For the last month, Sony PS3 online gamers have felt the pain of being disconnected from the Playstation Network (PSN) as the result of a massive network hack.
One of those gamers is Veracode security researcher Chris ‘t0ph’ Lytle, who instead of simply complaining about the outage, began to research what was actually going on. Lytle detailed his findings about the PSN attack during a live Black Hat webcast this week. It’s a story that begins several months before the crippling attack that has disabled PSN and has as much to do with the actions of Sony as it does with the outage itself.
Lytle detailed the history of the PS3 modding scene, which is all about getting the PS3 to run things it was not originally intended to run. One of those things is another operating system, most notably Linux. Initially, the PS3 allowed Linux to run under a virtualization hypervisor on top of the default PS3 firmware. Sony later revoked that access, which led to a cat-and-mouse game for much of 2011.
On January 2nd of 2011, George Hotz, better known in the hacking community as ‘geohot’, discovered the root signing key for the PS3. Lytle noted that with that signing key a modder could sign code that would then run on the PS3 firmware. On January 11th, Sony filed a lawsuit against geohot.
The lawsuit wasn’t enough to slow down the modding community. Lytle said that on March 3rd the Rebug firmware was released for the PS3. Rebug leveraged the geohot code to create an alternate firmware for the PS3 based on a development console. Lytle explained that with Rebug, users could take a regular PS3 and use it to develop homebrew software.
On the same day Rebug was released, Sony laid off some 205 employees.
Attacks on Sony PSN began in April from the Anonymous group in response to the geohot lawsuit in what is known as “Operation Sony.” On April 20th, Sony pulled the plug and the PSN went dark.
Lytle offered up a number of theories as to what actually took down the PSN. The top theory is that Sony was running unpatched server software, including the open source Apache Web server running on Linux as well as the Apache Tomcat application server.
The other theory is that Sony had some form of in-house application vulnerability and, since there is overlap between Sony Online Entertainment and Sony Corp, a breach in one was able to spread the damage to the other.
“More than likely there were multiple concurrent breaches,” Lytle said.
Lytle noted that multiple Sony sites have been hit in the last month with SQL injection flaws, which leads to another possible theory.
“Of the attacks where the attack vector was known, they are all things that Sony’s coders are directly responsible for,” Lytle said. “For the other ones, we’re looking at an un-patched server in which case Sony’s IT team would be responsible for it.”
During Q&A, Lytle responded to a question about whether or not PCI compliance would have helped Sony this way: “If their servers were not patched, then clearly they didn’t have a patching strategy, which is part of PCI,” Lytle said.
Overall, Lytle stressed that the PSN attacks should be a wakeup call for gaming industry security. He noted that Microsoft’s Xbox Live could also be a target, as it performs the same basic functions that Sony PSN does.
That said, Lytle noted that while Microsoft may be seen as a juicy target by attackers, it has made some good choices that Sony has not.
“It’s worth noting that a lot of people that have been claiming to be the attackers have been saying they attacked because of things like geohot,” Lytle said. “They didn’t get attacked because they were weak, they didn’t get attacked for credit cards, they got attacked because of a conscious decision the company made to go after modders.”
In contrast, Microsoft takes a more open view on modding. “The attitude of the company towards the general public is what really played a role in Sony being attacked and why they are continuously being attacked,” concluded Lytle.