Potential for PCs and players to be infected with malware just by inserting a Blu-ray disc

ByDiego Correa

It is computer-related security consultant that it is possible to prepare malware for those terminals without being noticed by users simply by inserting a Blu-ray disc in PC or Blu-ray playerNCC GroupIt was revealed by Mr. Steven Tomkinson's research.

Abusing Blu-ray Players Pt. 1 - Sandbox Escapes | NCC Group
https://www.nccgroup.com/en/blog/2015/02/abusing-blu-ray-players-pt-1-sandbox-escapes/


More IoT insecurity: This Blu-ray disc pwns PCs and DVD players | Ars Technica
http://arstechnica.com/security/2015/03/more-iot-insecurity-this-blu-ray-disc-pwns-pcs-and-dvd-players/


This method was announced by Steven Tomkinson of NCC Group, a computer security consultant. Tom KinsonProof of conceptIn the software embedded in the Blu-ray disc, it succeeded to let it run secretly on PC and Blu-ray player. Details of this proof of concept were held at Abertay University in Dundee City, ScotlandSecuri-Tay InfoSec ConferenceThe title of the keynote was "Abusing Blu-ray players" (abuse of Blu-ray players).

According to Tomkinson, "By combining different vulnerabilities existing in the Blu-ray player, it is possible to create a single disc that will keep the program secretly playing while playing the video in the disc" For example, if you exploit this, you will be able to open a hole in the target network from the Blu - ray player, send a detectable file to the outside at random, and so on.

ByStephen Saucier

What kind of vulnerability actually is used is, in case of Windows based devices, software preinstalled as a software for Blu - ray playback in Windows XP or laterPowerDVDBy using, it is possible to sneak malware loaded on a Blu - ray disc into the PC. In this case, it is a variant of the Java frameworkBD-J. This BD-J is used to add trailer video to Blu-ray disc, game, quizzes, bulletin board function etc added. Furthermore, in PowerDVD, code similar to Java applet "Xlets"It is said that it will be possible to add more functions than BD-J by using this. Since Xlets, which is a type of Java class, makes it possible to read arbitrary files from the disk, if this is exploited, it will be possible to execute the executable file embedded in the disk even under a restricted environment like a Blu-ray player ,apparently.

NSS warns you to avoid using unknown media, and at the same time we recommend stopping the AutoPlay section from the Windows control panel to prevent automatic playback when inserting the disc I will. Moreover, "Commenting off the authority to access the Internet from the disk also makes BD-J unable to access the network from the local host and it will be a way to prevent malicious attacks."

In recent years it has been connected to the Internet all the timeIoTAlthough there are an increasing number of devices, Ars Technica points out that the risk should be reexamined once again.