I loved this series of CCC talks
- https://media.ccc.de/v/37c3-12296-full_aacsess_exposing_and_...
- https://sgx.fail/ and I'm sorry I'm not currently having good luck finding the talk that went along with it
I think that physical media is already known as the weakest link in the chain today and is thus being phased out. While the studios were reticent to adopt streaming initially, I think they've realized it is actually easier to secure, and to keep secure over time.
I don't know if there are exploits against GPUs like those against SGX. It's much easier to update GPU firmware than BIOS/UEFI.
I see more pirated media sourced from streaming services than physical media nowadays.
I've dug into this a bit more, and it seems I got some wires crossed somewhere.
Widevine L1 (the highest level of protection) is still expecting a "trusted execution environment" that is separate from the GPU. This leaves two major paths for exploitation: against the TEE itself, and against the path between the TEE and the GPU. There seem to be published exploits for the former, at least.
Also, Widevine L1 is only really used for "high-value" content, so it's often possible to obtain relatively high-quality streams at lower protection levels, which I'd assume are even easier to break.
Not to put too fine a point on it, but the cryptography behind DRM seems consistently amateurish. They ought to be doing what I said, but maybe for compatibility reasons they can't. I think the gist of what I said remains, though: online streaming is superior to physical media from a DRM perspective because it can use online verification natively. A physical disk cannot change after it is stamped, but a streaming service can implement tighter rules over time, even for its back catalogue.