3

I went on holiday with a friend. He filmed and made a movie from our trip. He put the movie on my usb key.

I was about to plug this, but realised my friend does not have good security practices, so my usb key might now be infected.

I know I should never plug that usb key back into my computer. However, I am wondering if I could put it into a standalone DVD/Bluray player (device not linked to a computer, that plugs into the TV via HDMI).

Can such a device get infected by a malware, and then spread it to my network?

schroeder
  • 123,438
  • 55
  • 284
  • 319
DevShark
  • 331
  • 1
  • 10

2 Answers2

7

This is mostly a question of targeting. In a case like this, we're most likely talking about opportunistic infection. What this means is that some malware may copy itself to any USB stick that is inserted, perhaps with an autorun.ini file that attempts to start the malware when you plug it in (this doesn't work by default on Windows 7 or later), or with some interesting looking file name that it entices you to click on. Generally speaking any malware is going to target Windows.

In an very rare case, the malware may also bundle a payload designed to attack a common smart TV operating system, such as Android TV or webOS. These embedded operating systems used to run some very old Linux packages with vulnerabilities in them; the vulnerable package I most commonly see on these types of infotainment systems is libpng. However, for opportunistic USB stick infection from a Windows host, I don't think I've ever heard of malware that targets one of those platforms.

Technically speaking a standalone Blu-Ray player can suffer the same problems. It's a surprisingly richly featured system, including a Java ME runtime for BD-J content. Since most Blu-Ray players never get software updates it is reasonable to assume that there are vulnerabilities in most of them and they never get patched. However, a standalone Blu-Ray player is exceedingly unlikely to be targeted, for a number of reasons: the chances of you plugging the USB stick into a Blu-Ray player are small; the chances of that Blu-Ray player being the one they happened to target are smaller still; the chances of that Blu-Ray player happening to run the right version of the software for their payload is even smaller; and most of the time the Blu-Ray player isn't connected to the network anyway so there's little point in infecting it - it doesn't have access to anything useful and can't talk back to the attacker.

Usually the way I deal with untrusted devices is to load them in an environment that I can just throw away. Booting from a live Linux USB on a system with no other mass storage devices is a good way to do this. If you've got a spare laptop hanging around you can just pull out the hard disk and use it to scrub everything on the flash drive aside from the one file you care about. Chances are the malware can't run on Linux anyway, and even if it did there's no easy way for it to persist in a live boot environment.

As an aside, I recommend that you update your video player software to the latest version, because video players can have vulnerabilities too.

Polynomial
  • 132,208
  • 43
  • 298
  • 379
0

it is possible, though I guess the malware is not targeting the devices you mentioned.

In such cases I use a live CD of a linux distribution and have it check the media.

If I turn super paranoid, I'd unplug my usual storage media.

mldevw
  • 11
  • 1