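The length leak described above, and one way to close it, shown as an added example that is not from the article or the researchers' work. It uses length padding, a different technique from the splitting or compression the researchers suggest; the message fields, the 24-byte record overhead and the 512-byte bucket are assumptions, and the sample messages are constructed.

```python
import json

# Assumption: constant per-record AEAD overhead (8-byte explicit nonce plus
# 16-byte tag, as in TLS 1.2 AES-GCM). Encryption adds bytes to the plaintext
# but does not hide how long the plaintext was.
RECORD_OVERHEAD = 24
BUCKET = 512  # hypothetical padding bucket size in bytes

# Constructed sample messages; field names are hypothetical, not Netflix's format.
MESSAGES = {
    "default": {"event": "choice", "segment": "s1", "picked": "default"},
    "alternate": {"event": "choice", "segment": "s1", "picked": "alternate",
                  "state": {"flag_a": True, "flag_b": False}},
}


def encode_plain(msg):
    """Serialize the message as-is; body length varies with the choice made."""
    return json.dumps(msg, separators=(",", ":")).encode()


def encode_padded(msg, bucket=BUCKET):
    """Add a filler field so every body is an exact multiple of `bucket` bytes."""
    base = json.dumps({**msg, "_pad": ""}, separators=(",", ":"))
    filler = "x" * (-len(base) % bucket)
    return json.dumps({**msg, "_pad": filler}, separators=(",", ":")).encode()


def record_length(body):
    """Length of the encrypted record as seen by an on-path observer."""
    return len(body) + RECORD_OVERHEAD


def identifiable_labels(encoder, messages=MESSAGES):
    """Labels whose record length is unique, i.e. recoverable despite encryption."""
    by_length = {}
    for label, msg in messages.items():
        by_length.setdefault(record_length(encoder(msg)), []).append(label)
    return sorted(labels[0] for labels in by_length.values() if len(labels) == 1)


if __name__ == "__main__":
    print("plain :", identifiable_labels(encode_plain))
    print("padded:", identifiable_labels(encode_padded))
```

The bucket has to be at least as large as the longest message of the kind being protected; otherwise messages land in different buckets and the length still separates them.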