Blu-Ray Players Hackable Via Malicious Discs

An anonymous reader writes: Some Blu-Ray disc interactive features use a Java variant for UIs and applications. Stephen Tomkinson just posted a blog discussing how specially created Blu-Ray discs can be used to hack various players using exploits related to their Java usage. He hacked one Linux-based, network-connected player to get root access through vulnerabilities introduced by the vendor. He did the same thing against Windows Blu-Ray player software. Tomkinson was then able to combine both, along with detection techniques, into a single disc.

Re:I should think so!

[fuzzyfuzzyfungus]

I suspect that there are a number of ways in, given the usual attention given to firmware quality; but blu-ray isn't helped by having a security model marked by absolute paranoia about the precious 'content' escaping, combined with some amount of incompetence and a lot of pure apathy about any other security concern.

With both the BD+ vm and the BD-J stuff, there is a lot of attention paid to 'ooh, the an unauthorized player attempting to do unauthorized things with the content on the disk?!'; but the contents of the disk are largely treated as trusted and the playback device is treated almost entirely as a potential adversary, not as a potential target, either from the disk side or the network side.

Re:I should think so!

[Dutch+Gun]

That was my first thought as well. "It uses Java (probably an older, unpatched version), so of course it's got massive security holes." But seriously, does anyone think there's even a remote chance that in 2015, malware is going to be transported by Blu-ray disc? This is an interesting tech demo, and it's always good to be aware of the potential of these things, but it doesn't seem to be a likely threat vector.