Research

Application security testing, analysis, and metrics

Possible PlayStation Network Attack Vectors

Posted by Chris Lytle in RESEARCH, May 13, 2011 | Comments (25)  

Over the last few weeks there’s been a lot of commentary around the breach of Sony’s PlayStation Network. Sadly, there has been no good discussion of how PSN was breached. What this breach means for Sony is largely defined by how it happened. Before we get to that though let’s go over a quick timeline of some of the important points in the breach’s timeline.

Jan 2, 2011: Months of battles between Sony and PS3 hackers reaches a climax when George Hotz aka GeoHot publishes the Root Key for the PS3. Among other things this allows users to sign and run any code they want on the PS3.

Jan 11, 2011: Sony responds to the releases of the Root Key by filing suit against Hotz and several other prominent PS3 enthusiasts in Sony Computer Entertainment of America LLC v. Hotz et al. Sony brought charges against the hackers on multiple charges including violation of the DMCA and Computer Fraud and Abuse Act, breach of contract, and trespass.

March 31, 2011: Rebug custom firmware released. Rebug allows access to many of the features only found in PS3 developer kits (PS3 dev kits were notoriously expensive. At one point the PS3 Reference Tool cost upwards of 10,000 USD.)

March 31, 2011: Sony Online Entertainment lays off 205 employees, an estimated 1/3 of the division.

Early April 2011: Internet group Anonymous responds to SCEA v. Hotz by launching OpSony, a DDoS of PSN and other Sony owned properties with a web presence.

April 20, 2011: Sony detects an intrusion and PlayStationNetwork and Qriocity servers are taken offline.

From there Sony’s missive to Congress pretty well documents what happened.

So, with that background laid, we now need to ask how the attacker actually got in. Sony held a press conference on May 1st 2011, during which they issued this diagram describing how they believed the intrusion happened:

This seems like a roundabout way of saying that there was a SQL injection issue in one of PSN’s applications or that the database server could have been publicly accessible and exploitable from there. That’s not very descriptive or helpful though so let’s take a minute to take a look some of the alternative ideas on how the breach happened. Please take all of this with a grain of salt as some of this is speculation or cannot be confirmed.

  1. Unpatched server: A chat log of several PS3 modders probing PSN has been making the rounds. In it they claim that some of PSN’s webservers were running outdated versions of Apache and Linux (2.2.15 and 2.6.9-2.6.24 respectively). It is a solid bet that if those packages were outdated, the rest of the server hadn’t been patched in the last 5 years either. If that was the case, then the intrusion would have been as simple as firing up Metasploit and going to work. As a side note, Google’s web cache shows that Sony’s servers were up to date, so this whole theory may be bunk.
  2. Physical attack: Several of Sony’s press releases and blog posts have talked about moving the PSN servers into a single secure location. There have been suggestions that this indicates that there was a physical component to the attack. While this certainly is a possibility, it seems much more likely that this was already happening and Sony is merely highlighting it to promote the image of a security conscious company.
  3. Insider attack: While this is a threat actor, not an attack, it still merits mentioning. There is a possibility that one of the 205 SOE employees who were terminated on March 31st could have used their access to attack Sony. The retaliatory attacks over the GeoHot lawsuit would have provided the perfect cover for an employee who was angry with being terminated to leverage their access against Sony.
  4. Leveraging a PS3 against PSN: One of the interesting features of the Rebug firmware was the ability to switch which set of PSN servers the console connected to. For instance, in one attack modders found it was possible to force a PS3 to connect to the prod-qa instance of PSN. On this particular instance, the servers would not authenticate credit card information before adding credit to the account, so attackers could simply add unlimited credit for the PSN store. Much of this information was publicly available before the breach happened. Also an IRC chat log claimed that there were 45 Internet accessible PSN instances at the time of the breach. It is possible that one of the PSN instances meant for internal use only had certain flaws or was configured in such a way that a rogue PS3 could have leveraged it against the rest of Sony’s network.

