Forum: Latest News - Get all of the latest legal dev and underground news as it relates to the Sony PlayStation right here on PSX-Scene.

Thread: Call of Privacy: Modern Spyware By PlayStation Network
  

  1. #1 Call of Privacy: Modern Spyware By PlayStation Network 
    The Central Scrutinizer's Avatar
    The Central Scrutinizer is offline PSX-SCENE Admin Bot
    Join Date
    Jul 2002
    Posts
    919
    Downloads
    0
    Uploads
    0
    Likes Given
    0
    Likes Received
    512
    On the heels of the mighty BanHammer being thrown around by Sony now, along with tons of warning emails to millions of PSN account holders, a group of hackers called The Anonymous Data Protection Officers have produced a PDF on PlayStation Network that shows it is totally lacking in security; even your credit card is transmitted in plain text format over the 'net every time you use your PS3 console!


    Update:
    A document written by the hackers has clarified what they did and what privacy and security risks they believe the PlayStation 3 poses. The PS3's connection to PSN is protected by SSL. As is common to SSL implementations, the identity of the remote server is verified using a list of certificates stored on each PS3. The credit card and other information is sent over this SSL connection. So far so good; this is all safe, and your web browser depends on the same mechanisms for online purchases.

    The concern raised by the hackers is that custom firmwares could subvert this system. A custom firmware can include custom certificates in its trusted list. It can also use custom DNS servers. This raises the prospect of a malicious entity operating his own proxies to snaffle sensitive data. He would distribute a custom firmware that had a certificate corresponding to his proxy, and that used a DNS server that directed PSN connections to the proxy. His proxy would decrypt the data sent to it, and then re-encrypt it and forward it to the real PSN servers.

    Such a scheme would be transparent to PSN users (except for any potential performance reduction caused by the proxying), and would give the attacker access to all the information that the PS3 sends to Sony. This information is shown to be extensive, but apart from the credit card data, probably not too sensitive or unreasonable.

    As flaws go, the risks here are not substantial. There is no generalized ability for hackers to grab credit cards from PSN users; only those using specially devised custom firmwares would be at risk. Essentially the same risk could be faced by anyone downloading a pirated version of Windows: extra certificates could be added to those normally trusted, along with suitable DNS entries, to allow interception of any traffic destined for, say, amazon.com. In practice, the risk of either of these is slight, and in any case, trivially avoided: don't use custom firmware.
    Original story:
    Sony has officially stated that anyone using hacked firmware or any sort of circumvention technology will have their console banned for life from the PlayStation Network, but how does the company know when such a console logs in? One person claims to have broken into the PlayStation Network, and what he has found is rather shocking. If his findings are accurate, your credit card information is being sent to Sony as an unencrypted text file, and Sony is watching every single thing you do with your system, keeping detailed records all the while.

    "Sony is the biggest spy ever... they collect so much data. All connected devices return values sent to Sony's servers," the hacker said. He claims that Sony knows what controllers you're using, what USB devices are plugged in, what sort of television you're using—everything. Here's another section of the chat log:
    Code:
    •user2: another funny function i found is regarding psn downloads
    •user2: its when a pkg game is requested from the store
    •user2: in the url itself you can define if you get the game free or not. requires some modification in hashes and so on tho
    •user3: ..
    •user2: is like
    •user8: :D
    •user3: my god
    •user2: drm:off
    That's not all: your credit card information is apparently being sent as an unencrypted text file. This is how the code is being sent to Sony:

    Code:
    creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=45581234567812345678&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20
    This information is allegedly being stored online and is updated every time you turn on your system. We've been receiving reports from various sources that e-mails are being sent to those with hacked firmware even before they log back into the PlayStation Network, which is even more evidence that Sony is grabbing information from your system just from being connected to your wireless network.

    The ability to enable free downloads is likewise unsurprising, as there may be a way for some users, such as press and developers, to access the PlayStation Network without needing to pay for content. While other console manufacturers may keep free, pre-review content in a separate, closed-off network, it's possible Sony keeps everything in one place, and controls who pays and who doesn't via a simple toggle. That would be unsafe from a security standpoint, but when has that stopped anyone from stupid mistakes in the past?

    It's also very possible this is all fake, but much of what the unnamed hacker is saying links up with what we know from other sources about the behavior of the PlayStation Network. It's worth treating this as a very real threat: use PSN cards instead of credit cards on the PlayStation Network, and make sure you don't share any passwords or login information between your PSN account and other accounts.

    We've contacted Sony for comment, but have not received a reply at time of publication. The hackers joked that the next update will remove the PlayStation Network, just as Sony removed the Other OS feature when it became compromised.
    Attached is the original PDF that has been making the rounds on the 'net!

    News Source: Report: PSN hacked, custom firmware could pose security risk to users (UPDATED)

    Sorry for delay in posting the news, I had major problems getting into the site via IE, now I fixed the broken attachment also!
    Last edited by garyopa; 02-17-2011 at 03:29 PM. Reason: Formatted for front page, and fixed broken PDF link!
    Reply With Quote  
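A defender's check for the two changes the update in the post above describes (extra certificates in the trusted list, and DNS answers that send the service's hostnames elsewhere), as an added example that is not part of the original post or the hackers' PDF. The function names, the placeholder byte strings standing in for certificates and the documentation-range IP addresses are all assumptions.

```python
import hashlib
import ipaddress
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)

def fingerprints(pem_bundle):
    """SHA-256 over the DER bytes of each certificate in a PEM bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_BLOCK.findall(pem_bundle)}

def audit_trust_list(installed_pem, baseline_pem):
    """Diff the trust list found on a device or in a firmware image
    against the vendor's known-good list."""
    installed, baseline = fingerprints(installed_pem), fingerprints(baseline_pem)
    return {"added": sorted(installed - baseline),     # roots the vendor never shipped
            "removed": sorted(baseline - installed)}   # vendor roots that are missing

def unexpected_answers(resolved_ips, expected_networks):
    """Return resolver answers that fall outside the service's known ranges."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    return [ip for ip in resolved_ips
            if not any(ipaddress.ip_address(ip) in net for net in nets)]

def bundle(*ders):
    """Build a PEM bundle from raw DER byte strings."""
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)

# Constructed sample data: placeholder bytes stand in for DER certificates.
# Fingerprinting hashes the raw bytes, so the diff logic is the same for real ones.
VENDOR_A = b"constructed DER bytes: vendor root A"
VENDOR_B = b"constructed DER bytes: vendor root B"
EXTRA = b"constructed DER bytes: root added by a repackaged firmware"

BASELINE = bundle(VENDOR_A, VENDOR_B)
SUSPECT = bundle(VENDOR_A, VENDOR_B, EXTRA)

if __name__ == "__main__":
    print(audit_trust_list(SUSPECT, BASELINE))
    # Addresses below are from the RFC 5737 documentation ranges (constructed).
    print(unexpected_answers(["192.0.2.10", "203.0.113.7"], ["192.0.2.0/24"]))
```

Either finding alone is worth investigating; together (an unknown root plus answers outside the expected ranges) they match the proxy setup the update describes.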

  2. #2  
    Noxside's Avatar
    Noxside is offline Retro Gamer
    Join Date
    Nov 2010
    Location
    Norway
    Posts
    68
    Downloads
    0
    Uploads
    0
    Likes Given
    3
    Likes Received
    5
    If this is all true, I hope to God people in the US sue the **** out of Sony for this. Glad that I removed my credit card details from PSN when the first jailbreak dongle came out, since I planned to have it jailbroken. In the end the PS3 got ****ed and your details are then at risk.
    Reply With Quote  

  3. #3  
    juanmiglesias is offline Registered User
    Join Date
    Nov 2002
    Posts
    4
    Downloads
    0
    Uploads
    0
    Likes Given
    0
    Likes Received
    1
    I was surprised at first... then I remembered it's SONY we are talking about.. LoL big fail...
    __(¯`·._ juan VENEZUELA_.·´¯)_
    Reply With Quote  

  4. #4  
    Peppers's Avatar
    Peppers is offline Hot and Spicy
    Join Date
    Nov 2004
    Posts
    999
    Downloads
    0
    Uploads
    0
    Likes Given
    0
    Likes Received
    0
    The lead of this news post is misleading.

    If you continue to read you see that if your PS3 has not been modified specifically for the purpose of stealing your personal information you're OK; an unmodified PS3 is not at risk. Your regular computer is far more likely to be a target of such an attack.
    Last edited by Peppers; 02-17-2011 at 03:53 PM.
    My Christmas decorations aren't coming down.
    Reply With Quote  

  5. #5  
    PhaReelDoa is offline Member
    Join Date
    Feb 2011
    Posts
    41
    Downloads
    0
    Uploads
    0
    Likes Given
    0
    Likes Received
    0
    You guys do realize the vulnerability lies within using CFW, right? Make sure of your download sources.
    Reply With Quote  

  6. #6  
    braders1986 is offline Banned
    Join Date
    Dec 2010
    Posts
    243
    Downloads
    0
    Uploads
    0
    Likes Given
    0
    Likes Received
    0
    Can't believe the cheek of people on here moaning that they got banned lol
    WTF!.... do you actually expect to get away with it.
    You went against their policy, now you pay the price


    ****ing deal with it
    Reply With Quote  

  7. #7  
    ModderFokker is offline Member
    Join Date
    Sep 2010
    Posts
    45
    Downloads
    0
    Uploads
    0
    Likes Given
    0
    Likes Received
    2
    Why the F would someone use a CC on a modded PS3 ...pmsl
    Reply With Quote  

  8. #8  
    Wutangrza's Avatar
    Wutangrza is offline Member
    Join Date
    Dec 2010
    Posts
    488
    Downloads
    0
    Uploads
    0
    Likes Given
    0
    Likes Received
    12
    Wow, this is such FUD and should be deleted. Are you kidding me?

    Being only protected by SSL and being sent in plaintext aren't even close to the same ****ing thing. The only way this is a vulnerability is if you install malicious software on your PS3. This isn't Sony being evil.

    For example, if I distribute a CFW or a self signed cert and tell you to install it on your PS3, then I also tell you to use my server as a proxy server, yes, I could scrape your details including your CC info, but news flash, installing random software you find on the Internet is a bad idea and as the devs have been saying for MONTHS it's a bad idea to route your traffic through someone's proxy you don't trust.

    This should be deleted from the frontpage immediately or at least edited to make clear this only poses a risk to someone if they install malicious software on their PS3.

    edit: To clarify, your credit card is never sent in plaintext over the net. It's sent over https and encrypted with SSL. The user in that chat log is simply saying that it's not encrypted twice (ie, encrypted and then also sent over https). The only way this is dangerous is if you install malicious software on your console. Essentially it's like saying, "WARNING IF YOU INSTALL THIS VIRUS YOUR COMPUTER WILL GET MESSED UP, SONY EPIC FAIL LAWL!"
    Last edited by Wutangrza; 02-17-2011 at 03:34 PM.
    Reply With Quote  

  9. #9  
    erexx is offline PS3 Freak
    Join Date
    Oct 2010
    Posts
    82
    Downloads
    0
    Uploads
    0
    Likes Given
    4
    Likes Received
    3
    Many probably didn't think about this when putting their JB consoles online
    but it's not necessary to have a credit card to sign up for a PSN account or buy PSN content.
    There is absolutely no need to input your CC information for PSN
    An email address is all you need.
    Last edited by erexx; 02-18-2011 at 11:49 AM.
    Reply With Quote  

  10. #10  
    patmorita is offline Senior L33ch3r
    Join Date
    Sep 2010
    Posts
    161
    Downloads
    0
    Uploads
    0
    Likes Given
    11
    Likes Received
    7
    This is like telling the phisher kids where the candies are and how to get them. I can see in the near future a lot of "CFW" with "stealth" internet access ala fudgepsn...all for free (even scammed for free lol)
    Reply With Quote  
