Video nasty as Blu-ray malware routes identified

Blu-ray vulnerabilities exploited to create 'take-over' disc that also keeps the movie running.

The Blu-ray Disc (BD) format is a potential new target for hackers following disclosure of a vulnerability: exploit code can be created to run on discs, which could be used by an attacker to provide a tunnel into a network or to ‘exfiltrate' files.

Abertay Ethical Hacking Society reported during the Securi-Tay conference at Abertay University, Dundee, in February that by combining different vulnerabilities found in different Blu-ray players they could create a single, more ‘intelligent disc' capable of knowing what player it is inserted into. The disc can then launch a ‘platform-specific executable' to initiate the malware while, crucially, also playing the video that the user expects to see, so avoiding suspicion.

One of the vulnerabilities is traced to a software application called PowerDVD, made by CyberLink in Taiwan. PowerDVD plays discs on Windows machines and is often pre-installed on computers from big-name manufacturers including HP, Dell, Acer, Lenovo, Toshiba and ASUS.

PowerDVD is built around the typical all-encompassing user proposition that includes Blu-ray player software, mobile apps and cloud services. In turn, Blu-ray has supported PowerDVD since 2009. But, crucially, the security mechanisms behind the technology have not been updated as frequently as the front-end features for so-called ‘immersive user experiences', such as embedded games and other dynamic content such as interactive menus. These pieces of software are coded using the Blu-ray Disc Java (BD-J) specification, a variant of Java for embedded systems.

The software's Java classes provide core functionality for the player, but these same classes are still callable by Xlets (small pieces of Java code that support digital video/TV) on the disc.

“Among these, the CUtil class provides access to functions implemented in native code which fall outside of the Java ‘SecurityManager's' control. These functions allow the player to obtain the current licence details, ability to pop-up Windows confirmation dialogs and (most usefully for us) an ability to read arbitrary files from the disc,” said NCC Group consultant and hacker Steven Tomkinson, in his blog.

Oracle's code docs pages explain how: “The SecurityManager is a (Java Software) class that allows applications ... to determine, before performing a possibly unsafe or sensitive operation, what the operation is and whether it is being attempted in a security context that allows the operation to be performed. The application can allow or disallow the operation.”
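A defensive check for the exposure described above, added here as an example and not taken from the researchers' work or any player's code: it lists the classes a disc's compiled Xlet references outside the standard BD-J API packages, which is where calls into player-internal classes such as CUtil would show up. The `vendor/player/` and `disc/menu/` package names and the sample bytes are constructed placeholders.

```python
import struct
# Standard BD-J platform API packages, in class-file (slash) form.
BDJ_API = ("java/", "javax/", "org/bluray/", "org/dvb/", "org/havi/", "org/davic/")
# Constant-pool tag -> fixed payload size; Utf8 (tag 1) is variable length.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def referenced_classes(data):
    """Return every class name referenced from a .class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]
    utf8, class_refs, pos, i = {}, [], 10, 1
    while i < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:    # CONSTANT_Utf8: u2 length, then the bytes
            n = struct.unpack_from(">H", data, pos)[0]
            utf8[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in CP_SIZES:
            if tag == 7:    # CONSTANT_Class: u2 index of the Utf8 name
                class_refs.append(struct.unpack_from(">H", data, pos)[0])
            pos += CP_SIZES[tag]
        else:
            raise ValueError("unknown constant-pool tag %d" % tag)
        i += 2 if tag in (5, 6) else 1    # long/double take two slots
    names = set()
    for name in (utf8[r] for r in class_refs if r in utf8):
        if name.startswith("["):    # array type: keep only an object element
            name = name.lstrip("[")
            if not (name.startswith("L") and name.endswith(";")):
                continue    # primitive array, no class involved
            name = name[1:-1]
        names.add(name)
    return names

def unexpected_refs(data, own_prefix):
    """Classes that are neither BD-J API nor the disc's own package."""
    allowed = BDJ_API + (own_prefix,)
    return sorted(c for c in referenced_classes(data) if not c.startswith(allowed))

# Constructed sample: class-file header plus constant pool only.
# "vendor/player/" is a placeholder for a player-internal package.
def _utf8(s): return b"\x01" + struct.pack(">H", len(s)) + s.encode()
def _cls(i): return b"\x07" + struct.pack(">H", i)
SAMPLE = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 47, 11)
          + _utf8("disc/menu/MenuXlet") + _cls(1) + _utf8("javax/tv/xlet/Xlet") + _cls(3)
          + _utf8("vendor/player/CUtil") + _cls(5) + b"\x05" + bytes(8)
          + _utf8("[Ljava/lang/String;") + _cls(9))
print(unexpected_refs(SAMPLE, "disc/menu/"))
```

A constant-pool scan only sees direct class references; a class looked up by name through reflection appears as a string constant instead, so an empty result does not clear a disc.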

A second Blu-ray vulnerability, uncovered by Malcolm Stagg, used an Xlet to dupe the Blu-ray player into running a malware-laden file, thereby gaining root access on the player.

Jared DeMott, principal security researcher at Bromium, told SCMagazineUK.com: “Personally, nothing about this story shocks me.” He explains that all software has bugs and that (very typically) functionality is prioritised over secure coding; what surprised him is that other people are generally shocked by this news.

“They apparently did not realise that their DVD player, car infotainment system, smart electric meter on their house etc runs code. All of these devices now run computer code. Generally, for embedded systems, the code is low level C or perhaps C++ code,” said DeMott.

“The C programming language is notorious for memory corruption vulnerabilities. So why act surprised when someone can hack your refrigerator and spoil your milk? Isn't it time consumers demand some level of protection and security out of every computer they use?”

DeMott noted that 100 percent security need not always be our goal as it is often not cost effective nor good for privacy. 

“Processes on systems need not be 100 percent secure in and of themselves, but a breach should be contained to singular areas, such that an attack against code cannot affect the greater system,” said DeMott. “Why should a poorly written printer driver allow an attacker to control my entire computer? Shouldn't that code run in a safe environment, such that a security failure is trapped?”

Blu-ray specification discs remain a viable medium, but users should avoid playing Blu-ray discs from untrusted sources and (of course) also avoid pirate or counterfeit Blu-ray discs. Users with specific concerns should disable auto-play and prevent discs from connecting to the internet.