How Custom Firmware Can Put Your PS3 At Risk

How Custom Firmware Can Put Your PS3 At Risk

What you’re about to read is far from a wide-ranging concern. But it does highlight one legitimate reason Sony has for going after PS3 users installing their own custom firmware on their PlayStation 3 consoles.

A report on Ars Technica, showcasing some digging at the edge’s of the PlayStation Network performed by a team of hackers, reveals that if you start using custom firmware on your PS3, there’s a slight risk that it’ll leave your console (or, to be more precise, your PSN information) vulnerable to theft.

How is this possible? A standard PS3 communicating with the PlayStation Network is entirely secure. Your important information – especially your credit card details – are safe from prying eyes. But that’s only if you’re using an unmodified PlayStation 3.

Users installing custom firmware, on the other hand, are leaving themselves open to the possibility of attack, as this security isn’t there when you foresake Sony’s own updates. As the report states:

The concern raised by the hackers is that custom firmwares could subvert this system. A custom firmware can include custom certificates in its trusted list. It can also use custom DNS servers. This raises the prospect of a malicious entity operating his own proxies to snaffle sensitive data. He would distribute a custom firmware that had a certificate corresponding to his proxy, and that used a DNS server that directed PSN connections to the proxy. His proxy would decrypt the data sent to it, and then re-encrypt it and forward it to the real PSN servers.

This data would basically be everything your PS3 sends to the PlayStation Network. While most of this is relatively harmless (like trophy data), some of it (like credit card info and your address) is not.

Now, as I said at the start, this isn’t a serious concern for everyone. You would have to download and install malicious firmware for this to happen, and those using Sony’s own updates (or trusted/verified custom firmware) would be fine.

But even the possibility of that kind of information being lifted is enough for Sony to say “we told you so”, as one of its big defences in going after PS3 hackers is the position that Sony’s security system is there for a reason: to protect the consumer.

Report: PSN hacked, custom firmware could pose security risk to users (UPDATED) [Ars Technica]


  • Don’t see how this matters? People who hack their ps3s know they would get banned from psn so why would they have a credit card attached to it?

    • funny how the first firmware that can detect if there has been CFW running and all of a sudden there are people getting errors with ‘new’ drives?
      why is it all of a sudden that so many people are upgrading/replacing thier HDDs?
      massive coincidence ftw?
      did i miss anything?

  • And don’t ever buy anything with your credit card off the PS Store. And don’t even log in to PSN if you don’t want to risk having your password stolen, at which point somebody could download games you’ve bought, send abusive messages to others, etc.

    Not really practical. The correct answer was “don’t use custom firmware with your PS3 unless you wrote it yourself.”

  • The article was updated to state that sensitive information is transferred over a secure SSL connection. There’s an alternate risk, however, that hackers can spoof console IDs and PSN usernames and make Sony think your legitimate PS3 has been running CFW/homebrew.

  • This seems more like a Sony scare tactic to me – “Because you use custom firmware and not downloading official Sony updates, your information might be no longer secure”. I would be surprised if this did happen to anyone as it just sounds like sony is trying to scare off some people that are thinking about hacking the PS3.

    • matt, just look at the amount of phishing that goes on.

      The number of people who fall prey to online ID scams.

      Look at the vast numbers of PCs taken over by botnets around the world.

      Or the even greater number infected by virii, worms, trojans, etc.

      Can you honestly say CFW concerns are just Sony “scare tactics”?

      Of COURSE some arseholes are going to try and use CFW to phish/hax/bot your PS3. Why wouldn’t they? The Hacker Code of Honour?

      If you go online with CFW — particularly no-name CFW — you are asking for a world of trouble. Same goes for downloading any random .PKG file from a warez site.

    • Yeah, you might want to actually read the story there, champ.

      This information didn’t come from Sony – it came from hackers.

Show more comments

Log in to comment on this story!