How Custom Firmware Can Put Your PS3 At Risk

What you're about to read is far from a wide-ranging concern. But it does highlight one legitimate reason Sony has for going after PS3 users installing their own custom firmware on their PlayStation 3 consoles.

A report on Ars Technica, showcasing some digging at the edge's of the PlayStation Network performed by a team of hackers, reveals that if you start using custom firmware on your PS3, there's a slight risk that it'll leave your console (or, to be more precise, your PSN information) vulnerable to theft.

How is this possible? A standard PS3 communicating with the PlayStation Network is entirely secure. Your important information - especially your credit card details - are safe from prying eyes. But that's only if you're using an unmodified PlayStation 3.

Users installing custom firmware, on the other hand, are leaving themselves open to the possibility of attack, as this security isn't there when you foresake Sony's own updates. As the report states:

The concern raised by the hackers is that custom firmwares could subvert this system. A custom firmware can include custom certificates in its trusted list. It can also use custom DNS servers. This raises the prospect of a malicious entity operating his own proxies to snaffle sensitive data. He would distribute a custom firmware that had a certificate corresponding to his proxy, and that used a DNS server that directed PSN connections to the proxy. His proxy would decrypt the data sent to it, and then re-encrypt it and forward it to the real PSN servers.

This data would basically be everything your PS3 sends to the PlayStation Network. While most of this is relatively harmless (like trophy data), some of it (like credit card info and your address) is not.

Now, as I said at the start, this isn't a serious concern for everyone. You would have to download and install malicious firmware for this to happen, and those using Sony's own updates (or trusted/verified custom firmware) would be fine.

But even the possibility of that kind of information being lifted is enough for Sony to say "we told you so", as one of its big defences in going after PS3 hackers is the position that Sony's security system is there for a reason: to protect the consumer.

Report: PSN hacked, custom firmware could pose security risk to users (UPDATED) [Ars Technica]


Comments

    SOLUTION: DON'T ADD YOUR CREDIT CARD AND PERSONALLY IDENTIFIABLE INFORMATION TO YOUR PS3.

      Im not 100% sure- but dont you need CC details to register any PSN acct? And a PS3 without actively utilising PSN is, well, kinda retro and shit.

      In either case, people hacking their PS3s are prob too *cough* L337 to worry about being hacked themselves. I wish I was as cool as them.

        You don't need a CC.

        No, they're free to set up & don't require anything more than a (fake, if you want) email address, and if you use PSN cards you never need to put your credit card in at all.

      SOLUTION: Stop Hacking.

    Don't see how this matters? People who hack their ps3s know they would get banned from psn so why would they have a credit card attached to it?

    How official firmware can put your PS3 at risk:

    http://community.eu.playstation.com/t5/Technical-Support-Help-Advice/System-Update-3-56-Data-Corrupted-after-Swap-HDD/td-p/12309619/highlight/false

    I really wouldn't mind if Kotaku did some research on this issue and made a post on it. The more people that know about this the better.

      Or if Kotaku could contact Sony for an official response, as they up to this point have not made one.

      funny how the first firmware that can detect if there has been CFW running and all of a sudden there are people getting errors with 'new' drives?
      why is it all of a sudden that so many people are upgrading/replacing thier HDDs?
      massive coincidence ftw?
      also:
      "JOIN MY CLASS ACTION AGAINST SONY!"
      did i miss anything?

    And don't ever buy anything with your credit card off the PS Store. And don't even log in to PSN if you don't want to risk having your password stolen, at which point somebody could download games you've bought, send abusive messages to others, etc.

    Not really practical. The correct answer was "don't use custom firmware with your PS3 unless you wrote it yourself."

    The article was updated to state that sensitive information is transferred over a secure SSL connection. There's an alternate risk, however, that hackers can spoof console IDs and PSN usernames and make Sony think your legitimate PS3 has been running CFW/homebrew.

    A good hacker will get into your system no matter what your firmware, official or unofficial. Point is moot...

    This seems more like a Sony scare tactic to me - "Because you use custom firmware and not downloading official Sony updates, your information might be no longer secure". I would be surprised if this did happen to anyone as it just sounds like sony is trying to scare off some people that are thinking about hacking the PS3.

      matt, just look at the amount of phishing that goes on.

      The number of people who fall prey to online ID scams.

      Look at the vast numbers of PCs taken over by botnets around the world.

      Or the even greater number infected by virii, worms, trojans, etc.

      Can you honestly say CFW concerns are just Sony "scare tactics"?

      Of COURSE some arseholes are going to try and use CFW to phish/hax/bot your PS3. Why wouldn't they? The Hacker Code of Honour?

      If you go online with CFW -- particularly no-name CFW -- you are asking for a world of trouble. Same goes for downloading any random .PKG file from a warez site.

      Yeah, you might want to actually read the story there, champ.

      This information didn't come from Sony - it came from hackers.

Join the discussion!