By combining different vulnerabilities in Blu-ray players, the researcher has built a single disc which will detect the type of player it’s being played on and launch a platform-specific executable from the disc before continuing on to play the disc’s video to avoid raising suspicion. These executables could be used by an attacker to provide a tunnel into the target network or to exfiltrate sensitive files, for example.
The Blu-ray specification supports a richer interactive user experience, with dynamic menus, embedded games and access to the latest trailers downloaded from the Internet. These rich features are built using BD-J, a variant of Java which allows disc authors to build a range of user interfaces and embedded applications, structured into Xlets. Xlets are analogous to the web’s Applets which have long been a source of security concerns.
Xlets run in a Java Virtual Machine secured using the standard security policy mechanisms which are enforced by a SecurityManager class. The exact operations granted to a disc differ from player to player, but generally the security policy will prevent a disc from accessing anything outside of its virtual file system and ensure that a disc is not interacting directly with the underlying operating system.
There is a range of Blu-ray device specifications, including BD-Live, which is the 2.0 player profile. This profile is interesting as it states the drive has an Internet connection (Wi-Fi or wired) and 1 Gb of local storage, typically implemented in physical players via a user-supplied USB flash drive.
Blu-rays have been supported by PowerDVD since 2009 and the security mechanisms haven’t really changed since that early release. PowerDVD comes with a range of additional Java classes which provide functionality internal to the player, but which are still callable by Xlets on the disc. One of these is the CUtil class, which provides access to functions implemented in native code which fall outside of the SecurityManager’s control. These functions allow the player to obtain the current licence details, pop up Windows confirmation dialogs and, most usefully for us, read arbitrary files from the disc.
Xlets are prohibited from accessing a computer’s operating system and file system for obvious reasons. But Tomkinson found a flaw in PowerDVD that allowed him to get around the sandbox that Xlets run in and launch a malicious executable.
The second vulnerability lies in some Blu-ray disc player hardware. Tomkinson wrote that he analyzed a "fairly minimal" embedded system running Linux with a command-line BusyBox interface although he did not identify the make or model.
His second attack uses an exploit written by Malcolm Stagg to be able to get root access on a Blu-ray player. From there, he wanted to see if it was possible to trick the system into running a command that would install malware.
He found it was possible to write an Xlet that fooled a small client application called "ipcc" running on the localhost into launching a malicious file from the Blu-ray disc.
To refine the attack, Tomkinson figured out a way to detect what kind of system the Blu-ray disc is running on in order to know which exploit to launch. To mask the strange activity, the Blu-ray disc is coded to start playing its content after one of the exploits has run.
Last month, Kaspersky Lab wrote about the Equation group, a highly advanced group of attackers, suspected to be the NSA, that used ingenious ways to deliver malware.
Kaspersky described how some participants of a scientific conference held in Houston later received a CD-ROM of material. The CD contained two zero-day exploits and a rarely-seen malware backdoor nicknamed Doublefantasy.
There are a few defensive precautions users can take. Tomkinson says that people can avoid Blu-ray discs that come from unknown sources and also stop discs from running automatically.
If it is possible, users should also turn off the capability that allows Blu-ray players to connect to the Internet or block it from connecting to a network.
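One way to act on the advice about discs from unknown sources, as an added example that is not from the original article or the researcher: a Python triage script that scans a mounted disc's file tree, including the JAR archives that hold BD-J code, for Windows PE or ELF binaries, which a video disc would not normally need. The sample tree and its file names are constructed for illustration, and a hit is a lead for inspection rather than proof of malice.

```python
import os
import tempfile
import zipfile

MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF"}


def classify(head):
    """Return 'PE' (Windows PC) or 'ELF' (Linux player) on a magic match, else None."""
    return next((kind for magic, kind in MAGIC.items() if head.startswith(magic)), None)


def scan_disc(root):
    """Walk a mounted disc tree and list native executables, including JAR members."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                kind = classify(fh.read(4))
            if kind:
                findings.append((rel, kind))
            elif zipfile.is_zipfile(path):  # BD-J Xlets ship as JAR (zip) archives
                with zipfile.ZipFile(path) as jar:
                    for member in jar.namelist():
                        with jar.open(member) as mfh:
                            kind = classify(mfh.read(4))
                        if kind:
                            findings.append((rel + "!" + member, kind))
    return sorted(findings)


def build_sample_disc(root):
    """Constructed sample: a clean JAR, a JAR hiding an ELF, and a loose PE file."""
    jar_dir = os.path.join(root, "BDMV", "JAR")
    os.makedirs(jar_dir)
    with zipfile.ZipFile(os.path.join(jar_dir, "00000.jar"), "w") as jar:
        jar.writestr("Menu.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
    with zipfile.ZipFile(os.path.join(jar_dir, "00001.jar"), "w") as jar:
        jar.writestr("res/helper.bin", b"\x7fELF" + b"\x00" * 8)
    with open(os.path.join(root, "BDMV", "update.dat"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 8)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_disc(tmp)
        print(scan_disc(tmp))
```

Point `scan_disc` at the mount point of a disc or an extracted image; the two-byte `MZ` check is a coarse heuristic, so confirm any hit with a proper file-type tool.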