Recorded on May 28, 2019, 2019 at G-Unit Studios in Rhode Island!
- Register for our upcoming webcasts by going to securityweekly.com/webcasts . If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand. Also, you can now submit your suggestions for guests in our recently released guest suggestion form! Go to securityweekly.com/guests and enter your suggestions!
Interview: Game Consoles
I don't really know much about video consoles so I went and got one. A used Playstation 4. So, I set this up on my home network and just tried to ping it. I got a reply so it is a TCP/IP device which means it has the potential to be a security threat.
I learned from the nmaps can that it was Cisco AsyncOS esque fingerprint and even said "Sony embedded". It only had two open ports 68/udp and 5353/udp both of which are common services (dhcp and dns). So, basically, it's pretty secure from that point of view (inside my local network). I couldn't find any real exploits against the Playstation on those udp ports and those ports wouldn't even be visible to anyone outside your local network unless you forwarded them from your border router or set up snat. The playstation can certainly talk to the outside world but it uses the PAT setup that all your other devices are using so basically someone scanning for it from outside wouldn't see anything unless you set something up.
It does appear to have wifi capability (which I had not enabled) but was broadcasting bluetooth which has a range of about 10 meters. This was for the controllers (wireless handheld controllers) which again, seems back into "the call is coming from inside the house" and I am not really sure what you could do other than maybe cause the controllers to fail.
So, is this going to be the shortest show ever? No. Then I got curious, where is the threat. Ahh, PSN. So, this thing is linked into something called Play Station Network. That's an online service that you create an account and subscribe to. So, I set one up and started looking at this. Immediately, my playstation connected to a BUNCH of services including music, store, video, etc. It would even support Netflix, et. al. so I could stream content down to the screen I was using for the console. Again, basically, there is no real threat from these services per se, meaning, they are the same services and types of services you use on a computer and, in fact, you can access all these services through a regular computer as well. So, again, other than the inherent threat of the services themselves, there wasn't anything remarkable about the playstation.
So, where's the beef? Well, I did a quick search on malware for playstation and there wasn't much. I didn't find any real CVE type malware that was targetting Playstations from the outside. The reason is that it's really hard to find the targets since they sit behind PAT and SOHO firewalls so there is not real outward facing profile to let someone find them and even if you knew someone had one, you can't access it by IP since it is most likely PAT. So, is it safe?
Well, nothing is safe, I hate to tell you. Zero Day exploits, you know, all that. The real threat from this device is very similar to cell phones I think. The actual device seems pretty hardened from attack. I was able to move a file onto the system but only in a VERY limited context. It had a game on it called MLB The Show 2017 which allowed me to move a file onto the system. The only file type it would read was an mp3 and it had to be in specific folder (MUSIC) on a flash drive and the file was moved into the "shell" of the game. So, you couldn't even see the file from the UI at all, only inside the game shell.
Now, I am not trying to tell you there is no way to "hack" this console. There are plenty of ways to attack the console if you have the console sitting on the table. There are ways to "jailbreak" it, etc. I didn't even try since that's not our purpose here. We are talking about external threats not hardware hacking.
So, I looked at this game (one of MANY MANY MANY games that you could buy) MLB The Show 2017 (there is a current version but I didn't want to pay for it). It looks like the two main threats from a systems perspective are a) inbound messages and b) social engineering attacks.
Inbound messaging. This game had the facilities to allow someone to send you a message that has content. The PSN itself has this facility as well. So, a whole social media web exists with subsets on the PSN. That means that people who subscribe, can construct messages and media that they send to other users and that means threats. Apparently, some sort of malformed message was being sent last year via PSN that bricked the console temporarily. It didn't really brick it, just acted like that. So, the attack did NOT come from layer 3 but rather from layer 7. So, if a game like this theShow game allows inbound constructs, then it is at least possible that any given game could receive some sort of threat embedded in a messaging system. That means that you are at the mercy of whomever wrote the code for that game. Scared? Don't be.
So, computer games have been around forever. The first on I played was in about 1980 on an Apple IIe and ran on a cassette tape (walked is more like it). There are NO controls on local games that are running in windows on your machine. If you install them as administrator, well, they may well have embedded trojans, phone homes, bot nets, you name it. So, review carefully. On the Playstation, much like an Apple phone, the code is restricted to games that are approved. That doesn't mean they are perfect, but Sony is assuming some liability there and that litigation threat, I think, really helps. It may mean some game is not available but it's far more restrictive than even your phone.
