Not so long ago, we heard news of a “Playstation 3 rootkit” which turned out to be rumours based on misinterpretation of comments made in IRC.
Today, we wake up to the alleged revelation that your “credit card info is not secure” on the Playstation 3 network. This all stems from a five-page research document entitled “Call of Privacy: Modern Spyware by Playstation network”.
As a result of the above document mentioning unencrypted credit card data, reports quickly spread that your payment information was being sent unencrypted across the network, which seemed strange (what happened to SSL?) – and sure enough, it seems initial reports were inaccurate. The (theoretical) danger to your payment details is an issue when using custom firmware – otherwise, you should be fine. Even then, the attacker would apparently have to use custom firmware, certificates, proxies and third-party DNS.
The research document above did mention that custom firmware was the reason payment information was being sent unsecured, but that seems to have got lost in the background noise – even though the sole reference to credit cards takes up one single page out of the five. The rest of the document mainly talks about banhammers and the fact that SONY may know what kind of television you have connected to the PS3, and provides links to the (completely unrelated) rootkit story from 2005.
Ars Technica has an updated article which sheds some light on the confusion. For now, if you’re running non-custom firmware on your PS3 you shouldn’t panic too much about this one.
Christopher Boyd