Looking at these possibilities and their likelihoods I think we can form a pretty reasonable idea of what happened beyond the attack shown in Sony’s diagram. It looks like a vulnerability in an application was the initial point of entry for this breach. Whether or not this was done using a modified PS3 is up for debate, and there isn’t any solid proof one way or another. While it is extremely probable some of the machines in PSN weren’t up date on their patches, it seems that if exploiting an outdated web service was the way into PSN for the last 5 years, we would have heard about it much sooner, given all of the automated scan-and-attack tools available today. Also, Sony’s actions that look like responses to a physical attack are probably nothing more than management handing down a blank check to make sure that all of PSN’s defenses are bulked up.

And that’s all working on the assumption that there was just one breach! Perhaps the reason why Sony’s response has seemed a little disjointed is that we keep trying to shoehorn their actions to fit our notion of them responding to a single unrealistically complicated multi-vector attack, and not them responding to a slew of simple attacks that all happen to be coming from different vectors simultaneously. In the weeks that followed PSN being taken down, we have learned that other Sony-owned resources have been compromised and taken offline (e.g. DC Universe Online, Star Wars: Galaxies, Free Realms, EverQuest, and even Sony-run Facebook games like Fortune League) and that more personal information was lost than originally reported (plus an additional 12,700 credit card numbers were discovered stolen on May 2nd). It is unlikely that this is all the work of a single attacker. Even with a best case scenario of there being only two independent simultaneous breaches, so much went on in Sony’s network during those few days that trying to assess, attribute, and respond to what happened is quite a task. Expecting them to know exactly how to best respond to a breach of this magnitude and complexity without tilting their heads a little about what happened is just unrealistic.

Finally, I would bet that this was more a crime of opportunity than a targeted attack. Much of the work that modders were doing on exploring the different PSN instances was publicly available. If someone wanted to attack PSN, the recon was done for them and the tools were already made. Since several less-than-honest modders were using the aforementioned free content trick, someone who wanted to use this information to attack would need to do it before Sony responded and nullified all of that work. Also Sony was still shoring up their defenses from the DDoS of the prior weeks, so there was perfect cover for the attack.

All in all, we probably won’t ever know all of the details surrounding this breach. This should provide a little bit of insight into what probably happened and help a bit to interpret Sony’s response to the breach.

Veracode Security Solutions

Security Threat Guides
25 Comments »

Your point 4 is the correct approach. If the Sony Playstation Network perimeter security was solely based on identifying developer Playstations versus retail Playstations, then a hacker that modded a retail Playstation into a developer Playstation would have the keys to the kingdom. As you point out, it could have happened multiple times from independent attacks based on published hacks.

Lots of Sony employees are in the know. Talk to folks outside Sony Playstation Network who sit next to folks from the Playstation Network.

Comment by KWE — May 13, 2011 @ 11:10 am

What about the remove of the Ps3 Linux installaton option?

Comment by Xan — May 13, 2011 @ 12:33 pm

I was wondering what your take on the situation was, so thanks for the article. I worked in QA for SCEA for a bit, and I recall telling one of my supervisors that we needed more security on qa-prod. He pretty much told me that, while I made good points, there was nothing either of us could do, it was IT’s responsibility. That was years ago.

Comment by Erzengel — May 13, 2011 @ 3:12 pm

Agreed… but also, the problem with having an a free network is it forces users to provide information, thus the leak of personal info to hackers and others…

Most games rely on the online feature to make almost EVERYTHING work, I found while trying to find some good offline multi-player co-op and shooters…

Anyways. Free network, un-encrypted data, and a lack of security… if that diagram is in fact the simple layout. Then it seems anyone who has the ability to download files and whom is in ‘the know’, could hard-wire their system, crack the network and steal a group of persons information by using Sony’s own equipment against them.

