PS3 encryption key leaks hours after judge rules Sony not accountable for user security
A coveted encryption key that helps keep media pirates locked out of Sony’s PlayStation 3 game console leaked on the Internet Tuesday night, just hours after a judge ruled that the company may not be held liable for a major security breach that exposed millions of customers’ private details to hackers and left Sony’s Internet gaming service offline for more than a month.
A group of hackers calling themselves The Three Musketeers claimed on a text sharing website that they leaked the key after learning that another group had already obtained it and was already selling software that used the key.
“You can be sure that if it wouldn’t have been for this leak, this key would never have seen the light of day, only the fear of our work being used by others to make money out of it has forced us to release this now,” they explained.
The encryption key is theoretically capable of giving hackers and homebrew developers the ability to run custom instructions for the PS3 hardware, potentially opening up functionality that’s supposed to be reserved for professional developers working on commercial software for paying customers.
That means hackers could create their own custom operating system for the PS3 that allows the system to play pirated media, like copied Blu-rays or downloaded games — but it also means that tinkerers at home could develop their own unique applications for the PS3 and distribute them free of charge, which is entirely legal.
The key’s release is another in a long string of security setbacks for the company, and comes at a sensitive moment for Sony’s public relations.
A class action lawsuit against the company was dismissed just hours before the key was leaked online, with U.S. District Judge Anthony J. Battaglia ruling that Sony cannot be held accountable for a major hack last year that exposed more than 100 million users’ private information to hackers and left the PlayStation Network gaming service down for a month.
The judge’s ruling pointed to Sony’s own terms of service, which say that the company “cannot ensure or warrant the security of any information transmitted to us.”
The last time the PS3’s core security was conquered, Sony called police and had a SWAT team raid the home of the hacker, George Hotz. Although he ultimately settled, the company’s legal pursuit of Hotz was relentless, and was ultimately cited by hackers as the inspiration for breaking into the PlayStation Network.
The ensuing month of downtime cost Sony more than $2 billion, and they were forced to essentially rebuild the service with new security as hackers mocked them for allegedly keeping passwords stored in unencrypted text files.
Though the ruling Tuesday does mean Sony is likely protected from future losses due to the hack, it could still prove very costly, possibly to the degree of becoming pointless, to fight all the homebrew coders who’ve already pounced on the PS3’s encryption key.
(H/T: Ars Technica)
Photo: Flickr user joo0ey, creative commons licensed.