The humble Blu-ray disc has, this week, been identified as a possible source of attack as well as a viable means of government snooping.
Stephen Tomkinson, a researcher with UK-based security consultancy NCC, took to the stage at the Securi-Tay conference at Abertay University, Dundee, in February to explain how vulnerabilities found in different Blu-ray players could be combined to make a single “intelligent disc” that could ascertain the model of player it was inserted into.
With this knowledge, the disc could then launch a “platform-specific executable” to place malware onto the system. At the same time, the disc would also play the movie or other user-selected files on the disc, leaving the owner unaware that anything untoward had occurred.
One of the issues is linked to PowerDVD, a software application made by Taiwanese company CyberLink. The disc-playing software is often found pre-installed on new systems from manufacturers including Hewlett Packard, Dell, Acer, Lenovo, Toshiba and ASUS.
One of the key selling points of the Blu-ray format is its ability to support additional content including dynamic menus and embedded games. Such content is coded with the Blu-ray Disc Java (BD-J) specification which is a variation of Java used for embedded systems.
The BD-J specification uses “Xlets” – small pieces of Java code – which are normally prevented from accessing the host’s file system and operating system, since content from an arbitrary disc should not be able to touch the machine it is played on.
Unfortunately, however, the security mechanisms behind PowerDVD have not been updated as frequently as they perhaps should have been, which allowed Tomkinson to circumvent the sandbox that Xlets are normally confined to and run a malicious executable file.
Writing on his blog, Tomkinson explained how one of the additional Java classes found in PowerDVD was still callable by Xlets on a disc:
“One of these is the CUtil class which provides access to functions implemented in native code which fall outside of the SecurityManager’s control. These functions allow the player to obtain the current licence details, the ability to pop-up windows confirmation dialogs and most usefully for us an ability to read arbitrary files from the disc.”
According to Oracle, the SecurityManager is a class that allows applications to determine whether an operation is safe or not before attempting to run it, and whether or not that operation is being attempted within a security context. Based on its findings, SecurityManager can then either allow or deny the operation.
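The sandboxing the two paragraphs above describe, as an added Java example that is not code from the article, from NCC or from PowerDVD: a custom SecurityManager allow-lists reads under a constructed disc mount point, a stand-in Xlet shows that an ordinary `java.io` read of anything outside it is refused, and a stand-in player helper (`PlayerFileUtil`, a hypothetical name) shows the explicit `checkRead` call that any utility reading on behalf of disc content, native-backed or not, has to make itself, because native code never passes through the manager on its own. The directory layout, file names and class names are all constructed for the demo.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.Permission;

/** Toy model of the Xlet sandbox: disc code may read only under the disc's own mount point. */
public class XletSandboxDemo {

    /** Allow-list SecurityManager: reads are permitted only under discRoot (constructed). */
    static final class DiscOnlySecurityManager extends SecurityManager {
        private final String discRoot;

        DiscOnlySecurityManager(File root) throws IOException {
            // Canonical form so symlinks and ".." cannot be used to dodge the prefix test.
            this.discRoot = root.getCanonicalPath() + File.separator;
        }

        @Override
        public void checkRead(String file) {
            String canonical;
            try {
                canonical = new File(file).getCanonicalPath();
            } catch (IOException e) {
                throw new SecurityException("sandbox: cannot resolve " + file);
            }
            if (!canonical.startsWith(discRoot)) {
                throw new SecurityException("sandbox: read of " + canonical + " denied");
            }
        }

        @Override
        public void checkRead(String file, Object context) {
            checkRead(file);
        }

        // Every other permission is granted so the demo stays focused on file reads.
        @Override
        public void checkPermission(Permission perm) { }

        @Override
        public void checkPermission(Permission perm, Object context) { }
    }

    /** Stand-in for disc content; java.io reads are routed through SecurityManager.checkRead. */
    static final class DiscXlet {
        private final File discRoot;
        DiscXlet(File discRoot) { this.discRoot = discRoot; }

        String readOwnAsset(String name) throws IOException {
            return readAll(new File(discRoot, name));      // inside the disc: allowed
        }

        String readHostFile(File hostFile) throws IOException {
            return readAll(hostFile);                      // outside the disc: refused
        }
    }

    /**
     * Stand-in (hypothetical) for a player utility that reads on behalf of disc content.
     * A native-code implementation never hits checkRead by itself, so the guard must be
     * explicit. The I/O here is plain Java; the explicit check is the point.
     */
    static final class PlayerFileUtil {
        private final File discRoot;
        PlayerFileUtil(File discRoot) { this.discRoot = discRoot; }

        String readForDisc(String requested) throws IOException {
            File target = new File(discRoot, requested).getCanonicalFile();   // resolve ".." first
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkRead(target.getPath());            // denies "../outside.txt" style requests
            }
            return readAll(target);
        }
    }

    static String readAll(File f) throws IOException {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new FileReader(f))) {
            String line;
            while ((line = r.readLine()) != null) {
                sb.append(line).append('\n');
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/disc/menu.txt is disc content, <tmp>/outside.txt is host data.
        File base = Files.createTempDirectory("bdj-demo").toFile();
        File disc = new File(base, "disc");
        Files.createDirectory(disc.toPath());
        Files.write(new File(disc, "menu.txt").toPath(), "Play movie\n".getBytes(StandardCharsets.UTF_8));
        File outside = new File(base, "outside.txt");
        Files.write(outside.toPath(), "host data\n".getBytes(StandardCharsets.UTF_8));

        // Instantiate (and so load) everything the sandboxed code needs before the manager is installed.
        DiscXlet xlet = new DiscXlet(disc);
        PlayerFileUtil util = new PlayerFileUtil(disc);
        System.setSecurityManager(new DiscOnlySecurityManager(disc));

        System.out.print("own asset:  " + xlet.readOwnAsset("menu.txt"));
        try {
            xlet.readHostFile(outside);
        } catch (SecurityException e) {
            System.out.println("host file:  " + e.getMessage());
        }
        try {
            util.readForDisc("../outside.txt");
        } catch (SecurityException e) {
            System.out.println("via helper: " + e.getMessage());
        }
    }
}
```

Compile with `javac XletSandboxDemo.java` and run with `java XletSandboxDemo`; on JDK 18 through 23 add `-Djava.security.manager=allow`, since SecurityManager is deprecated for removal there, and it no longer works at all from JDK 24. The Blu-ray player profile is a far older Java, but the mechanism is the same: the sandbox only holds for operations that actually reach the manager's check methods, which is exactly what a native-backed helper skips unless it calls them itself.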
The second Blu-ray vulnerability uncovered by Tomkinson, based upon the work of hacker Malcolm Stagg, takes advantage of debug code to launch from an external USB device.
In this way, an Xlet can be used to fool a small client application called “ipcc”, running on localhost, into executing a malicious file, prompting Tomkinson to say:
“This gives us a working exploit to launch arbitrary executables on the disc from the Blu-Ray’s supposedly limited environment”.
Given that the Equation group used CD-ROMs to spread the DoubleFantasy backdoor, it is not inconceivable that such vulnerabilities within the Blu-ray ecosphere could be used for more than just spreading malware: in theory, the same attack vector could also be used to snaffle up sensitive data, something a government near you may well be interested in.
To counter the risks potentially posed by Blu-ray discs, Tomkinson suggests users should prevent discs from auto-running, deny them internet access and never trust discs that have come from unknown sources.