For more than a decade, malicious hackers have used booby-trapped USB sticks to infect would-be victims, in rare cases to spread virulent, self-replicating malware on air-gapped computers inside a uranium enrichment plant. Now, a security researcher says he has found a way to build malicious Blu-ray discs that could do much the same thing—without any outward signs that an attack was underway.

Stephen Tomkinson, a security consultant at NCC Group, said he has devised a proof-of-concept exploit that allows a Blu-ray disc to compromise both a PC running Microsoft Windows and most standalone Blu-ray players. He spoke about the exploit on Friday at the Securi-Tay conference at the Abertay University in Dundee, Scotland, during a keynote titled "Abusing Blu-ray players."

"By combining different vulnerabilities in Blu-ray players, we have built a single disc which will detect the type of player it’s being played on and launch a platform-specific executable from the disc before continuing on to play the disc’s video to avoid raising suspicion," Tomkinson wrote in an accompanying blog post. "These executables could be used by an attacker to provide a tunnel into the target network or to exfiltrate sensitive files, for example."

The Windows-based exploit targets PowerDVD, the media player software bundled with Blu-ray-equipped PCs running the OS since at least Windows XP. The Blu-ray specification uses a variant of Oracle's Java framework known as BD-J that allows disc creators to offer various user interfaces and embedded applications. The PowerDVD software offers additional Java classes that provide still more functions and can be invoked using "Xlets," which are small snippets of code analogous to the applets found on websites.

One of the Java classes that Xlets call is a CUtil class that has the ability to read arbitrary files from the disc. Tomkinson discovered a way to manipulate the list of objects the software reads so he could add his own malicious code. "As Blu-ray discs will auto-play on systems with PowerDVD installed, we now have a mechanism to bypass Windows' auto-run mitigations," he noted.

To compromise standalone Blu-ray players, Tomkinson turned to the extensive body of existing research on rooting players, including this exploit, which makes use of a debugging feature that allows a Web browser to be launched. Using some Xlet wizardry, the researcher found a way to run executable files embedded in the disc from the player's supposedly limited environment.

NCC is working with software and hardware makers on a fix. In the meantime, the company recommends that people avoid using removable media drives from unknown origins and that they use the AutoPlay section of the Windows Control Panel to stop discs from playing as soon as they're inserted. NCC also recommended using any available settings to prevent discs from accessing the Internet, since in many cases that will disable BD-J network access, including to the localhost. And as always, users should think long and hard before connecting standalone Blu-ray players, or any "Internet of things" device, to the Internet. If there's not a clear benefit, it's not worth the added security risk.
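The AutoPlay mitigation above can be audited and applied from an administrative shell rather than the Control Panel. The following PowerShell script is an added example, not code from the article or from NCC Group; it assumes the documented Windows registry locations for the AutoRun policy and the per-user AutoPlay switch, and the value 0xFF (disable AutoRun on every drive type).

```powershell
# Added example (not from the article or NCC Group): audits whether Windows
# AutoPlay is disabled for all drive types, the mitigation the article
# recommends against discs auto-launching in PowerDVD on insertion.
# Paths are the documented Windows policy / user keys; 0xFF disables
# AutoRun for every drive type (optical drives included).

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Expected = 0xFF; Kind = 'DWord' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
       Name = 'DisableAutoplay'; Expected = 1; Kind = 'DWord' }
)

function Get-AutoPlayState {
    # Returns one row per setting with the current value and a compliance flag.
    foreach ($c in $checks) {
        $current = $null
        if (Test-Path $c.Path) {
            $current = (Get-ItemProperty -Path $c.Path -Name $c.Name `
                        -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Key       = "$($c.Path)\$($c.Name)"
            Current   = $current
            Expected  = $c.Expected
            Compliant = ($current -eq $c.Expected)   # $null never matches
        }
    }
}

function Set-AutoPlayDisabled {
    # Writes both settings; the HKLM policy key needs an elevated shell.
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected `
                         -PropertyType $c.Kind -Force | Out-Null
    }
}

$state = Get-AutoPlayState
$state | Format-Table -AutoSize
if ($state.Compliant -contains $false) {
    Write-Warning 'AutoPlay is not fully disabled; run Set-AutoPlayDisabled from an elevated shell.'
}
```

The policy value takes effect for Explorer after the user signs in again; the disc-Internet-access setting the article also recommends lives in PowerDVD and player firmware menus, not in these keys.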
