So there's very little good info floating around on this, and the paper in question is really lacking on details and good info.
The .pdf that is going around outlining this issue is here:
http://demo.ovh.com/download/e1ae850ae7 ... 20/psn.pdf
(from: http://streetskaterfu.blogspot.com/2011 ... -user.html)
The section on "sensitive information" seems to contain a lot of filler, and doesn't make too much sense. He claims that Sony uses HTTPS/SSL, but that this "isn't good enough". He then goes off topic about how Sony is a large network and that the ip addresses of this large network are all publicly accessible. This is all true, but does not contribute to his argument that the information is not secure.
Let's get to the HTTPS/SSL issue.
When an SSL session is negotiated by your PS3 with Sony's servers, you fetch a certificate from the PS3 server that is authenticated against a CA, verifying that the server claims to be who it says it is. In that certificate is the server's public key, which is used by the client to encrypt information to send to it. Information cannot be decrypted by the public key, only by the server's private key, which only it possesses.
So the information being sent to Sony is encrypted, and it's using SSL, the accepted standard for banks, remote terminal sessions, your gmail, and generally anything else of importance. There are no current flaws in this protocol when implemented correctly.
The ability to forge a client certificate on the PS3 weakens this somewhat, but not directly, and the paper fails to describe this. But I think I can identify what he's trying to get at.
The PS3 needs to have a trusted root certificate from a Certifying Authority (CA) stored in the console in order to verify that when contacted by a system claiming to be a Sony PSN server, it can verify that is really is a PSN server. (This is the same mechanism that identifies your bank to be who they claim to be.) The ability to create custom firmware (CFW) means that a hacker could distribute a CFW that possesses an altered, additional, or different trusted root CA.
Recall whenever your web browser gave you an alert upon finding an expired certificate, or probably more appropriately, a self-signed certificate. If you're using HTTPS on a home router, you probably have one of these. Since there is no pre-loaded root CA on your system, you need to decide if you can trust it yourself.
By having a CFW loaded, you're never prompted for this, and unless you audit the code yourself, you won't know if there's other root certificates loaded. Any that are loaded are assumed trusted.
Here's where we get to the "third-party DNS" that he mentions. Assuming you're not running your own DNS server (to say nothing of if it's secured) it is possible that the DNS server you connect to could be spoofed to identify a Sony PSN server's host name as a different IP. At that point, assuming you're running a CFW that has a crafted root CA loaded, the PS3 will recieve the spoofed address, the altered certificate will identify the server as legitimate, and a connection will be established. Voila, your information is being sent.
So the short of this:
- Your information is not being sent in the clear, but is being sent via industry standard HTTPS/SSL.
For an attack to succeed:
- An attacker must persuade you to load a CFW that has a self-signed root certificate loaded on it
- the attacker must successfully poison the DNS cache of a DNS server that YOU use
- the attacker must then wait/hope/pray that you connect to the server he spoofed so that you can authenticate to him.
That, ladies and gentlemen, is a pretty tall order, though it's by no means implausible. But it is the sort of issue that gets a lot of attention these days (and is a large part of the reason why certificate validation has become so visible in web browsers as of late.)
So if you're not using a CFW, then you're pretty safe. If you are, then you need to ensure that no other forged or crafted root CAs exist, and that you are using a relativity secure DNS server. In my opinion, any DNS server by a major ISP should be more than sufficient.