So, after spending a lot of time poking around in this baseball game and looking for threats. I decided the real threat was social engineering, imagine that. Inside the game context and inside the PSN context you can use a handle so there is a kind of anonymity achieved right there. You didn't have to pay anything to have a PSN account. You did have to pay to connect to others on the baseball game so that would require a credit card. But, on PSN, it's possible to interact with others via the console and receive data on that console (same with the computer). That means that an embedded or malformed message could be generated but it's tricky and seems far less prevelant than regular pc attacks. But, someone could very easily redirect or try to link to an phishing site or some other site with a message.
Let's try and think about the biggest threats to your family from consoles then:
- If you can access it with a computer, you can probably access it with a console. -- that means you could look at porn all day on this just as well. It has a browser so you can get to web sites. So, supervision of small children is the key to this one. Sitting around all day looking at anything isn't healthy so keep that in mind. Note: PS4 doesn't have anti virus since you can't really install something on this type of operating system.
- Treat this like social media. That means you need to review the settings. PSN allows you restrict who can contact you or your family members. Set it to FRIENDS ONLY so that only people you explicitly allow can send your family members messages. I would actually call this the greatest threat I saw. If this setting is wide open, anyone (and remember PSN allows a kind of pseudo anonymous login) can just send you a link, try and talk to you, make arrangements to meet you in a game, all those sorts of things. Use your social media plan (you have a social media plan right?)
- Be really careful about talking to strangers. Most all games today have interactive MMORPG components. Even baseball will allow you to set up games and talk to strangers. Now, the baseball game did NOT allow you to speak (like fortnight, etc.) but you could interact. I also saw the ability to put messages on logos, links, etc. Very limited compared to the general interweb but still there. That said, most games have the ability to talk, swear, use racial slurs, etc. When my kid was little, I played every game she wanted to play (and that's not as fun as it sounds) to see what risks were there. Most kids games are kind of constructed with restrictions in mind but remember, you can access chat rooms, IRCs, you name it with the console too. This isn't any different than the laptop but it's often overlooked in the family room/gaming basement, etc. Teach your kids not to give out personal information of any sort in any social media environment. Period. Don't let you kids put their ages, birthdays, you name it in their id or make their handle things that imply they are children. There are predators on these sites.
- Grow up. I am always shocked and dismayed at parents who think their 8th graders are innocent. When I was in the 8th grade you could get porn, yes it was on punched cards, but still. Kids got copies of mags, you name it. Today, it's easier, so stop kidding yourself. It's not the fact that your kid saw porn. They are going to see it. The problem is when they have no context, you act like it doesn't exist, and they sit around all day looking at it. Get involved. If your kid wants to play fortnight, then play some fortnight with them until you understand the context and what may happen. That way when someone says the N word, or the F word, or the C word, you can explain your views on those things. (note, when my kid and I were playing Mario Karts, she learned a lot of F words from me). But DONT kid yourself, if your kid is wanting to play these games, well, there's always that friend whose parents work. Trying to keep your child off of technology is going to be about like telling kids not to smoke cigarettes in 1945. Not going to work.
- It's not really possible to download things but you could put in a link to a phishing site. Now is the time to start teaching your kids to NEVER put information out there when it's requested. It's probably a good time to start teaching your kids to use throwaway email addresses, etc. for going to sites. The good news is, you can't really do anything with the console. You can go there but you can't do much. So, your network is not going to get infected (at least currently) from going to a malware site with a console. Now, could someone put a link in a graphic in a game, yes, could that link lead a laptop to a malware site? yes, etc.
- The console is not as risky as a laptop/computer
- Almost nothing can be installed on the console that was not vetted by Sony
- You can get involved in verbal, video, and other live exchanges just like social media so get a plan.
- You can see offensive (who knows what that means) material but far less than you would see on a laptop.
- The console adds little surface to your physical threat likelihood.
- The console is safer than the laptop but understand that predators exist everywhere and they are clever. (if you go to my pet rescue site on your phone/laptop, you can see all the puppies we rescued today. Check it out).
- Teach your children well, their father's hell did slowly go by.
So, in the end, you need a hygiene and social media plan. Same as if you have laptops, tivos, you name it. Your kid is going to be online their whole life, so they need to start learning now how to function. I know it's hard if you grew up in the "silent era" playing with mud but look, it's not going away. You can go live in a cave, but like many cave dwellers would tell you, they don't have fortnight or wifi. Except for that cave Russ found in Latvia on Airbnb. That one has wifi and a bar.