November 2013 marks the final transition from the seventh to eighth generation of home video consoles. Although Nintendo’s Wii U living room console and 3DS portable device have each been on the market for a while, Sony and Microsoft are set to introduce the PlayStation 4 and Xbox One, respectively, two devices that have garnered much attention for their cutting-edge specifications.
Moreover, the latter pair of consoles are differentiated from Nintendo’s eighth-generation offerings by their overarching focus on network services and industry hardware standards. For example, both the PS4 and the Xbox One utilize x86 processors that are similar to the ones found in most PCs and Macs. While these chips will dramatically boost performance compared to the previous generation, they may also open up many new attack surfaces for cybercriminals well-versed in x86 exploits.
However, the more pressing issue may be the extent to which connectivity is baked into these consoles, especially the Xbox One. Consumers have already expressed discomfort at the prospect of an always-on Kinect, the networked motion-detection webcam that supplemented the outgoing Xbox 360 and is now integrated out-of-the-box with the Xbox One.
Additionally, all three eighth-generation living room consoles utilize online services to a greater extent than their respective predecessors, not only for gaming but also for media consumption. They have become computers by another name, but with much of the same cybersecurity baggage. It will be critical that professionals regard them as such and work with vendors in the space to minimize risk for users.
May 2013 Wii U hack a prelude to eighth-generation console vulnerabilities
While it has received less attention than the PS4 or Xbox One, the Wii U has also entered into the cybersecurity spotlight. In early 2013, a group of hackers claimed that it had reverse-engineered the encryption key and disk authentication that the console uses to ensure that it can only run games from trusted sources.
WebProNews explained that the attack could be the first of many on the Wii U’s security mechanisms, if Nintendo’s experience with the older Wii is any guide. The Wii, released in 2006, was often the target of pirates seeking to load games via alternative methods, necessitating a long string of mandatory updates.
Similarly, the recent Wii U breach may allow users to side-load games via USB drive, bypassing the system’s requirements that media be on optical disc or purchased from the Nintendo eShop. While some users may benefit from greater flexibility, the loss of these safeguards could put others at risk of losing data to malicious, unlicensed software.
Kinect, PSN and the privacy issues of next-generation consoles
However, the Wii U incident is relatively mild in light of some of the wide-ranging vulnerabilities that may exist in its competitors. When it was unveiled earlier this year, the Xbox One stirred up controversy because of the inclusion of an integrated, always-online HD video camera called the Kinect.
Initially, the new Kinect was marketed as a mandatory part of the system – users could not turn it off without making the rest of the console unusable. After consumers and media outlets expressed concern about the privacy issues that such a setup could cause, Microsoft backpedaled, announcing that the Kinect could be unplugged and was not required.
Still, the evolution of Kinect – which began as a simple peripheral – demonstrates how video game consoles are maturing and transforming into endpoints that merit serious scrutiny from the cybersecurity community. According to NBC News, the Xbox One Kinect is so sophisticated that it can read a user’s heart rate. In this respect, it is hardly unique, given the wide range of voice and biometric technologies that eighth-generation consoles are using to authenticate users.
“Video game consoles pose problems akin to those of mobile phones because users often have very little visibility into what the devices are doing and very little control over the software running on the devices,” Electronic Frontier Foundation technologist Seth Schoen told NBC News. “They increasingly have audio and video sensors watching what goes on in people’s living rooms. And we know that governments have been discussing the idea of being able to tap in-game conversations for years, in keeping with the pattern of trying to develop the ability to spy on each and every communications medium.”
At the same time, the surveillance possibilities of a living room device are enhanced by how new consoles leverage cloud computing to support online play, media consumption and in-game chats. The Xbox One uses cloud infrastructure for dedicated server hosting, but a more worrying prospect may be the recent changes to Sony’s PlayStation Network messaging service.
SiliconANGLE’s Saroj Kar pointed out that the terms and conditions for the PS4 require users to consent to Sony possibly monitoring their communications. Likewise, the contract stipulates that Sony may collect sensitive information such as name and even IP address and provide it to other parties as part of Sony’s policy enforcement, which the company says is intended to monitor and address piracy and malicious use issues.
Online console services have an obligation to protect users and prevent hacking
As network services become more essential to the console gaming experience, users are at increased risk from cybercriminal campaigns. In 2011, the PlayStation Network went dark for nearly three weeks after hackers breached Sony’s systems and may have compromised millions of users’ data. Going forward, such attacks may become more widespread as consoles integrate a wider range of services.
In an article for Polygon, Emily Gera chronicled how both Microsoft and Sony have taken steps to protect online user accounts from unauthorized access. Sony built a new data center in the wake of the PSN breach, while Microsoft has taken steps to improve the security of its Xbox Live subscription services, as well as the data sharing processes between Microsoft and partners such as Netflix that publish connected Xbox applications.
Still, there is widespread concern in the video gaming and cybersecurity communities about the future of console security. Hardware and software have become more sophisticated, putting space between current devices and their simple, mostly offline predecessors.
Sony chief information security officer Philip Reitinger stated that consoles faced an uphill challenge in fending off attacks and building strong defenses. The situation hasn’t been helped by the lack of transparency around the 2011 PSN breach, which left many cybersecurity professionals in the dark about the network’s security.
In light of how much gaming consoles have changed in recent years, it is imperative that they be treated like any other endpoint when it comes to cybersecurity. With millions of new consumers likely to buy a Wii U, PS4 or Xbox One this upcoming holiday season, the time is ripe for continued discussions about how to keep gaming secure.