Slashdot Mirror

← Back to Stories (view on slashdot.org)

Blu-Ray Players Hackable Via Malicious Discs

Posted by Soulskill on from the physical-media-increasingly-sketchy dept.

An anonymous reader writes: Some Blu-Ray disc interactive features use a Java variant for UIs and applications. Stephen Tomkinson just posted a blog discussing how specially created Blu-Ray discs can be used to hack various players using exploits related to their Java usage. He hacked one Linux-based, network-connected player to get root access through vulnerabilities introduced by the vendor. He did the same thing against Windows Blu-Ray player software. Tomkinson was then able to combine both, along with detection techniques, into a single disc.

12 of 107 comments (clear)

  1. I should think so! by drinkypoo · · Score: 3, Insightful

    My Blu-Ray player runs Linux and hasn't had a firmware update since 2011. I'd be shocked if it didn't have remote root holes accessible via network, let alone local privilege escalation exploits in Java.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:I should think so! by fuzzyfuzzyfungus · · Score: 4, Insightful

      I suspect that there are a number of ways in, given the usual attention given to firmware quality; but blu-ray isn't helped by having a security model marked by absolute paranoia about the precious 'content' escaping, combined with some amount of incompetence and a lot of pure apathy about any other security concern.

      With both the BD+ vm and the BD-J stuff, there is a lot of attention paid to 'ooh, the an unauthorized player attempting to do unauthorized things with the content on the disk?!'; but the contents of the disk are largely treated as trusted and the playback device is treated almost entirely as a potential adversary, not as a potential target, either from the disk side or the network side.

    2. Re:I should think so! by Dutch+Gun · · Score: 4, Insightful

      That was my first thought as well. "It uses Java (probably an older, unpatched version), so of course it's got massive security holes." But seriously, does anyone think there's even a remote chance that in 2015, malware is going to be transported by Blu-ray disc? This is an interesting tech demo, and it's always good to be aware of the potential of these things, but it doesn't seem to be a likely threat vector.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    3. Re: I should think so! by bill_mcgonigle · · Score: 4, Interesting

      but it doesn't seem to be a likely threat vector.

      Do some traffic analysis on your target's porn habits at the ISP, leave a compromised disc about his favorite kink in a bag on the ground near where he parks his car, and use his "connected" player to zero-day the other equipment on his LAN, installing the APT without even needing to pretend about premesis warrants or anything.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:I should think so! by fuzzyfuzzyfungus · · Score: 3, Interesting

      It doesn't rank terribly high on the list of choices, given that it would be a pain in the ass to get your malware pressed into a reasonable number of disks(without suitable insider access to the later stages of disk manufacture process, in which case you might have some real room for fun); but there is one little detail that might get rather ugly:

      With 'BD Live', disks can be authored to include access to network resources, as well as locally stored assets, in their Java-driven interactive content stuff. Now, there is no way for an attacker to change the URLs a disk requests; but nor is there a way for anyone else to do so. Whatever was stamped into the disk at production will remain until the disk leaves use.

      Given that companies come and go, and company interest in specific products tends to wane even faster, I would be very, very, very, surprised if the various companies releasing 'BD Live' disks have managed to always retain control of the domain names that their disks will attempt to access. It wouldn't be a terribly high value exploit; but since a disk will attempt to access exactly the same URLs until it dies, you might be able to score a steady trickle of reliable re-infections by snapping up any lapsed domains associated with BD Live disks and adding a little 'bonus content'.

    5. Re: I should think so! by greg1104 · · Score: 4, Funny

      Wow, there's an unexpected back-door entry at every step of that plan.

    6. Re: I should think so! by fuzzyfuzzyfungus · · Score: 3, Insightful

      I think that the apps are supposed to be signed(at least to get useful elevated priviliges, like access to the network or to the player local storage); but if a signed, legitimate, app makes a network request to a server that is no longer friendly, then it becomes a question of input validation, even if the application signing scheme is 100% in order and nobody screwed any part of that up.

      Call me a pessimist; but I'd bet nontrivial money that a lot of the 'interactive' cruft that is pumped out to bulk up 'special edition' releases is barely up to the challenge of presenting a helpful error message if it gets a 404 from the remote host, much less not falling over and wagging its tail against moderately clever malice. In that case, it'd be a fully signed and approved app doing the work, but taking action based on (ill-founded) trust in content it downloaded.

    7. Re:I should think so! by Dutch+Gun · · Score: 3, Interesting

      With 'BD Live', disks can be authored to include access to network resources

      I'm in a many-years-long battle with my PS3, which may be the best example of my irrational stubbornness that I can think of. Every time I play a Blu-ray disk, it asks me if I want to give it internet access. Every. Damn. Time. Why even make a setting called "BD Internet Connection: Allow/Confirm"? Seriously, I can't just set it to "no"?

      For years now, each time that question comes up, I select "no" and think to myself "Screw you, Sony!" There's no way to rationally explain it, but hell will freeze over before I select "yes".

      Now I just have another reason to keep selecting "no". Faith in my cause renewed, the battle continues...

      --
      Irony: Agile development has too much intertia to be abandoned now.
  2. Re:Best defense is not to care by txoof · · Score: 5, Interesting

    I suppose not caring works, but it seems like this is a great vector to turn hardware players into Zombies. If I were a criminal, I could think of a lot of things that could be done with even 1% of the world's internet connected players. Do you really want your Blu-Ray player to be part of a botnet sending spam or participating in denial of service attacks?

    If for no other reason, think of the impact on your bandwidth and electric bill. I certainly don't want a house full of hackable hardware. When (if) the internet of things arrives without security and 10% of the fridges, air conditioners, electricity meters, washing machines, pet doors, TVs and driers are all hacked because manufacturers couldn't be bothered to secure them, I think you'll probably care. It will bring the interwebs to its knees.

    --
    This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
  3. Re:Best defense is not to care by arth1 · · Score: 3, Interesting

    If you can, have the "computer" that you use for such things not matter if it gets hacked. If your blue ray player has no writable storage or network access and you power it off after every use, there is no danger

    I don't think there's a single BD player out there that doesn't allow for either software updates or updates to the BD codes that allow/disallow you to decode disks.

    One I have requires a USB key to be present to cache validity information for disks you have already watched - without it, it still works, but requires contacting the mothership through Internet whenever re-inserting any disks newer than the latest firmware update.

    BD disks these days even come with extras like links to youtube videos, that play on the BD player. That's an attack vector right there. Do they all use https and check the validity of the cert to avoid MITM attacks, using only name servers with signed entries? I highly doubt it.
    If I wanted to hack it, I feel fairly confident that I could do so. I'd start by hooking up to the (convenient) JTAG interface, and learn as much as i could that way, before starting to probe from the outside, i.e. through discs, USB or TCP/IP. But it would be low on my list if things I own that I want to hack. My car is more interesting.

  4. Wanna know a secret? by Solandri · · Score: 4, Interesting

    I'll let you in on a little secret. I own lots of Blu-ray discs, but I don't actually own a Blu-ray player. I buy the disc (whatever my thoughts on Copyright, it is the law and the content producers do deserve to be paid), then I download a Blu-ray rip of the movie from a torrent site. Toss the file on my media server, and call it a day. They get their money, I don't have to deal with their forced previews and FBI warnings. I really have to wonder what they're thinking. First they complain about piracy, then they respond by making their products worse for legit customers than for pirates.

  5. Re: Best defense is not to care by Malc · · Score: 4, Informative

    Most BD players do have storage. BD-Live depends upon it for instance.