Your PS3 is not transmitting in the clear…
There’s a PDF going around today that’s been getting a lot of attention in claiming that Sony is transmitting user information in the clear:
Unfortunately, the paper is loaded with irrelevant information, dubious claims, and poor understanding of internet transactions. But there is a little nugget of good information in here, which I’ve tried to pick out.
The section on “sensitive information” seems to contain a lot of filler, and doesn’t make too much sense. He claims that Sony uses HTTPS/SSL, but that this “isn’t good enough”. He then goes off topic about how Sony is a large network and that the IP addresses of this large network are all publicly accessible. This is all true, but does not contribute to his argument that the information is not secure. But he does seem to insinuate that there’s a way to phish user data, particularly in his mention of SSL, custom certificates, and third-party DNS servers.
Let’s look at the HTTPS/SSL issue.
When an SSL session is negotiated by your PS3 with Sony’s servers, the PS3 fetches a certificate from Sony’s server that is authenticated against a CA, verifying that the server is who it claims to be. In that certificate is the server’s public key, which is used by the client to encrypt information to send to it. Information cannot be decrypted by the public key, only by the server’s private key, which only it possesses.
So the information being sent to Sony is encrypted, and it’s using SSL, the accepted standard for banks, remote terminal sessions, your gmail, and generally anything else of importance. There are no current flaws in this protocol when implemented correctly.
The ability to forge a client certificate on the PS3 weakens this somewhat, but not directly, and the paper fails to describe this. But I think I can identify what he’s trying to get at.
The PS3 needs to have a trusted root certificate from a Certifying Authority (CA) stored in the console so that, when contacted by a system claiming to be a Sony PSN server, it can verify that it really is a PSN server. (This is the same mechanism that identifies your bank to be who they claim to be.) The ability to create custom firmware (CFW) means that a hacker could distribute a CFW that possesses an altered, additional, or different trusted root CA.
Recall whenever your web browser gave you an alert upon finding an expired certificate, or probably more appropriately, a self-signed certificate. If you’re using HTTPS on a home router, you probably have one of these. Since there is no pre-loaded root CA on your system, you need to decide if you can trust it yourself.
By having a CFW loaded, you’re never prompted for this, and unless you audit the code yourself, you won’t know if there are other root certificates loaded. Any that are loaded are assumed trusted.
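One way to do that audit is to fingerprint every root in a firmware’s certificate bundle and diff it against a known-good baseline. The script below is an added example, not Sony’s or any CFW project’s code; the PEM bundles it builds are constructed placeholders (the base64 bodies are not real X.509 certificates), so it runs offline, but the fingerprint it computes is the same SHA-256-over-DER value `openssl x509 -fingerprint -sha256` prints for a real bundle.

```python
import base64
import hashlib
import re


def fake_pem(label: bytes) -> str:
    """Constructed stand-in for one PEM certificate; the body is placeholder bytes."""
    body = base64.encodebytes(label).decode()  # wrapped and newline-terminated like PEM
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed bundles: the stock trust store and a CFW store with one extra root.
STOCK_BUNDLE = fake_pem(b"constructed: vendor root CA") + fake_pem(b"constructed: public root CA")
CFW_BUNDLE = STOCK_BUNDLE + fake_pem(b"constructed: extra self-signed root added by CFW")

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(bundle: str) -> set[str]:
    """SHA-256 of each certificate's DER bytes (the PEM body, base64-decoded)."""
    fingerprints = set()
    for match in PEM_RE.finditer(bundle):
        der = base64.b64decode("".join(match.group(1).split()))
        fingerprints.add(hashlib.sha256(der).hexdigest())
    return fingerprints


def audit_trust_store(bundle: str, baseline: set[str]) -> dict[str, set[str]]:
    """Roots present in the bundle but not in the baseline are the ones to investigate;
    roots missing from the bundle are also reported, since removal can break validation."""
    found = pem_fingerprints(bundle)
    return {"added": found - baseline, "missing": baseline - found}


# Baseline taken from the stock bundle; in practice it comes from a firmware you trust.
BASELINE = pem_fingerprints(STOCK_BUNDLE)

if __name__ == "__main__":
    for name, bundle in (("stock", STOCK_BUNDLE), ("cfw", CFW_BUNDLE)):
        result = audit_trust_store(bundle, BASELINE)
        print(f"{name}: {len(result['added'])} added, {len(result['missing'])} missing")
        for fp in sorted(result["added"]):
            print("  unexpected root:", fp)
```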
Here’s where we get to the “third-party DNS” that he mentions. Assuming you’re not running your own DNS server (to say nothing of whether it’s secured), it is possible that the DNS server you connect to could be spoofed to identify a Sony PSN server’s host name as a different IP. At that point, assuming you’re running a CFW that has a crafted root CA loaded, the PS3 will receive the spoofed address, the altered certificate will identify the server as legitimate, and a connection will be established. Voila, your information is being sent.
So the short of this:
Your information is not being sent in the clear, but is being sent via industry standard HTTPS/SSL.
For an attack to succeed:
- An attacker must persuade you to load a CFW that has a self-signed root certificate loaded on it
- The attacker must successfully poison the DNS cache of a DNS server that YOU use
- The attacker must then wait/hope/pray that you connect to the server he spoofed so that you can authenticate to him.
That, ladies and gentlemen, is a pretty tall order, though it’s by no means implausible. But it is the sort of issue that gets a lot of attention these days (and is a large part of the reason why certificate validation has become so visible in web browsers as of late.)
Of course, it could certainly be a lot simpler than that. If we can convince someone to load our custom firmware, why not have it contact our servers directly? We could dispense with SSL altogether, install our own application data, and pull all of the information we want directly. A CFW allows its writer to exercise control of the system if he/she wanted to, just like the writer of a trojan or rootkit gives an attacker control over a PC.
So if you’re not using a CFW, then you’re pretty safe. If you are, then you need to ensure that no other forged or crafted root CAs exist, and that you are using a relatively secure DNS server. In my opinion, any DNS server by a major ISP should be more than sufficient.
If Sony has a good argument for persuading people not to use a CFW, then it’s this one here. Remember the tenet of security: “If a bad guy can persuade you to run his code on your computer, then it’s not your computer anymore”. PS3 hackers are suddenly discovering this. With root access, you can see a lot that you couldn’t previously. Would they be just as surprised to know that this very same information is sent to your bank, or Paypal, or WoW account, every time you use your PC?
I am just as excited as most at the possibilities of running custom code on the PS3 hardware. But with such power comes responsibility, as well as danger. Always ask yourself if you trust the source of your software, and what mitigations are in place. For CFW, those mitigations could be few indeed. Keep your personal information off a cracked PS3, and if feasible, off the internet entirely. I have no doubt that Sony will find ways to keep cracked PS3s off PlayStation Network for good, so there’s little to lose here. The important thing is to recognize the risks that follow a CFW, and act accordingly.
(Parts of this post were originally posted here, comments, page 3)