Either way it’s taking far too long, but the value of people’s information goes without. I think Sony should issue a command to change information once you login and provide free services. Microsoft is capitalizing..

Comment by jroc — May 13, 2011 @ 7:18 pm

Finally something that makes sense.

Why would sony have such a lax defense and implied trust to its developers. I can understand they bought a product but seperation of resourses should have been a truism, not security through ignorance.

Comment by Charles Russell — May 14, 2011 @ 12:04 am

thanks for making the tech clear to a gamer

Comment by peterspeed — May 14, 2011 @ 5:01 am

Great more speculation. Whatever happened to news and facts? I think the general gaming audience has had their fill of speculation. :-(

Comment by DarthDiggler — May 14, 2011 @ 8:01 am

This pretty much confirms what I suspected, notably the image from Sony themselves. All I can add is that it is not so simple as just having a vulnerable application server/services layer – the attackers placed a ‘communication tool’ (reverse shell?) on the app server and then gained access to the backend database. Weak outbound firewall policies would be the vulnerability which allowed that communication tool to make outward connections. Full intrusions such as this are always a combination of vulnerabilities, web code vulnerable to SQL injection, known exploits for web servers, plaintext db connection strings, weak firewall policies and weakly protected credential storage in the database.

Comment by Matthew Hall — May 14, 2011 @ 12:05 pm

The PSN really didn’t need to go down. Is it true that this group called “anonymous” was the cause of it? I’ve seen it on youtube.

Comment by Make Computer — May 14, 2011 @ 1:24 pm

@Xan

The removal of the Other OS option falls under the “Months of battles between Sony and PS3 hackers” that I mentioned. That part of the article was removed during editing because removing Linux did help to motivate hackers to develop tools that were most likely leveraged against PSN, however it didn’t directly cause the breach.

To clarify for reader’s what this comment is talking about here’s a quick explanation of the timeline before the first bolded date: Originally PS3′s shipped with the ability to have an addition operating system installed on them (this feature was later removed from new PS3s, but those who had PS3s that supported other OS option kept the functionality). However, the operating system was installed under a hypervisor, which meant that it didn’t have direct access to all the hardware it was running on. This inhibited certain functionality and slowed down the OS. Hackers began trying to find a way to run an OS directly on the PS3. Several advances were made by the hackers. Sony looked at how hackers had circumvented their security systems and realized that the Other OS option was being used. They responded by removing the Other OS option from all PS3s. PS3 owners responded by suing Sony. Research continued, now with the additional goal of how to re-add support for other operating systems. That takes us up to the first bolded date.

Comment by Chris Lytle — May 15, 2011 @ 2:29 pm

@Make Computer

Running the numbers on who were the probable attackers could fill another whole article. But let’s look at the specific claim that it was Anonymous. For those of you unversed with the group, Adrian Crenshaw has the best introduction to Anonymous that I’ve yet to read available at http://www.irongeek.com/i.php?page=security/understanding-anonymous

On one hand Anonymous was actively targeting Sony during Operation Sony just before the breach. Sony did also say in their missive to Congress that they found a file on one of their servers named “Anonymous”, which contained the words “We are Legion”. Now note, they never said that it was Anonymous. They just said they found that file and let us draw the obvious conclusion from there. So was Anonymous on one of their servers? Potentially. A DDoS only generates so many lulz. If Anonymous was acting the way they have before, they’d be looking for something embarrassing like a mail spool containing proof of questionable actions on Sony’s behalf, and that requires access to Sony’s network. We certainly know that they’ve got the talent to get in.

On the other hand it is really easy to blame Anonymous. Before we had any details about the breach they were already being blamed. But stealing credit cards is not their style. Could a member of Anonymous be a carder? Of course. But I would say that that was them acting as an individual and not working towards the end goals of OpSony. Also, Anonymous is claiming that they didn’t do it (see http://anonnews.org/?p=press&a=item&i=848 ). There were claims by those who said that the entry point for this breach was an unpatched server that there were over 15,000 people who had shell on Sony’s servers. So it’s entirely possible that they were on when someone else was taking credit card info.

