Tuesday, May 3, 2011

Sony PSN Attack: Is the Company accountable for the incident?

Note: This post is available in Spanish.

The Sony PlayStation Network (PSN), which provides online gaming, movie and TV viewing and other exclusive content, went offline and entered maintenance mode on April 20th. On April 26th the Company released a press statement in which it declared that personal information belonging to 78 million users had been extracted from its servers during a security breach, making it one of the biggest data breaches in history.

The extracted information consisted of: full names, full addresses (city, state, zip code and country), e-mail addresses, dates of birth, PSN user names and passwords, and credit card data (presumed 10 million card numbers).
The big question we are all asking ourselves is: how could this happen to Sony? The truth is that in the information security world, no one is immune to incidents, because there is no 100% effective safeguard. What one can do is perform a risk analysis of the IT infrastructure and implement the required safeguards to reduce the risks to a level acceptable to the Company.
So, the real question here is: is Sony accountable for the incident? Did it exercise Due Diligence and Due Care to prevent this from happening? To answer these questions, I took the liberty of analyzing the PSN network and the attack itself.
How does the PSN work?
The PSN uses the Internet (the HTTPS protocol) to connect the PS3 consoles to the servers where the user accesses the different network functions. The communication between the two is done through Web Services, software that uses a set of protocols and standards allowing applications to exchange data (in this case, between the PS3 consoles and the servers). Because the protocol in use is HTTPS, it requires a web server such as Apache or Microsoft IIS.
The IT infrastructure of the PSN is based on a 3-tier architecture:
1. Application Layer (presentation or frontend): interacts with the PS3 consoles and communicates with the next layer (the logic layer).
2. Logic Layer: processes requests from the application layer and requests information from the data layer.
3. Data Layer (backend): database servers. It is an independent layer whose main function is to store and retrieve data.
Between layers, the PSN has firewalls that control the traffic flow, because in theory the application layer should never interact directly with the data layer. Such designs are known as multitier architectures.
The Identification & Authentication process between the PS3 and the PSN is as follows:
1. The PS3 establishes an SSL connection with the PSN authentication server. The PSN server authenticates itself to the PS3 with its SSL certificate.
2. The PS3 then sends a passphrase (a long password) to the PSN as its own authentication.
3. It then sends parameters such as the firmware version used by the PS3 (e.g. 3.60).
4. User credentials are then sent, among other transactions.
How secure is the PSN?
The Company designed the console so that it could only play authorized games and so that users could not access or modify it. This disappointed many users and gave users and hackers a motive to jailbreak the PS3 in order to run any game or program. Sony built the PSN's security on the assumption that the console was secure: big mistake.
This mistake was confirmed when the hacker GeoHot (who became famous after jailbreaking the iPhone), together with other hackers, hacked the PS3 and found the private keys (root keys) of the console. These keys allow a user to digitally sign and install software not authorized by Sony, including operating systems (such as AsbestOS, a compact Linux). This permitted the distribution of custom firmware (called homebrew) containing all the hacks necessary for users to have full control of their PS3.
Sony tried to block hacked PS3 consoles from the PSN by filtering on the firmware version and by adding an authentication method (a passphrase). Still, users got access by performing a man-in-the-middle attack, as follows:
1. First they needed to understand how the protocol between the PS3 consoles and the PSN worked. Since the traffic between them is encrypted with SSL, they modified the PS3 setup in order to intercept the traffic. What they did was:
a. Created a Certificate Authority (CA) to issue an SSL certificate for the domain auth.np.ac.playstation.net (this domain points to the IP of the PSN authentication server).
b. Installed a proxy server between the PS3 and the Internet and configured it with the issued SSL certificate.
c. Modified the PS3 DNS configuration to point the domain auth.np.ac.playstation.net to the proxy server's IP address.
d. Copied the CA's public root certificate to the PS3 console, so that the certification path was valid.
2. With these steps in place, this is what happens when the PS3 connects to the PSN:
a. The PS3 resolves the domain auth.np.ac.playstation.net to the local proxy IP.
b. It establishes an SSL connection with the proxy. Since the fake SSL certificate is signed by the CA certificate copied into the PS3 and was issued for the domain auth.np.ac.playstation.net, the console assumes that the connection is authentic.
c. The proxy establishes the connection to the real auth.np.ac.playstation.net server and relays all the traffic to that server and back.
3. Now the users could read all the SSL-encrypted traffic between the PS3 and the PSN.
4. From the traffic analysis, the users obtained two important protocol parameters:
a. The PS3 sent the authentication server its current firmware version (e.g. 3.66 or 3.56), which was used to block unwanted consoles.
b. The latest firmware sent an authentication passphrase, which was the same for every PS3.
5. To bypass these controls implemented by Sony, they used the proxy to modify these parameters on the fly. For example, when the firmware parameter entered the proxy with a value of 3.55, it was changed to 3.60 and sent on to the PSN servers. The same happened with the passphrase parameter.
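The rewrite in steps 4 and 5 works because the passphrase is one static value shared by every console: the server has no way to tell one PS3 from another, and nothing binds the firmware parameter to the console that sent it. The Python below is an added illustration, not code from the post or from Sony. The passphrase, device identifiers and keys are constructed placeholders, and the hardened variant (a per-device key, a server-issued nonce and an HMAC over the parameters the server acts on) is one standard design for client authentication, not a description of how the PSN actually works.

```python
import hashlib
import hmac
import secrets

# --- The scheme the post describes: one passphrase shared by every console ---
# Constructed placeholder; the real PSN passphrase is not on the page.
SHARED_PASSPHRASE = b"example-shared-passphrase"


def server_accepts_shared_passphrase(presented: bytes) -> bool:
    """Any party that knows the single shared value is accepted, whether it
    is a console, a proxy replaying a captured value, or anything else."""
    return hmac.compare_digest(presented, SHARED_PASSPHRASE)


# --- Hardened variant: per-device key + server-issued nonce + HMAC ---
# Hypothetical device registry (device id -> device-specific key). In a real
# deployment the key would be provisioned per console, not shared.
DEVICE_KEYS = {
    "console-A": secrets.token_bytes(32),
    "console-B": secrets.token_bytes(32),
}
# Nonces consumed by a successful authentication; a reused one is refused.
USED_NONCES = set()


def server_issue_nonce() -> bytes:
    """Fresh random challenge for each authentication attempt."""
    return secrets.token_bytes(16)


def _mac(key: bytes, nonce: bytes, device_id: str, firmware: str) -> bytes:
    # The MAC covers the nonce and the parameters the server will act on, so a
    # man-in-the-middle cannot rewrite the firmware value without breaking it.
    msg = nonce + device_id.encode() + b"|" + firmware.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def client_respond(device_id: str, device_key: bytes, nonce: bytes, firmware: str) -> bytes:
    """Console side: prove possession of its own key for this nonce."""
    return _mac(device_key, nonce, device_id, firmware)


def server_verify(device_id: str, nonce: bytes, firmware: str, response: bytes) -> bool:
    """Server side: recompute the MAC under the key registered for device_id."""
    key = DEVICE_KEYS.get(device_id)
    if key is None or nonce in USED_NONCES:
        return False
    if not hmac.compare_digest(_mac(key, nonce, device_id, firmware), response):
        return False
    USED_NONCES.add(nonce)
    return True


def demo() -> dict:
    """Run both schemes through the situations the post describes."""
    results = {}
    # Shared passphrase: a captured value is valid no matter who presents it.
    results["shared_value_from_any_client"] = server_accepts_shared_passphrase(SHARED_PASSPHRASE)

    nonce = server_issue_nonce()
    resp = client_respond("console-A", DEVICE_KEYS["console-A"], nonce, "3.55")
    # Proxy rewrites firmware 3.55 -> 3.60 in transit: the MAC no longer matches.
    results["tampered_firmware"] = server_verify("console-A", nonce, "3.60", resp)
    # Genuine console, parameters untouched.
    results["genuine"] = server_verify("console-A", nonce, "3.55", resp)
    # The same response replayed later: the nonce has already been consumed.
    results["replay"] = server_verify("console-A", nonce, "3.55", resp)
    # A response computed by console-A presented under console-B's identity.
    nonce2 = server_issue_nonce()
    resp_a = client_respond("console-A", DEVICE_KEYS["console-A"], nonce2, "3.55")
    results["wrong_device"] = server_verify("console-B", nonce2, "3.55", resp_a)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:30s} accepted={accepted}")
```

The point of the contrast is that the per-device scheme does not depend on the console trusting the right CA: even with the proxy reading every byte, it can neither forge a response for a device whose key it lacks nor alter the firmware value the server sees, and a captured response is useless once its nonce has been spent.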
How was the PSN attacked?
In the last press conference, Sony did not provide many details on the attack, but they did explain how it was achieved:
1. The attackers knew of a known vulnerability in the Apache web servers. We can assume that they obtained this information from the traffic analysis of the PS3 or by fingerprinting the servers.
2. They sent a valid transaction to the Web Service with code that exploited the vulnerability. This allowed them to install communication software, compromising the logic layer of the PSN. Since it was a valid transaction, the firewalls were of no use.
3. Once inside the logic layer, the attackers carried out a privilege escalation attack to gain access to the data layer.
Given the lack of information from Sony, and from analyzing the attack, we can assume that the communication tool was a backdoor, and the fact that it was a valid transaction might imply that a hacked PS3 console and proxy were used.

Sony’s PowerPoint slide illustrating the attack
Is Sony accountable for the incident?
If we do a quick review of the security infrastructure of the PSN, we can establish the following:
· The security was based on the concept that the PS3 console was secure: one of the basic information security principles is "do not trust the client".
· The PSN did not have a strong Identification & Authentication method: using the same passphrase for all PS3 consoles was a mistake, since it was easy to obtain.
· The PSN servers authenticated to the PS3 using SSL certificates, but the PS3 authenticated only with a shared passphrase: why did they not implement a mutual authentication mechanism? Why did they not use digital certificates to authenticate the PS3?
· Servers with vulnerabilities: why did Sony not patch their servers? Why did Sony not know their servers were vulnerable?
· Intrusion detection safeguards: why did Sony not implement an N-IDS (Network Intrusion Detection System) and/or H-IDS (Host-based Intrusion Detection System) in combination with a WAF (Web Application Firewall) to detect and stop the attack?
· Data encryption: why was critical personal data not encrypted? Only the credit card numbers were encrypted, and the passwords were hashed.
· Application controls: why did the application layer not detect the incorrect payload in the transaction?
· Incident Response: was Sony ready for an incident of this magnitude? Why did it take them 6 days to notify the customers?
· Information Security Governance: why, in the press conference on the 1st of May, did they announce that a new CISO position was going to be created to monitor the security of the PSN?
If Sony did not know that their servers were vulnerable, then they were responsible for not executing a proper risk assessment of their IT infrastructure (Due Diligence). If they knew their servers were vulnerable and did not patch them, then they did not exercise Due Care and are responsible for that.
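The "application controls" and "intrusion detection" points above are the ones a defender can act on most directly. The Python below is an added example, not code from the post or from Sony: it applies allow-list validation to an authentication transaction shaped like the one the post describes (the field names, patterns and limits are assumptions), then counts rejections per source over a few constructed request records, which is the kind of signal a WAF or IDS in front of the logic layer would be expected to raise.

```python
import re
from collections import Counter
from typing import Tuple

# Expected shape of the authentication transaction as the post describes it:
# a firmware version, a passphrase and user credentials. The field names,
# patterns and limits below are assumptions for this example, not the PSN's
# real schema.
FIRMWARE_RE = re.compile(r"^\d\.\d\d$")            # e.g. "3.60"
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
ALLOWED_FIELDS = {"firmware", "passphrase", "username", "password"}
MAX_FIELD_LEN = 256


def validate_auth_request(fields: dict) -> Tuple[bool, str]:
    """Allow-list validation at the application layer: accept only the fields
    we expect, each with a value of the expected type, length and shape.
    Everything else is rejected before it reaches the logic layer."""
    unexpected = set(fields) - ALLOWED_FIELDS
    if unexpected:
        return False, "unexpected field(s): " + ", ".join(sorted(unexpected))
    missing = ALLOWED_FIELDS - set(fields)
    if missing:
        return False, "missing field(s): " + ", ".join(sorted(missing))
    for name, value in fields.items():
        if not isinstance(value, str) or len(value) > MAX_FIELD_LEN:
            return False, f"bad type or length for {name}"
    if not FIRMWARE_RE.match(fields["firmware"]):
        return False, "firmware version has unexpected format"
    if not USERNAME_RE.match(fields["username"]):
        return False, "username has unexpected characters"
    return True, "ok"


# Constructed request records standing in for an application-layer log. The
# addresses and values are made up; none of this is real PSN traffic.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "fields": {"firmware": "3.60", "passphrase": "p" * 40,
                                    "username": "player_one", "password": "pw"}},
    # one malformed version string from an otherwise normal client
    {"src": "10.0.0.5", "fields": {"firmware": "3.6", "passphrase": "p" * 40,
                                    "username": "player_one", "password": "pw"}},
    # a field the schema does not know
    {"src": "203.0.113.7", "fields": {"firmware": "3.60", "passphrase": "p" * 40,
                                       "username": "player_two", "password": "pw",
                                       "extra": "not-in-schema"}},
    # an oversized value
    {"src": "203.0.113.7", "fields": {"firmware": "3.60", "passphrase": "p" * 2000,
                                       "username": "player_two", "password": "pw"}},
    # characters outside the username allow-list
    {"src": "203.0.113.7", "fields": {"firmware": "3.60", "passphrase": "p" * 40,
                                       "username": "player;two", "password": "pw"}},
    {"src": "203.0.113.7", "fields": {"firmware": "3.60", "passphrase": "p" * 40,
                                       "username": "player_two", "password": "pw"}},
]


def detect_suspicious_sources(records, threshold: int = 3) -> list:
    """Count validator rejections per source address and return the sources at
    or above the threshold: repeated malformed transactions from one origin are
    the kind of signal an IDS/WAF in front of the logic layer should raise."""
    rejects = Counter()
    for rec in records:
        ok, _reason = validate_auth_request(rec["fields"])
        if not ok:
            rejects[rec["src"]] += 1
    return sorted(src for src, n in rejects.items() if n >= threshold)


if __name__ == "__main__":
    for rec in SAMPLE_REQUESTS:
        ok, reason = validate_auth_request(rec["fields"])
        print(f"{rec['src']:14s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
    print("flagged sources:", detect_suspicious_sources(SAMPLE_REQUESTS))
```

The validator is deliberately positive (what is allowed) rather than negative (a list of bad patterns): a transaction that carries an unexpected field or an oversized value is refused without the application needing to recognise the specific exploit inside it, and the per-source counter turns those refusals into something an analyst can act on.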

By Agustin Chernitsky   

Thanks to: Fer Spettoli, Rami Corletti and Leo Rosso for their input

6 comments:

  1. Of course Sony is accountable for the incident. They are being held to account by the public, including by those customers whose personal information was stolen. The details of how the attack happened are irrelevant to their accountability: they have plainly failed to protect the personal information placed in their care.

    Replies
    1. Rubbish, their accountability is entirely based on whether their system was appropriately secured.

      If they were attacked by multiple zero day attacks on commonly used, peer reviewed systems expertly configured with appropriate procedures in place, then there could be little blame placed on them. With the appropriate resources any IT system, physical vault or corner of space can be accessed. This is life.

      They weren't, they were attacked by documented vulnerabilities which had patches available and they didn't have appropriately configured systems or procedures in general. Thus, they are completely accountable for what happened.

  2. Great technical analysis. I've featured it on my IT Compliance and Security Blog, the Risk Report. http://mid.typepad.com/home/2011/05/egregious-sony-data-breach.html
    Doug Meier, CISSP

  3. Hi @Gary, thanks for your comment. One of my colleagues (Jeffrey A. Miller) pointed out something very interesting in the LinkedIn CISSP group that I would like to share:

    "Because there is no law stating that a company must have certain Information Security protections in place only means that Sony cannot be held criminally liable for the breach. Civil law on the other hand can find Sony negligent in exercising the due care/diligence in protecting their systems and award monetary damages in the class-action suit filed on behalf of those people with hacked accounts."

    I think his input was great.

    @practicaldr, glad you liked it. There is lots of info on the net regarding PS3 hacking and what users are doing with it. Google for "PS3 cluster" :)

    Please, be my guest and use this material as you wish. I'll be honored if you feature it.
