Joshua Brindle

How to Win At Security

Why Blu-Ray scares me

Now that Blu-Ray has all but won the HD format war I guess its a little late to post this but oh well, I'll do it anyway.

Disclaimer: I am an HDDVD owner but this post is not a result of bitterness about my chosen format losing. The reason I'm posting here about (among others) is the actual reason I chose HDDVD. I also don't want to talk about the pro's and con's of DRM or whether the DRM has been cracked and is accessible via other means. I am going to talk about the intentions of the format producers and what it means to consumers.

So, basically the big security problem I have with Blu-Ray is that BD+ (a BluRay specific DRM mechanism) has some scary provisions to make movie producers happy. Basically the idea behind BD+ is that the movie, decoding, etc is done from within a virtual machine.

So the problem with using a virtual machine to protect the data from the person who owns the device is that the host inherently can access and manipulate the virtual machine itself, including the data. This presents a fundamental problem with the idea of protecting the content. So in order to address this the movie producer must be satisfied that the host machine is in a state where the virtual machine is considered safe.

This is where BD+ gets scary. It allows movie producers to package arbitrary host executables with the BD+ virtual machine that is run on the player before the virtual machine unencrypts any content. The idea, of course, is that a vulnerable host (that is, a host that allows unauthorized access to the unencrypted content) can be patched in order to close the vulnerability. This has some serious ramifications including, but not limited to, producers being able to rootkit machines (see sony's recent rootkit fiascos), spyware, broken patches that make systems more vulnerable, broken patches that break machines, patches that affect different OS releases differently, etc.

I almost wish a producer would create a PS3 patch that bricks a bunch of PS3′s just to show how very very dangerous “features” like this are.

So that is one of the features that scared me the most. There are other problems I had that caused me to choose HDDVD such as incomplete specifications for BluRay, fewer features in the original specifications, limits on the layering of the disks and so on. I now have a dilemma about whether to get a BluRay player knowing that, as a consumer, the choices I make validate the behavior of the producers. The most disturbing fact is that the consumers who don't know about these issues have implicitly allowed the format producers and movie producers to build this incredibly anti-consumer system. C'est la vie I suppose.