British hacker Stephen Tomkinson has found two Blu-Ray-borne attacks.
His first exploit relies on a poor Java implementation in a product called PowerDVD from CyberLink. PowerDVD plays DVDs on PCs and creates menus using Java, but the way Oracle's code has been used allows naughty folk to circumvent Windows security controls.
The result, the NCC Group consultant says, is that it's possible to put executables onto Blu-Ray disks and to make those disks run automatically on startup even when Windows is set to stop that outcome.
Users would have no reason to suspect the whirring of an optical drive indicated unknown software was running, making this a potentially nasty attack.
The second attack borrows, in part, from hacker Malcom Stagg's Blu Ray rooting process that takes advantage of debug code to launch from an external USB. A Java Xlet can be written to replay a TCP stream to the net inf daemon, which provides a means of exploitation from a Blu ray disc.
“This gives us a working exploit to launch arbitrary executables on the disc from the Blu-Ray’s supposedly limited environment,” Tomkinson says.
Attackers need to first determine what model of DVD player their target is running, a feat possible by looking at a generated security exception.
Tomkinson recommends concerned users avoid playing Blu-Ray discs from untrusted origins, and prevent discs from auto-playing and accessing the internet.
His work follows the popping of Blu-Ray region locks by Free Software Foundation board member Matthew Garrett who in December revealed how punters could break out of DCMA controls on players built before 2014. ®