Slashdot Mirror


Keeping Secrets in Hardware: Xbox Case Study

BS405397 writes "Here is the just released MIT whitepaper on the security holes in the MS X-Box, and for those who are interested, opens up the X-Box pretty nicely." Update: 06/04 17:13 GMT by M : The server appears to be down at the moment. There is a copy of the paper mirrored here. Reuters and other news outlets have now picked up the story, two days after Slashdot.

14 of 306 comments

  1. A lesson to be learned by OmniVector · · Score: 1, Insightful

    My favorite game protection of all time was Quake 2. First id Software makes this incredible game, with 0 protection against copying, and then releases Quake 3 with online copy protection and online gameplay only, thus suckering a bunch of people into buying the new version. I wonder if the struggle between companies and consumers will ever end, because the companies always lose :P

    --
    - tristan
  2. Re:it's a console by Anonymous Coward · · Score: 2, Insightful

    First of all, do you spumrags even bother trying to read the links or getting some context before you go off half-cocked? Obviously not. Your message would be better informed if it said "Frost Pist Bitches!"

    Second, it should be obvious to anyone with 2 working braincells that the security problem facing the XBox is not network security but instead security against the local user. Particularly, preventing them from booting non-approved software.

  3. well by martissimo · · Score: 3, Insightful

    The "security holes" this paper is about refer to the author's techniques for breaking the protection of the "secret" boot loader that MS employs.

    It's just his take on where the security could have been improved. All in all, MS looks to have relied on the security-through-obscurity approach (hiding the true boot loader behind a dummy boot loader); it's just that their obscurity fails when you monitor traffic over a bus with a simple card.

    PS: Dreamcasts and PlayStations have always been hackable, as is the Xbox, no real surprise there.

  4. Re:Security holes in a gaming console? by Anonymous Coward · · Score: 1, Insightful

    The security discussed in the paper isn't intended to protect the user, it's intended to protect Microsoft's control over the platform -- it's the lockout that keeps software that isn't blessed by MS from running on the XBox. If companies can bypass it, they can ship XBox games without paying royalties.

  5. Re:DMCA... by dfn5 · · Score: 4, Insightful

    Then why wouldn't DeCSS fall into that category? I'd say that was a pretty good research project.

    --
    -- Thou hast strayed far from the path of the Avatar.
  6. Re:Security holes in a gaming console? by ClickNMix · · Score: 2, Insightful

    I wasn't aware security was a big issue in gaming consoles.

    It never has been, because:

    a) Most systems only kept data related to the game in a very limited space (on a memory card, say, or a cartridge itself in the past). The X-Box is fitted with a hard drive, so there is access to a lot of data beyond the scope of individual games, since all the data is likely to be in one place.

    b) Once you hook something up to the internet (which the X-Box plans to do, or at least to a network of some kind), it opens the door to the data stored on your system. This also means that, as well as game data, users are likely to at the very least have emails stored on their systems.

    --
    I saw the light at the end of the tunnel... But it was just someone with a flashlight bringing more work.
  7. Abstract by Hast · · Score: 4, Insightful

    A lot of people seem to believe that it's about network security. It is about hacking the boot procedure for the X-Box. This can be grasped just by reading the abstract to the paper.

    Abstract

    This paper discusses the hardware foundations of the cryptosystem employed by the Xbox(TM) video game console from Microsoft. A secret boot block overlay is buried within a system ASIC. This secret boot block decrypts and verifies portions of an external FLASH-type ROM. The presence of the secret boot block is camouflaged by a decoy boot block in the external ROM. The code contained within the secret boot block is transferred to the CPU in the clear over a set of high-speed busses where it can be extracted using simple custom hardware. The paper concludes with recommendations for improving the Xbox security system. One lesson of this study is that the use of a high-performance bus alone is not a sufficient security measure, given the advent of inexpensive, fast rapid prototyping services and high-performance FPGAs.

    So no need to worry about DDoS or lost savegames. This is about playing unauthorized games, making a DiVX player etc.
  8. Re:Security holes in a gaming console? by maikeru · · Score: 2, Insightful

    Security is a huge issue in gaming consoles, particularly as they become similar in capability and more competitive with each other.

    It's widely agreed that the making or breaking point for any console is the software library available for it. Console makers therefore spend a lot of time, money and effort attempting to win over software developers to their platform.

    And regardless of how enticing an offer the developer receives, developers need to sell software to stay in business. The main advantage of the console market (as opposed to the PC gaming market) is that the platforms are closed and proprietary, and (ideally) make piracy virtually impossible without modifying the hardware. The main problem with the security holes isn't that malicious users can compromise a user's data; the problem is that even casual users will be able to pirate games.

    This prospect scares the living hell out of developers, and rightfully so. Witness the demise of the Sega Dreamcast, which occurred a surprisingly short time after someone figured out how to boot CD-Rs on the console.

    The bottom line is that developers won't produce for a platform that facilitates piracy. That is very bad news for Microsoft, particularly in light of their bleeding money out of each console they sell.

  9. very interesting by Dr.+Awktagon · · Score: 5, Insightful

    I read that article and found it very interesting. It seems there's always a weakness in any security system, and a clever person with time on their hands can find it.

    But then it hits me: this "security" is to keep THE OWNER, the PAYING CUSTOMER, out of the product he bought. This "security" doesn't protect my family, me, or my possessions from absolutely anything. It serves no purpose except to make work for somebody at Microsoft and then somebody at MIT. If they left it out, they'd save both parties a lot of effort. I'm sure someone will build on this article and figure out how to easily run arbitrary code on the Xbox, and so the security will be a total waste. So why is it there?

  10. Re:Not there yet by nick+this · · Score: 3, Insightful

    Correct me if I'm wrong, but the article states that:

    1. The bootloader and kernel are stored in flash.
    2. The bootloader is RC4 encrypted (symmetric, not public/private keypair).
    3. The flash can be reprogrammed either by desoldering the flash, like bunnie did, or by using what he calls a "bed-of-nails" jig. (I assume this is merely contact points to connect the test points on the board.)

    The RC4 key is now known, so it appears to me that a custom bootloader (and kernel) can be flashed on the box that will allow unsigned code to run without soldering or expensive equipment.

    Probably the path that will be taken is that a booting Linux kernel will be developed using the mod chips that are reported to be on the way; then, once drivers and an Xbox kernel are developed, a bootloader will be written to boot it directly off CD-R/RW or HDD. Supposedly the Xbox is kinda flaky about reading CD-Rs, but DVD+RW won't present a problem.

    I wouldn't be surprised to see a bootloader that would either boot into the Xbox or off an untrusted CD or DVD.

    I expect to see a cheap and easy kit for booting Linux on Xbox in less than six months. Console DivX/MP3/MAME player, here we come!

  11. It is NOT public key by yerricde · · Score: 2, Insightful

    > You have it backwards.

    No, you have it all wrong. The Xbox encrypts the flash with RSA's RC4 symmetric cipher (i.e. not a public key cipher). The remainder of this post is (strictly) off-topic because the Xbox boot process does not use public-key encryption.

    > The private key decrypts... the public key encrypts.

    In a public-key secrecy scheme, you're correct. But in a public-key authentication scheme, the private key encrypts the hash into a signature, and the public key decrypts the signature for comparison with the hash.

    > He has the private key. And you can derive the public key from the private key.

    No, you can't do that in (for example) RSA.

    --
    Will I retire or break 10K?
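    The two designs argued over in comments 10 and 11, as an added toy model that is not from the MIT paper or from any poster here: a decrypt-then-check boot block keyed with a symmetric (RC4) device key, beside a signature check in which the device holds only the public half. The device key, the image bytes, the MAGIC header and the toy RSA parameters are all constructed for the example.

```python
# Added example, not from the MIT paper or any commenter above: a toy model of the
# two boot-image designs argued over in comments 10 and 11. Key, images and MAGIC
# are constructed; RSA is textbook (unpadded) with toy parameters.
import hashlib
MAGIC = b"XBOOT"  # constructed header the symmetric checker expects after decryption

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR: the same call both encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def symmetric_boot_accepts(device_key: bytes, flash_image: bytes) -> bool:
    """Decrypt-then-check boot block: any image that decrypts to MAGIC passes,
    so whoever learns device_key can produce an accepted image (comment 10)."""
    return rc4(device_key, flash_image).startswith(MAGIC)

# Toy RSA with Mersenne primes: n is about 2^234, larger than a SHA-224 digest.
P, Q = (1 << 107) - 1, (1 << 127) - 1
N, E = P * Q, 65537                  # public key: what a device would embed
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: stays with the vendor

def digest_int(image: bytes) -> int:
    return int.from_bytes(hashlib.sha224(image).digest(), "big")

def rsa_sign(image: bytes) -> int:
    """Vendor side: the private key 'encrypts' the hash into a signature."""
    return pow(digest_int(image), D, N)

def rsa_verify(image: bytes, signature: int) -> bool:
    """Device side: only (N, E) is needed to 'decrypt' and compare (comment 11)."""
    return pow(signature, E, N) == digest_int(image)

def demo() -> dict:
    key = b"constructed-device-key"
    sig = rsa_sign(b"vendor kernel")
    return {
        "symmetric_vendor": symmetric_boot_accepts(key, rc4(key, MAGIC + b"vendor kernel")),
        "symmetric_other": symmetric_boot_accepts(key, rc4(key, MAGIC + b"any other code")),
        "rsa_genuine": rsa_verify(b"vendor kernel", sig),
        "rsa_tampered": rsa_verify(b"altered kernel", sig),
    }
```

    The symmetric checker accepts both images because the same embedded key that decrypts also produces them; the signature checker accepts only the image the private key signed, and the public exponent it holds does not let it sign anything.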
  12. Re:Security holes in a gaming console? by e_AltF4 · · Score: 2, Insightful

    > I wasn't aware security was a big
    > issue in gaming consoles.

    Security has its place in THIS gaming console

    a) it's intended to be connected to the internet
    b) it has a HDD

    imagine someone writes a nice virus/worm with evil intentions (e.g. download a tiny Linux distro, and then take over your XBox, store child pornography on your HDD or start a DoS on www.microsoft.com :-)

  13. Re:Booting CDR/DVDR by CatPieMan · · Score: 2, Insightful

    Don't know about burning (or even obtaining) the mini-DVD-Rs that Nintendo uses, but Sega tried just this with the Dreamcast. The Dreamcast used a proprietary CD (I think it was called a GCD or a CDG or something) and was supposed to have a capacity of about 1GB (making burning impossible on a standard CD). There were two problems with this. The first one was, since the products were slightly non-standard, they were very easy to scratch, and this would make the game not work. The second was the fault of the developers: they never used the full potential of the disk and only used less than 650MB -- so people could burn them on CD writers (after some modifications here and there; it isn't quite that easy, but it is close).

    Sometimes, it is just easier (and arguably better) to use the standard equipment rather than have to create something totally new.

    -CPM

    --
    ---You're all I need, When the water runs deep, You're all I need, Now I cry my soul to sleep -- Collective Soul, Needs
  14. Re:No, it's legal by Nihilanth · · Score: 3, Insightful

    The difference between something being "legal" and something being "legal, but pisses off a major corporation" is a contrast becoming starkly clear lately.