Sony PS3 hacked again

The PS3 has been hacked before, notably by a hacking group called fail0verflow, which discovered the ECDSA cryptographic key used by the console to authorize high-level operations. This allowed users to run any code, rather than just Sony-allowed code. Sony responded with the release of the 3.60 firmware, which plugged most known security holes. Only users willing or able to run older firmware and forgo access to the PlayStation Network could continue to run their own software.

Now, a group called the Three Musketeers has leaked the LV0 decryption keys. According to Eurogamer, “the reveal of the LV0 key basically means that any system update released by Sony going forward can be decrypted with little or no effort whatsoever.” This doesn’t necessarily mean it is permanently game over for Sony’s software control of the PS3, Nate Lawson of Root Labs told Ars Technica, but it certainly makes that control more difficult. “They're going to have to depend on obfuscation as their primary security measure to keep people from decrypting their updates,” he said. “It’s a cat-and-mouse game that's now more closely in the favor of the attackers. But Sony has plenty of things they can still do. It's just another link in the chain.”

The Three Musketeers apparently found the keys some time ago, but had not made them publicly available. In releasing them now, in a rather cryptic message on Pastie, they express disappointment in certain people and say that “only the fear of our work being used by others to make money out of it has forced us to release this now.” The clear implication or claim is that the keys have been stolen or leaked from them by the ‘certain people’, and that others are now trying to profit from the knowledge.

Although the Three Musketeers say nothing further, Eurogamer has no doubts. “The information leaked,” it reports, “and ended up being the means by which a new Chinese hacking outfit - dubbed "BlueDiskCFW" - planned to charge for and release new custom firmware updates. To stop these people profiteering from their work, the "Musketeers" released the LV0 key and within 24 hours, a free CFW update was released.”
