iPod AAC DRM backdoor?
Thursday, Jun 05, 2003
So I've been thinking (always a dangerous sign). With Apple's new Music Store, they enforce digital rights management (DRM) by apparently encrypting the songs they download to you with a key to ensure that only a computer registered to you can listen to the music. Other bloggers have verified that the actual content portion of the song is changed, not just some identifying header, having purchased the same song under two IDs and otherwise identical conditions, and finding no similarity to the data within the song files, though they play identically.

Under Apple's digital rights management scheme (which, by the way, for all the evils of DRM, is the least evil I've seen), an Apple Music Store customer can play their purchased music on a Mac that has been linked to their account, and at any time up to three Macs can be so linked. At the same time, any song from the Apple Music Store can be played on any iPod, which brings me to my thought: How does the iPod get around the DRM?

What I mean to say is, if the song file is protected, presumably through some sort of encryption, so that only computers in possession of a decryption key linked to the user's account can decrypt a song, how are the iPods exempt?

It seems to me that there are four possible solutions:

  1. The files are encrypted by the user's personal key and that key is actually included inside the song file, so that iPods can decrypt any song. Mind you, any other application that knows about the key could decrypt any song, too, unless the key itself is encrypted by another key that is stored somewhere in the flash ROM of every iPod so that iPods, and only iPods, can decrypt the key in the song, then use that key to decrypt the song. I believe this is similar to how DVD encryption works, though I could be wrong.
  2. Similar to #1, perhaps when a Mac uploads a song to an iPod, it tacks on the user's personal decryption key along with the song so the iPod can decode it. A way to test if this is the case is to take a protected song to someone else's Mac (that can't play the song because it doesn't have the key), then try to upload it to an iPod and see if the song plays. If it doesn't play, then it means that songs have to be loaded onto iPods from 'permitted' computers.
  3. When uploading to the iPod, the Mac might completely decrypt the song and then upload it, obviating the need for any kind of decryption on the iPod side. In this case, as in #2, only a 'permitted' computer could successfully upload a song to an iPod. The difference here is that if two people purchased the same song, then uploaded them to iPods, then copied the song back from the iPod, using command-line copying or another third-party iPod tool, then the two files should be decrypted, and identical to each other. Incidentally, these files would likely be playable on any AAC player, effectively removing the DRM without sacrificing quality.
  4. Maybe the files aren't actually encrypted at all, and are just made to look different by inserting a small amount of random noise, or a digital signature, into the original waveform prior to encoding, so that the files can be tracked, and playability on different computers is solely regulated by a weak honor-based system within iTunes.

With a little time and two Apple Music Store accounts, it should be easy to tell which of these systems is being used (unless it's something other than the possibilities above). I might do it if I have the time in the next week or so, but I'm really just more curious than anything else. I don't feel the need to go around trying to break Apple's DRM and be a new EFF poster child fighting the DMCA.
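The file comparison behind these tests can be sketched as follows. This is an added example, not code from the original post; the 64-byte header, the toy SHA-256 keystream cipher and all sample bytes are constructed assumptions that only model the cases, not Apple's actual format.

```python
import hashlib

HEADER_LEN = 64  # assumed per-account header size, for this sketch only

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream, used only to build sample data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def match_ratio(a: bytes, b: bytes) -> float:
    """Fraction of offsets at which both files hold the same byte."""
    n = min(len(a), len(b))
    return sum(x == y for x, y in zip(a, b)) / n if n else 0.0

def classify(a: bytes, b: bytes, header_len: int = HEADER_LEN) -> str:
    """Label how two copies of the same song relate to each other."""
    if a == b:
        return "identical"        # e.g. both copies were stored decrypted (#3)
    body = match_ratio(a[header_len:], b[header_len:])
    if body == 1.0:
        return "header-only"      # only an identifying header differs
    if body < 0.05:               # unrelated bytes agree about 1 time in 256
        return "payload-differs"  # the content itself was transformed per account
    return "partially-similar"

def sample_files() -> dict:
    """Constructed stand-ins for two purchases of the same song."""
    audio = toy_encrypt(b"constructed-audio", bytes(4096))  # fake encoded audio
    def hdr(who: bytes) -> bytes:
        return who.ljust(HEADER_LEN, b"\0")
    return {
        "encrypted_per_account": (hdr(b"A") + toy_encrypt(b"key-A", audio),
                                  hdr(b"B") + toy_encrypt(b"key-B", audio)),
        "tagged_header_only": (hdr(b"A") + audio, hdr(b"B") + audio),
        "decrypted_copies": (audio, audio),
    }

if __name__ == "__main__":
    for name, (a, b) in sample_files().items():
        print(f"{name}: {classify(a, b)}")
```

A "payload-differs" result on its own does not separate real encryption from possibility #4, since a watermark added before encoding could also change the whole payload.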

For now my main hope is that TiVo sends out an update for its Home Media Option so that it can play my Apple-bought music, especially since Apple's courting independent labels today, and many more cool bands could be in the store in the next couple months.

Hi, I'm Kevin Fox.

©2012 Kevin Fox