A hacker has managed to break into a Sony Entertainment Network account and take control of a PlayStation 3 console.
According to security researchers at Kaspersky Lab, the hack was discovered by a hacker known as “Gone” and published on the security blog KrebsOnSecurity.
A post on the blog describes how a remote attacker successfully exploited the console and took control of its user interface using an exploit called “Misdirection of the Mind”.
KrebsOnSecurity said the user could not be authenticated, so the hackers were able to gain access to the console using a “smartcard” that an administrator would have used to log in.
The hacker claimed to be an employee of a US entertainment company.
KrebsOnSecurity said it believed the hacker was working for Sony and was “highly likely” to be connected to the group.
It said he had used the same exploit in the past, but this time he had taken advantage of a vulnerability in Sony’s network to reach the console remotely.
“The attacker may have used a remote-access technique known as a RAT, which is an attack on a remote system using a virus, worm, or any other type of malicious software to gain unauthorized access to a server, network, or computer,” the company said in a statement.
“This attack requires an attacker to have access to at least one of the following: a machine on the network that is used to administer or run an affected program or service, a device running a program or service on a network that contains affected software, or a device connected to a network with affected software.”
To demonstrate the vulnerability, we’ve published the exploit code on the Krebs On Security blog and embedded it in an exploit of our own called Misdirection Of The Mind, which uses a ROTM (remote-object Trojan) exploit to steal the username and password of a PlayStation 3 user and run a malicious program to gain control of the console.
“Our analysis shows the vulnerability is likely a Microsoft vulnerability and we are actively working to identify and mitigate the vulnerability.”
The security researchers said they had not identified any evidence that the attack had been carried out by a third party.
Kaspersky’s report said the exploit was also able to trigger a flaw in the Xbox 360 and PlayStation 3 versions of the affected software that allows remote control of the devices.
“In order to gain remote access to these devices, the attacker would need access to one of these machines and then use a ROP (remote procedure call) vulnerability to gain full remote control over the device,” the report said.
“However, it is not known whether or not a third-party attacker could successfully exploit these vulnerabilities to control a device.”
KrebsOnSecurity reported that a remote-access tool that could be used to reach a PS3 console’s user interface could be downloaded from the Internet for free.
“A malicious user could use this tool to upload a malicious firmware update to a device and download it, either locally or remotely, to a compromised device,” it said.
KrebsOnSecurity said that the vulnerability existed because the exploit itself had been made available for free online by Sony.
“We were not able at this time to identify the attacker, the developer of this vulnerability, or the source of the vulnerability,” the researchers said.