A pair of vulnerabilities found in hardware and software for playing Blu-ray discs might come in handy for secret snooping by the U.S. National Security Agency.
Stephen Tomkinson of NCC Group, a U.K.-based security consultancy, engineered a Blu-ray disc which detects the type of player the disc is running on and then picks one of two exploits to land malware on a computer. He presented the research at the Securi-Tay conference at Abertay University in Scotland on Friday:
http://securi-tay.co.uk/One of the problems is in PowerDVD, an application made by Taiwanese company CyberLink for playing DVDs on Windows computers. The company’s applications are often preinstalled on computers from manufacturers including HP, Dell, Acer, Lenovo, Toshiba and ASUS, according to its website.
Blu-ray discs can support rich content like dynamic menus and embedded games, which are built using Blu-ray Disc Java (BD-J), a variation of Java for embedded systems. BD-J uses “xlets,” or small applications, for things such as user interfaces.
Xlets are prohibited from accessing a computer’s operating system and file system for obvious reasons. But Tomkinson found a flaw in PowerDVD that allowed him to get around the sandbox that xlets can run in and launch a malicious executable.
The second vulnerability lies in some Blu-ray disc player hardware. Tomkinson wrote that he analyzed a “fairly minimal’ embedded system running Linux with a command-line BusyBox interface although he did not identify the make or model:
http://www.busybox.net/about.htmlHis second attack uses an exploit written by Malcolm Stagg to be able to get root access on a Blu-ray player:
http://www.malcolmstagg.com/bdp-s390.html From there, he wanted to see if it was possible to trick the system into running a command that would install malware.
He found it was possible to write an xlet that fooled a small client application called “ipcc” running within the localhost into launching a malicious file from the Blu-ray disc.
To refine the attack, Tomkinson figured out a way to detect what kind of system the Blu-ray disc is running on in order to know which exploit to launch. To mask the strange activity, the Blu-ray disc is coded to start playing its content after one of the exploits has run.
Disc attacks have been tried beforeDistributing a batch of malicious media has been used in the past to attack specific targets. Last month, Kaspersky Lab wrote about the Equation group, a highly advanced group of attackers suspected to be the NSA that used ingenious ways to deliver malware.
Kaspersky described how some participants of a scientific conference held in Houston later received a CD-ROM of material. The CD contained two zero-day exploits and a rarely-seen malware backdoor nicknamed Doublefantasy.
Tomkinson wrote that NCC Group has contacted “the vendors to resolve these issues with varying degrees of success.” CyberLink officials could not immediately be reached for comment.
There are a few defensive precautions users can take. Tomkinson wrote that people can avoid Blu-ray discs that come from unknown sources and also stop discs from running automatically.
If it is possible, users should also turn off the capability that allows Blu-ray players to connect to the Internet or block it from connecting to a network, he wrote.
(PCW)