Keeping Secrets in Hardware: Xbox Case Study
BS405397 writes "Here is the just released MIT whitepaper on the security holes in the MS X-Box, and for those who are interested, opens up the X-Box pretty nicely." Update: 06/04 17:13 GMT by M : The server appears to be down at the moment. There is a copy of the paper mirrored here. Reuters and other news outlets have now picked up the story, two days after Slashdot.
The "security holes" this paper is about refer to the author's techniques for breaking the protection of the "secret" boot loader that MS employs.
It's just his take on where the security could have been improved. All in all, MS looks to have relied on the security-through-obscurity approach (hiding the true boot loader behind a dummy boot loader), just that their obscurity fails when you monitor traffic over a bus with a simple card.
PS: Dreamcasts and PlayStations have always been hackable, as is the Xbox, no real surprise there.
Then why wouldn't DeCSS fall into that category? I'd say that was a pretty good research project.
-- Thou hast strayed far from the path of the Avatar.
So no need to worry about DDoS or lost savegames. This is about playing unauthorized games, making a DiVX player etc.
I read that article and found it very interesting. It seems there's always a weakness in any security system, and a clever person with time on their hands can find it.
But then it hits me: this "security" is to keep THE OWNER, the PAYING CUSTOMER, out of the product he bought. This "security" doesn't protect my family, me, or my possessions from absolutely anything. It serves no purpose except to make work for somebody at Microsoft and then somebody at MIT. If they left it out, they'd save both parties a lot of effort. I'm sure someone will build on this article and figure out how to easily run arbitrary code on the Xbox, and so the security will be a total waste. So why is it there?
Correct me if I'm wrong, but the article states that:
1. The bootloader and kernel are stored in flash.
2. The bootloader is RC4 encrypted (symmetric, not public/private keypair).
3. The flash can be reprogrammed either by desoldering the flash, like bunnie did, or by using what he calls a "bed-of-nails" jig. (I assume this is merely contact points to connect the test points on the board.)
The RC4 key is now known, so it appears to me that a custom bootloader (and kernel) can be flashed on the box that will allow unsigned code to run without soldering or expensive equipment.
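As an added illustration of the point in item 2 (this is not code from the paper or from the commenter): with a symmetric cipher, a boot stage that merely decrypts and sanity-checks the result cannot tell a genuine image from one produced by anybody else who holds the key, and a stream cipher such as RC4 is also malleable, so tampering outside the checked header goes unnoticed. The RC4 routine is the standard algorithm; the key, magic header and loader check are constructed stand-ins, not the real boot ROM logic.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: XOR with the keystream, so one call encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA)
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


MAGIC = b"XBL1"  # hypothetical header that a decrypt-only loader checks


def decrypt_only_loader_accepts(image: bytes, key: bytes) -> bool:
    """Models a boot stage that decrypts and checks a magic header, nothing else."""
    return rc4(key, image).startswith(MAGIC)


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; stands in for an extracted key
    genuine = MAGIC + b"genuine second-stage code"
    image = rc4(key, genuine)
    # 1. Whoever holds the symmetric key produces an image the loader accepts:
    #    encryption proves nothing about who wrote the plaintext.
    forged = rc4(key, MAGIC + b"a different second stage")
    # 2. Even without the key, flipping one ciphertext bit flips the same
    #    plaintext bit, so a header-only check cannot detect body tampering.
    tampered = bytearray(image)
    tampered[-1] ^= 0x01
    return {
        "genuine_ok": decrypt_only_loader_accepts(image, key),
        "forged_ok": decrypt_only_loader_accepts(forged, key),
        "tampered_ok": decrypt_only_loader_accepts(bytes(tampered), key),
        "tampered_body_differs": rc4(key, bytes(tampered)) != genuine,
    }
```

The defence the commenter hints at is an authenticity check the key holder cannot forge: the loader must verify a signature over the decrypted image against a public key stored in immutable ROM, rather than treating successful decryption as proof of origin.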
Probably the path that will be taken is that a booting Linux kernel will be developed using the mod chips that are reported to be on the way. Then, once drivers and an Xbox kernel are developed, a bootloader will be written to boot it directly off CD-R/RW or HDD. Supposedly the Xbox is kinda flaky about reading CD-Rs, but DVD+RW won't present a problem.
I wouldn't be surprised to see a bootloader that would either boot into the Xbox or off an untrusted CD or DVD.
I expect to see a cheap and easy kit for booting Linux on the Xbox in less than six months. Console DivX/MP3/MAME player, here we come!
The difference between something being "legal" and something being "legal, but pisses off a major corporation" is a contrast becoming starkly clear lately.