12

According to this PDF, Widevine has three security levels. The least secure one, and the one used by Chrome on desktops, is level 3, in which all decryption is done outside of a Trusted Execution Environment.

But in that case, what stops someone from opening the Widevine Chrome plugin in IDA, following the video data until they get to whatever function decrypts it, and then writing their own implementation of Widevine that just saves the output to a file instead of rendering it?

The PDF does say that "appropriate measures may be taken to protect the cryptographic information and decrypted content on host operating system," but things like video games also use various protection systems, but these still get cracked with some effort.

So, why hasn't Widevine been cracked yet?

abcd

1 Answer

3

I'm guessing that the reason that Widevine hasn't been cracked yet (or at least not that I know of) is that there are much easier solutions out there for bypassing CDM restrictions than cracking Widevine itself.

For instance, you mentioned Chrome's Level 3 Security (no TEE hardware support required). It is well known that the browser itself can be modified to violate any content restrictions that may exist.

"Chrome has long been an open-source project and developers have been able to create their own versions of the browser that, for example, may use a different CDM or include modified CDM rendering paths," the spokesman wrote WIRED in an email.

https://www.wired.com/2016/06/bug-chrome-makes-easy-pirate-movies/

It is possible to start with Chrome's open source project, Chromium, and modify the rendering pipeline to redirect video content to other sinks besides the screen. I assume this is how many pirating tools have been developed as well.

Ryan Hunt
  • Chromium doesn't include the Widevine Content Decryption Module. This module is closed source, and included with the mainstream Google Chrome distribution. So, it's not quite that easy. Better post describing stuff – Ryan Kozak Feb 15 '18 at 00:48
  • 4
    That is correct, although it is not difficult to build Chromium from source with the Widevine Content Decryption Module included.

    http://www.linuxfromscratch.org/blfs/view/cvs/xsoft/chromium.html

    – Ryan Hunt Feb 27 '18 at 01:02