14 DAY TRIAL // Some security researchers fear that a recent hack which allows anyone to create code that runs on PlayStation 3 gaming consoles might serve as a catalyst for malware development on the popular platform.
Last week, a group of three hardware hackers called fail0verflow announced at the Chaos Communication Congress (27C3) in Berlin that they managed to recover the private encryption key used by Sony to sign all PS3 games and applications.
The hackers executed a type of collision attack against Sony's own implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA).
A secure implementation requires a secret unique number to be used for each generated signature, however, in Sony's case this number was static.
The private key itself was not released by the hackers. They only demonstrated that they have it and can sign their own code that executes unrestricted on the console.
However, a few days later, renowned iPhone hacker George Francis Hotz (geohot) published it on his own website. He probably reverse-engineered it using the method described by fail0verflow.
At this point, the security of the PlayStation 3 is pretty much non-existent, and if homebrewing (the creation of custom programs) takes off, then it could also lead to malware being developed.
It would be easy for malware distributors to attach a trojan to a legit homebrew application and repackage it.
And since most of these consoles have Internet access, the idea of a PS3 botnet is not far-fetched. iPhone and home router botnets have already been observed in the past.
"Buying games and related content from the online shop via credit card is popular and potentially dangerous if homebrew software is installed, as the software could carry out a man-in-the-middle attack or redirect to phishing sites," notes Christian Funk, a Kaspersky Lab security expert.
"Alternatively, installed games or the respective game scores could be blocked and thus the software would act as ransomware or send out spam via the internal message system... There are many malicious possibilities that the bad guys can utilize for financial profit," he concludes.