Finally, it could be one big frame up. It seems that Anonymous has surpassed the APT has the current Internet boogie-man. A thief could have easily left the Anonymous text file as a way of pushing the blame to someone else, notably the group with the scary masks that everyone can easily identify as troublemakers.

Comment by Chris Lytle — May 15, 2011 @ 3:21 pm

[...] aggiuntive finora disponibili soltanto nel PS3 Developer Kit venuto a 10.000$: l’azienda Veracode teorizza che tale firmware potrebbe aver consentito degli accessi a parte del network dedicate agli [...]

Pingback by PSN Hacking lanciato da Amazon EC2 | Devix Security Blog — May 16, 2011 @ 6:46 am

[...] discusses several theories in a recent blog post and notes that information from Sony would indicate that a SQL injection was used to exploit a hole [...]

Pingback by Expert: Sony attack may have been multipronged | Graham Integration Management Inc. — May 18, 2011 @ 3:14 pm

I suspect that this incident is an internal attack. Well, the PSN has been attacked more than twice for a span of only a month or so. Sony has one of the most intricate and sophisticated IT security tools in the industry today. How come they’ve become too vulnerable? It made me wonder why?

Unpatched server is also a great possibility, but physical attack sound far-fetch to me. For one, Sony has been contemplating for quite some time now to migrate to the cloud.

The PSN attack is a lesson to everyone.

Comment by Amelia@ Ethical Hacking — May 23, 2011 @ 10:48 am

nice explanation, chris. There must have something related with the inner firewall, I think.

Comment by PeterPatrickGo — June 22, 2011 @ 4:28 am

Learn the facts before posting as Security Researcher. You should probably resign.

Comment by Anonymous — June 29, 2011 @ 1:22 pm

[...] May 13th, Veracode Researcher, Chris Lytle published a blog post which you can read [here] that revealed several details regarding why Sony took this decision to shutdown their popular [...]

Pingback by Sony PlayStation Network Breach [Infographic] on Study by Chris Lytle — July 1, 2011 @ 1:12 am

nice chris. anonymous shouldn’t attack the ones in pain, like the japanese

Comment by playstation 3 ylod — November 1, 2011 @ 11:20 am

[...] be the first to hear about it. You can expect more great posts like Chris Lytle’s analysis of the Sony PSN breaches and Tyler Shield’s deep dive into Pandora’s mobile application. And we’ll never shy away from [...]

Pingback by Veracode Blog — December 6, 2011 @ 10:33 am

I realy dont care about the psn, but ive been searching for an answer of my data on the ps3 hd is save..
I started to run linux on my ps3, and wondered if my data is safe for hackers ?

Comment by Daan — January 6, 2012 @ 11:55 am

Is my data from WoW safe connecting through my ps3? hackers can do anything these days…

Comment by Danie — January 15, 2012 @ 2:44 pm

gamekeys…

[...]Veracode Blog » Possible PlayStation Network Attack Vectors[...]…

Trackback by gamekeys — April 9, 2012 @ 8:49 pm

ok nice one Chris, but what about the inner Firewall?

Comment by playstation 3 reparatie — November 7, 2012 @ 5:25 am

Thanks for information sharing about PS network attack have to becarefull what i press then hope they improve the protection for it on PS3.

Comment by Sunny — January 27, 2013 @ 7:13 am

[...] infographic sums up a Chris Lytle blog post from [...]

Pingback by Image of the Day: Visualizing the PlayStation Network Hack | Threatpost — March 24, 2013 @ 10:01 pm

RSS feed for comments on this post. TrackBack URI

Leave a comment


Schedule Demo Veracode Trial
Mobile Security

Sql Injection

cyber security

Categories

Archive

Powered by WordPress