
February 17, 2011 // 2:46 pm - Yesterday Sony addressed PS3 circumvention devices, piracy and PSN bans, and today PS3 hackers, SKFU among others, have reported (via Ars Technica) on potential security risks for PlayStation Network users.

To quote: While I read about the big ban tsunami and interesting papers like PSN.PDF (Mirror), I went through a funny theory. I won't publish any details tho:

1) The bans are based on the users' account and console IDs.

2) We can modify all traffic sent and received by the PlayStation 3.

What if some skiddies start to modify their sent traffic to appear as another user and use backups?

The PSN servers would recognize the TOS violation and check the online user database for known connections based on the IDs. The user and his consoles who really own the IDs would be banned.

Even a simple Windows application which goes through ALL IDs may be possible. 24 hours and any console worldwide would be banned. This should definitely be double-checked by SONY.

From Ars (linked above) to quote: "A document written by the hackers has clarified what they did and what privacy and security risks they believe the PlayStation 3 poses. The PS3's connection to PSN is protected by SSL. As is common to SSL implementations, the identity of the remote server is verified using a list of certificates stored on each PS3. The credit card and other information is sent over this SSL connection. So far so good; this is all safe, and your web browser depends on the same mechanisms for online purchases.

The concern raised by the hackers is that custom firmwares could subvert this system. A custom firmware can include custom certificates in its trusted list. It can also use custom DNS servers. This raises the prospect of a malicious entity operating his own proxies to snaffle sensitive data. He would distribute a custom firmware that had a certificate corresponding to his proxy, and that used a DNS server that directed PSN connections to the proxy. His proxy would decrypt the data sent to it, and then re-encrypt it and forward it to the real PSN servers.

Such a scheme would be transparent to PSN users (except for any potential performance reduction caused by the proxying), and would give the attacker access to all the information that the PS3 sends to Sony. This information is shown to be extensive, but apart from the credit card data, probably not too sensitive or unreasonable.

As flaws go, the risks here are not substantial. There is no generalized ability for hackers to grab credit cards from PSN users; only those using specially devised custom firmwares would be at risk. Essentially the same risk could be faced by anyone downloading a pirated version of Windows: extra certificates could be added to those normally trusted, along with suitable DNS entries, to allow interception of any traffic destined for, say, In practice, the risk of either of these is slight, and in any case, trivially avoided: don't use custom firmware.

The original story is below, but note that the claims originally made by the hacker quoted in the article are unsubstantiated.

Sony has officially stated that anyone using hacked firmware or any sort of circumvention technology will have their console banned for life from the PlayStation Network, but how does the company know when such a console logs in? One person claims to have broken into the PlayStation Network, and what he has found is rather shocking. If his findings are accurate, your credit card information is being sent to Sony as an unencrypted text file, and Sony is watching every single thing you do with your system, keeping detailed records all the while.

"Sony is the biggest spy ever... they collect so much data. All connected devices return values sent to Sony's servers," the hacker said. He claims that Sony knows what controllers you're using, what USB devices are plugged in, what sort of television you're using–everything. Here's another section of the chat log:

•user2: another funny function i found is regarding psn downloads
•user2: its when a pkg game is requested from the store
•user2: in the url itself you can define if you get the game free or not. requires some modification in hashes and so on tho
•user3: ..
•user2: is like
•user3: my god
•user2: drm: off

That's not all: your credit card information is apparently being sent as an unencrypted text file. This is how the code is being sent to Sony:

example street%2024%20&

This information is allegedly being stored online and is updated every time you turn on your system. We've been receiving reports from various sources that e-mails are being sent to those with hacked firmware even before they log back into the PlayStation Network, which is even more evidence that Sony is grabbing information from your system just from being connected to your wireless network.

The ability to enable free downloads is likewise unsurprising, as there may be a way for some users, such as press and developers, to access the PlayStation Network without needing to pay for content.

While other console manufacturers may keep free, pre-review content in a separate, closed-off network, it's possible Sony keeps everything in one place, and controls who pays and who doesn't via a simple toggle. That would be unsafe from a security standpoint, but when has that stopped anyone from stupid mistakes in the past?

It's also very possible this is all fake, but much of what the unnamed hacker is saying links up with what we know from other sources about the behavior of the PlayStation Network. It's worth treating this as a very real threat: use PSN cards instead of credit cards on the PlayStation Network, and make sure you don't share any passwords or login information between your PSN account and other accounts.

We've contacted Sony for comment, but have not received a reply at time of publication. The hackers joked that the next update will remove the PlayStation Network, just as Sony removed the Other OS feature when it became compromised."

Finally, Computermaster has tweeted the full log HERE for those interested.
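
The trust-list half of the scenario Ars describes (an image that ships extra trusted certificates) can be checked from the defender's side by comparing what an image trusts against a known-good baseline. The Python below is an added example, not code from the article or the quoted document; the function names are hypothetical and the sample bundles are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def fingerprints(pem_bundle: str) -> list:
    """SHA-256 fingerprint (hex) of every certificate in a PEM bundle, in order."""
    fps = []
    for match in PEM_BLOCK.finditer(pem_bundle):
        # Drop line breaks (LF or CRLF) before decoding the base64 body.
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def audit_trust_list(baseline_pem: str, installed_pem: str) -> dict:
    """Compare an installed trust list with a known-good baseline."""
    baseline = set(fingerprints(baseline_pem))
    installed = set(fingerprints(installed_pem))
    return {
        "added": sorted(installed - baseline),    # anchors the vendor never shipped
        "removed": sorted(baseline - installed),  # anchors missing from the image
    }


# Constructed sample data: placeholder bytes stand in for real DER certificates.
VENDOR_ROOT_A = to_pem(b"constructed placeholder: vendor root A")
VENDOR_ROOT_B = to_pem(b"constructed placeholder: vendor root B")
UNKNOWN_ROOT = to_pem(b"constructed placeholder: root added by modified image")

BASELINE = VENDOR_ROOT_A + VENDOR_ROOT_B
# Same anchors in a different order, CRLF line endings, plus one extra entry.
INSTALLED = (VENDOR_ROOT_B + UNKNOWN_ROOT + VENDOR_ROOT_A).replace("\n", "\r\n")

if __name__ == "__main__":
    report = audit_trust_list(BASELINE, INSTALLED)
    for fp in report["added"]:
        print("not in baseline:", fp)
    for fp in report["removed"]:
        print("missing from image:", fp)
```

Any entry under "added" is a trust anchor that would let a proxy holding the matching key pass server verification. The DNS half of the scenario needs a separate check of the resolver settings in use.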

PS3 Hackers Address Potential PSN Security Issues and Bans


#31 - SinnerShanky - February 18, 2011 // 1:30 pm
If the cc info really does go to the Sony servers in unencrypted form then intercepting that is a piece of cake.. Anyone on your network can use packet sniffers to intercept, view and save the data sent and received by your internet connection.. Moreover if you use a cable connection then everyone who has their cable connected to the same hub or default gateway can intercept that data.

It's a very big issue if the info is sent in txt format.. What is usually done by applications is that they make their own two way algorithm and the decryption end is stored in a highly secure environment so as to prevent its leak and compromise the security of the info.. The cc info received is then decrypted by that algorithm and the transaction is processed.. Also if you want the cc info to be stored on the server then it is stored in encrypted form not a simple text file...!!!

#30 - NoZart - February 18, 2011 // 8:28 am
Ooops, overread that they are GUIDs. But how about the User IDs? Those should be collectible somehow, no?

#29 - NoZart - February 18, 2011 // 8:14 am
First of all: Sony is not intrusive. The sort of data they collect are nowhere out the norm. That is just within the normal logging. And does it really bother you that some machine somewhere knows what TV you have? They do not send videostreams of your living room somewhere, as MS does with Kinect.

And regarding CC info: as long as you are on OFW, your data is secure. When you are on OFW, your CC info is actually a few steps MORE secure than when you shop on your PC. Sony is not responsible for what happens when you decide to mess up your system with a CFW.

#28 - PiMpD - February 18, 2011 // 4:49 am
Among other titles.. I am almost sure we used to network the XBOX through Gamespy on our PCs and play HALO 1 online against other players.. and I am almost positive Halo wasn't even an online game. I am sure the devs can think of something as far as a P2P Online community for HomeBrew users.

#27 - BryanNitro - February 18, 2011 // 3:42 am
Originally posted by y2kkingboy:
Could this be enough to call a Class Action suit for reckless endangerment and invasion of privacy?

I plan on going to my lawyer tomorrow. If Sony wants to play hardball then we need to make sure we get hit with a pitch, if you know what I mean, and hey, if enough people take hits we can win the game.

Identity theft is VERY BIG right now and Sony doesn't want to back down. Which one is more of a threat to society?

#26 - nailed - February 18, 2011 // 2:15 am
Let's think about that... really think about it. The PS3's console ID is a GUID. If we look up GUID on Wikipedia, we find: "Today's fastest supercomputer at 2.5 petaflops could generate 2.5×10^15 random GUIDs every second, if it had been dedicated exclusively to this task nonstop since the Big Bang, it still would have odds of less than one in 300,000 of ever having generated a duplicate."

How again are you going to iterate through all possible IDs?

Originally posted by superste2201:
That fact alone is untrue, a tv cannot send its make or model down scart or HDMI. It's impossible.

I love how confident you are! So confident you couldn't possibly be wrong! So don't Google "EDID"... you'd be disappointed.

#25 - Bishoff - February 18, 2011 // 1:06 am
Originally posted by superste2201:
You guys do realize that in order for a hacker to grab any credit card details they will need to make a unique custom firmware and make you install it on your PS3 then go on PSN and buy something. Highly unlikely to happen. If you are worried just stick to OFW.

Also most of what these 'hackers' say is BS, e.g. He claims that Sony knows what controllers you're using, what USB devices are plugged in, what sort of television you're using everything.

That fact alone is untrue, a tv cannot send its make or model down scart or HDMI. It's impossible.

A TV absolutely can display all its info to devices via hdmi and dvi...that's how PCs communicate with displays and get all the native resolutions and settings as soon as you plug in a screen. You don't need to install drivers and it displays all this info in your control panel hardware tab. All the devices mentioned are readable/identified as noted in article.

#24 - gygabyte666 - February 18, 2011 // 12:57 am
Christ! Arrrg, I am pissed about this! Why has no one sued them over this yet? I can't believe the kind of thing they are able to get away with. Wish I had billion dollar lawyers too. In all honesty though, this is both unethical and immoral. I really don't know why I am surprised though.

After all, they DID take OtherOS support away. That was pretty damn unethical and immoral as well. I guess it's just extremely disappointing to see how little they REALLY care for their consumers and their privacy. Privacy and intrusion are a HUGE thing right now, as they should be. I hope they get torn limb for limb for this crap. They shouldn't be allowed to do this. What starts today with Sony & Microsuck will lead to everyone being 'allowed' to do it tomorrow.

Speaking of Microsuck. I see a few people are trying to dodge this risk by changing topics to M$. Making them seem like they are worse than Sony is. Well, I will admit nothing would make me happier than to see Microsuck fall but the same goes for Sony right now. Both of them are guilty of this. What's worse is that BOTH of them GET AWAY WITH IT.

I must have been mistaken, I could have sworn that invading others' privacy was ILLEGAL. I thought that's why cameras aren't allowed in public restrooms. Guess I was wrong, as long as you got the money, nothing is illegal. Freakin' GAY!

I had really strong and high hopes for this console when it first came out. I thought "its Sony, they haven't ever really let me down in the past." Lately though, it's just been one sucker-punch after another to the consumer. I will always love my previous PlayStation systems but I am to the point where I really hope a PS4 never sees the light of day, along with this retarded company.

After I read about all this security/privacy intrusion stuff yesterday I am glad I am not on PSN or the internet with this thing. What we need is for some of the genius hackers/coders and reverse engineers to figure all this PSN connection BS out so we can learn to create our own servers that can be used so we can all play online together... completely PSN/Sony FREE!

Bah! I am glad I'm not online anymore. Being banned would probably do me a favor. Screw all this intrusive stuff. No thanks, not for me!

#23 - y2kkingboy - February 18, 2011 // 12:00 am
Could this be enough to call a Class Action suit for reckless endangerment and invasion of privacy?

#22 - NoZart - February 17, 2011 // 11:54 pm
I can only speculate but I would say no. Doesn't make sense to me that a drumkit, light gun or guitar use encryption to work with the PS3...