It has been a full week since news of hacking group Fail0verflow’s recovery of the PS3 “root key” (the private signing key, which would let homebrew developers sign their own applications as if they were Sony) began to filter out of the 27th Chaos Communication Congress (27C3) in December 2010. Sony executives either had not been paying attention to the reports or had written them off as one more easily patched security hole, because the company released no statement on the discovery until today.
The statement Sony provided to Edge Magazine suggests it was the latter.
“We are aware of this, and are currently looking into it,” a Sony representative told Edge. “We will fix the issues through network updates, but because this is a security issue, we are not able to provide you with any more details.”
But statements made by the Fail0verflow team, and reiterated to the BBC yesterday by group member pytey, indicate that there is no simple fix this time, as there was with the USB-dongle hacks such as PSJailbreak that a firmware update could block.
“The complete console is compromised – there is no way back,” pytey told the reporter. “This is as bad as it gets – someone is getting into serious trouble at Sony right now. The only way to fix this is to issue new hardware.”
Pytey also explained how the Fail0verflow team was able to calculate the key, which he described as something that is “supposed to be the most secret of secret of secrets – it’s the Crown jewels,” and exactly where Sony went wrong:
“Sony uses a private key, usually stored in a vault at the company’s HQ, to mark firmware as valid and unmodified, and the PS3 only needs a public key to verify that the signature came from Sony,” he said. “Applied correctly, it would take billions of years to derive the private key from the public key, or to make a signature without knowing the private key, even when you have all the computational power in the world at your disposal. The signing recipe requires that a random number be used as part of the calculation, with the caveat that that number must be truly random and not predictable in any way. However, Sony wrote their own signing software, which used a constant number for each signature.”
From there, it was just a matter of “simple algebra” to uncover the key: two signatures made with the same random number share the same first component, and subtracting one signature from the other cancels everything except that number, after which the private key falls out of either signature.
It’s quite likely that Sony’s lawyers are very busy at the moment trying to find a way to put a stop to this, but pytey says he’s not worried. “I haven’t stolen anything,” he said. “It’s my own hardware, I can run whatever I like on it.” If the outcome of last month’s Xbox 360 mod-chip trial in California is any indication, these researchers should be on safe legal ground.