Addressing last week's Securi-Tay conference, hosted by the Abertay Ethical Hacking Society in Scotland, Stephen Tomkinson from the NCC Group detailed how Blu-ray players can do more than play videos; they can open up a new attack surface for the hacker. Tomkinson demonstrated a new tool that had been released to enable the investigation of embedded network devices, and used the network-exposed features on a common Blu-ray player as an example. He showed how an innocent-looking Blu-ray disc can actually circumvent sandboxes and present the hacker with control of the underlying systems. Of course, that innocent-looking Blu-ray disc was anything but; it was highly malicious. The disc itself, by combining a number of vulnerabilities discovered in Blu-ray players, was able to both detect the player it was inserted in and then launch a platform-specific malicious executable. It also played a movie; to do otherwise would be a tad suspicious.
The full technical background is published here but essentially the rich features of Blu-ray interactivity are built using a Java variant called BD-J, which allows both user interfaces and embedded applications to be structured as Xlets, which can be thought of as akin to web Applets. Tomkinson and his team managed to circumvent the JVM SecurityManager controls and gain access to the underlying OS.
Troy Gill, manager of security research at AppRiver, says that while exploits are interesting insofar as they show how seemingly harmless functionality can be leveraged to run malicious executables, avoiding the threat is quite simple. "You could start by disabling Autoplay, uninstalling PowerDVD and avoiding DVDs from unknown origins," he advises, continuing: "although it could potentially be used as one additional attack vector for a hacker who is trying various methods to breach a specific network, given the fairly straightforward defense, I do not see this becoming a very widespread issue."
Tim Erlin, director of security and risk at Tripwire, warns that the problem here is that it is all too easy for the average consumer to "forget that the Blu-Ray player sitting next to their TV is really a full-fledged computing platform and member of their home network. While we talk about the Internet of Things as the future, we shouldn't ignore the embedded devices we've already adopted into our lives. There's a massive supply chain for the production of Blu-Ray discs, and while there are a number of security features in place, it's worth considering how a compromise early in the chain might allow for distribution of malware at scale via discs themselves. This is a threat model that has national security implications, both for attacks at scale and targeted attacks at specific individuals."