India removes ban on VLC media player after cybersecurity concerns addressed

India has removed its controversial ban on VLC media player after the company went through an appeals process and addressed some of the concerns raised by the Ministry of Electronics and IT, according to the company's president.

Since February, the download site for VLC has been banned by internet service providers in India but no reasons were ever provided publicly — although company executives and cyber experts suspect it is linked to alleged vulnerabilities exploited by Chinese hackers.

Human rights lawyers, journalists and VLC executives remained in the dark as to why the platform’s website was barred in the country, despite repeated requests for information from the Indian government since the ban went into effect at the beginning of the year. 

But this week, company president Jean-Baptiste Kempf told The Record that the ban had been lifted after they met with ministry officials. 

“We went through a long legal process against them to lift the ban. And our arguments were listened to,” he said, noting that he could not say more due to the confidentiality of the proceedings. 

Felix Paul Kühne, one of the lead developers of the open source VLC media player, also confirmed that the ban was lifted but added that he was not allowed to comment on the details. 

The Ministry of Electronics and IT did not respond to requests for comment. But a source connected to the discussions said VLC sent a legal notice to the Indian government in October, which led to a meeting with ministry officials who finally provided concrete explanations for the ban of the media player – which is used by more than 50 million people in India. 

According to the source, the Indian government said the ban related to third-party groups and “bad actors” interacting with the website and using it to share user data with other countries. VLC responded to the reasons provided with specific points and were given a hearing at the Ministry of Electronics and IT, which took place last week. 

After that hearing, which the source said was more like a meeting than an adjudication hearing, the ministry decided to unblock the website that allows people to download the program. On Monday, the ministry sent VLC a one-line notice saying they were lifting the ban. 

The source said VLC did not make changes to their website or platform and that the hearing was more about the company clarifying the situation.

VLC was also able to show that the ban on their platform would have other unintended consequences, including pushing millions of users into using less secure, unauthorized video players. 

“Just because hackers are interacting with the VLC website, it doesn't mean VLC is legally at fault in any way,” they said. “They were able to show that.”

It is blocked by your government.

— VideoLAN (@videolan) July 31, 2022

For months, VLC complained about what it called an unfair ban on downloads of its video player in India, which company president Kempf said appears to have started on February 13.

Indian security researcher Sunny Nehra said that when the ban first started, only one or two ISPs blocked the page but that number has slowly increased over the past few months. 

“No one from the government contacted us to explain anything. It seems they took their decision based on incorrect reporting of a security issue,” Kempf said. 

According to him, the source of the company’s trouble is outlined in a report in April from the Symantec Threat Hunter team about a Chinese state-backed advanced persistent threat (APT) group named Cicada or APT10. 

Several researchers, some with connections to the internet service providers, tied the alleged ban of VLC to Symantec’s finding that the attackers were exploiting the legitimate VLC Media Player to take remote control of a victim’s machine. 

Symantec’s Brigid O Gorman told BleepingComputer at the time that the group used clean versions of VLC and attached malicious files to it. The company noted in its report that victims of the attack were found in India.

However, a threat actor would need to install a very outdated VLC version for the attack to work, Nehra explained, because the version that could be vulnerable to attack was patched in 2010. 

Eric Chien, a fellow on the Symantec Threat Hunter team, said it was not common for this kind of abuse of VLC to occur, but noted that the technique was seen across multiple organizations in multiple countries. 

In June, the Internet Freedom Foundation filed an application for more information with the Department of Telecommunications. The group is an Indian digital liberties organization focused on free speech, digital surveillance, privacy and net neutrality.

That request was transferred to the Ministry of Electronics and Information Technology, which told the group in July that “no information is available.”

Tanmay Singh, senior litigation counsel at Internet Freedom Foundation, told The Record that the decision this week “is a fantastic victory against opaque and frequent censorship that is perpetrated on the internet by the government.” 

“This is particularly important because more than 80 million Indians use VLC Media Player as their primary source of accessing audio and video files," he said.

“In the absence of an authorized and reliable source to receive updates and the app itself, the ban was leaving a large number of Indians considerably less secure on the Internet than they were before.”