Kimberly Cannon
For the FAST research project, my team conducted research on the Sony PlayStation 4 gaming console. The purpose of the research was to detect and exploit any security vulnerabilities if possible. While the research may have not yielded any major security flaws in the gaming system, it did provide our team with insight into the methods used to secure the PS4 and experience on how to conduct research as an undergraduate student.
From this research project, I have learned just how secure the PlayStation 4 really is. Quite a few security flaws were found in all of the earlier renditions of the PlayStation, however, since its release in 2013 no major holes have been found in the PS4. The operating system of the PS4 is a mystery itself. The actual structure of its underlying operations is mostly unknown. The only clue that we have into the software that makes up the PS4 is that it was based upon the free, open source operating system FreeBSD. There were several other open source programs that Sony listed which were used to make up the PS4, but Sony did a thorough job in ensuring that this did not allow for any holes. Possibly the most vital part to the PS4’s encompassing security is the fact that the hard drive is encrypted. This prohibits users from analyzing the hard drive in any useful capacity. I was able to make a copy of the PS4’s hard drive, but because of this encryption, was not able to read its contents.
The PS4 also allows you to connect a USB drive to the console which is intended to save game data on. The player can take screen shots or even videos during the game and upload them to a flash drive to save. Typically USB ports can be a great “way in” to a device. If you can upload specialized code to a flash drive, connect the flash drive to the device, and then download the code onto the device you may be able to gain access to the system. This approach did not pan out for the scope of our project though because the PS4 is not designed to download content from the USB to the console. If, however, Sony releases an update in the future which allows a player to upload data from a USB to the PS4 (say for instance, to upload gaming pictures that you saved from one PS4 onto another), there would be much greater potential for this type of exploit.
From working on the FAST research project I gained invaluable experience on conducting research. I was put into a new way of thinking than what is typical during classes. Instead of being given a problem and working on a concrete solution, I was had to come up with the questions and ways to test them. Not every question produces the sought after answer in research. For the project I had to independently determine how security in the PS4 could be tested. Since there is little research that has previously been conducted on the PS4 and no major security flaws that had been reported, there were no documented standards to base our methods on. Instead I had to use the small amounts of information that were present on the PS4 and then resources for older models, such as the PlayStation 3, to study any potential weaknesses. Unfortunately, for our sake, Sony did a thorough job in patching the vulnerabilities present from older models.
Although our research did not reveal any security flaws in the PlayStation 4, this does not mean that there are none present. Security researchers generally agree that no system is absolutely secure. It is more so a matter of time and research efforts until a major security issue is released. Regardless of our findings, the research project benefitted me with new skills that I will be able to further cultivate in my final semester at Sam Houston State University for my career.