Following the news that the Blu-ray Disc (BD) format could be a new target zone for hackers according to a keynote talk at the Securi-Tay conference http://www.theregister.co.uk/2015/03/02/bad_movie_hackers_can_raid_networks_with_burnt_blurays/ Tim Erlin, director of security and risk, Tripwire and Troy Gill, manager security research, AppRiver explain how this works and how to avoid the threat:
Tim Erlin, director of security and risk, Tripwire says: “It’s easy for the average consumer to forget that the Blu-Ray player sitting next to their TV is really a full-fledged computing platform and member of their home network. While we talk about the Internet of Things as the future, we shouldn’t ignore the embedded devices we’ve already adopted into our lives. This research demonstrates how an attacker can subvert a very normal operation to compromise a computer or Blu-Ray player. In most cases, the user would see nothing out of the ordinary as their machine is taken over. There’s a massive supply chain for the production of Blu-Ray discs, and while there are a number of security features in place, it’s worth considering how a compromise early in the chain might allow for distribution of malware at scale via discs themselves. This is a threat model that has national security implications, both for attacks at scale and targeted attacks at specific individuals.”
Troy Gill, manager security research, AppRiver writes: “These DVD exploits are quite interesting in that they show how an attacker could leverage a seemingly harmless functionality to run malicious executables. However, avoiding this potential threat would be quite simple. You could start by disabling Autoplay, uninstall PowerDVD and avoiding DVD’s from unknown origins. Although it could potentially be used as one additional attack vector for a hacker who is trying various methods to breach a specific network, given the fairly straightforward defense, I do not see this becoming a very widespread issue.”