
GoI’s VLC ban is a security and privacy risk


The Indian government has been blocking apps left and right to protect its internet space and data security from China for quite some time. The latest victim of this active precaution against Chinese state-backed hackers seems to be the massively popular VLC media player. 

VLC’s website has reportedly been inaccessible on the Indian internet since February 13. Six months later, there’s still no word from VLC or the Indian government over why the ban was issued in the first place. The media player itself hasn’t been blocked completely and will continue to function if you’ve already downloaded it, but the government has restricted access to the website of VideoLAN, the organisation behind the project. The player’s Android and iOS apps are also available for download from the respective app stores.

The ban reportedly stems from Symantec’s April research claiming that China-backed threat actor Cicada was using the VLC media player to deliver malware to targets as part of a massive cyber espionage campaign. The campaign targeted government or NGO organisations in the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy.

Since the attackers were using VLC’s website to target users, the ban seems to be the Indian government’s response to the situation.

Another alleged reason was that the VLC media player is a Chinese product, which would be in line with India’s recent crackdown on Chinese apps and software providers. That said, the VLC media player is made and maintained by the VideoLAN organisation based in France.


Is the VLC media player actually vulnerable?

The attackers were found using DLL injection methods to launch a custom malware loader by exploiting the media player’s exports function and using the WinVNC tool to remotely take over the target machines. 

While DLL injection is a widely used method to inject malware into legitimate programs, reportedly, this requires an outdated version of VLC, older than version 1.1.4, in order to work. Any versions above that, including the version that was on VLC’s website before the ban, aren’t vulnerable to this. 

However, since VLC is an open-source project, people can make their own versions of the software, which can be vulnerable to DLL injection. That said, official versions downloaded from the original site are safe. 

Indian government’s response

The VideoLAN organisation hasn’t taken the ban well, for good reason. For starters, there was never an official order issued by MeitY, and no notification was given to VLC before issuing the ban. Indians account for around 10% of all VLC users worldwide, and the website’s traffic has seen a drop of around 20% as a direct result of the block, said VideoLAN president and lead developer Jean-Baptiste Kempf in conversation with TechCrunch.

A Right to Information application filed by the Internet Freedom Foundation on June 7 to the Department of Telecommunications, which was then transferred to the Ministry of Electronics and IT, revealed nothing. The ministry denied knowing about the situation, clearly stating that it had no information regarding the VideoLAN website. A second RTI application filed by the SFLC also received the same response. Both organisations have filed appeals asking for more clarification. 

The situation has worsened as reports have emerged of Indian Internet Service Providers impersonating VideoLAN to spy on user traffic using man-in-the-middle techniques. Two major ISPs in India, ACT Fibernet and Reliance’s Jio, are reportedly doing this.

Blocking sites or programs without advance warning or conversation with the project owner does two things. First, Indians looking to download the VLC media player will now find themselves on third-party sites, which increases the chance of an unsuspecting user downloading an infected version of the player.

Secondly, it pushes the Indian government’s rather dictator-like stance on internet censorship, which already stirred controversy back in June when it announced new IT rules regarding how VPNs are expected to act in the country and how organisations should report cybersecurity incidents, among other things.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
