PS3 jailbroken

Monday, January 24, 2011

At the December CCC conference, George Hotz, known by the nickname GeoHot, disclosed that he had discovered the private key used to sign the firmware of all PS3 devices.

Usually, a piece of code is signed using a private key. The device checks that the code is properly signed using the corresponding public key. If it is, this proves that the software was not tampered with and that it was issued by the owner of the private key (here Sony). Normally, there is no way to guess the private key from the public key. The usual assumption is that this private key never leaks. Private keys are usually stored in a Hardware Security Module (HSM) within a safe and under strict security policies. This is the cornerstone assumption of most trust models.

It seems that GeoHot and Fail0verflow guessed the private key due to a mistake in the signature software, which uses a fixed value and not a true random value, according to a member of the Fail0verflow team in an interview with the BBC.
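The fixed-value mistake described above, worked through as an added example (not code from the original post or from Fail0verflow). The post does not name the signature scheme, so this assumes textbook ECDSA over the standard secp256k1 curve, with a constructed key and messages; the `audit` function flags two signatures that share the same `r` and returns the private key they imply.

```python
import hashlib

# secp256k1 domain parameters (a standard curve, assumed here for brevity)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    m = num * pow(den, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add; not constant time, demonstration only
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg, k):
    """Textbook ECDSA; k is a parameter so the flawed fixed-k signer can be modelled."""
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (digest(msg) + r * d) % N

def audit(sigs):
    """sigs: list of (msg, r, s). Return the key implied by a repeated r, else None."""
    seen = {}
    for msg, r, s in sigs:
        if r in seen and seen[r][1] != s:
            m0, s0 = seen[r]
            k = (digest(m0) - digest(msg)) * pow(s0 - s, -1, N) % N  # shared k
            return (s * k - digest(msg)) * pow(r, -1, N) % N         # private key d
        seen[r] = (msg, s)
    return None

# Constructed sample data: a demo key, a fixed per-signature value, two messages
D, FIXED_K = digest(b"constructed demo key"), digest(b"constructed fixed value")
FLAWED = [(m, *sign(D, m, FIXED_K)) for m in (b"image-A", b"image-B")]
```

Deriving the per-signature value deterministically from the key and the message, as RFC 6979 specifies, removes the dependency on the signer's random number generator.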

The PS3 was already jailbroken. The difference from the previous jailbreak is that this one is purely software. It does not require changing anything in the PS3.
There is no way to recover. It is now possible to execute arbitrary code on the PS3, because it is possible to sign any code. The issue is that this check is done in the loader, which cannot be modified in the field (otherwise the hackers could easily change this checking process :( )

Sony has launched, under the DMCA, a procedure for a temporary restraining order that attempts to stop dissemination of the jailbreak.

Lessons:
– Proper implementation of cryptography is difficult
– PS1 and PS2 were open to homebrew applications. They were never hacked. PS3 was closed… Blocking the access of a game console for homebrew may be an attractor for crackers.
