Is That a Rootkit on Your PlayStation 3?

Oh dear, did Sony quietly slip a rootkit onto the PS3 with its recent 3.56 system update? Did the company apply a suite of software tools designed to conceal their own surreptitious file manipulation? To hide real-time processes executed without your knowledge or consent? Is your PS3 compromised?

People Say the Darndest Things

Treat this as whatever's categorically subordinate to "rumor and innuendo," but a NeoGAF user apparently respected for his (her?) knowledge of PS3 functionality claims Sony slipped something extra into its recent 3.56 system update.

"Essentially Sony can now remotely execute code on the PS3 as soon as you connect [to the Internet]," writes user N.A. "This can do whatever Sony wants it to do such as verifying system files or searching for homebrew."

According to N.A., the update gives Sony the ability to "change the code and add new detection methods without any firmware updates and as the code executes remotely there is no reliable way to forge the replies."

N.A. surmises this marks the end of using custom firmware online, "as PSN [PlayStation Network] can just check before login that this is active." That, or it means "it will be even easier for Sony to detect and ban users."

Oh No They Didn't!

Oh yes they (quite possibly) did. But even assuming the latter--and bear in mind you'd be doing so based on an unvetted forum claim--let's get a few things straight.

First, Sony's PlayStation Network "Terms of Service and User Agreement," specifically subsection 11, "Maintenance and Upgrades." That's the part where Sony says "it may become necessary for SCEA [Sony Computer Entertainment America] to provide certain content to you to content functioning properly in accordance with SCEA guidelines."

I'm interested in these two lines, middle of the paragraph: "Some content may be provided automatically without notice when you sign in," and "Such content may include automatic updates or upgrades which may change your current operating system, cause a loss of data or content or cause a loss of functionalities or utilities."

For better or worse, there's your answer to "Did Sony do anything without my consent?" Oh no they didn't.

So Is It a Rootkit?

Is what's described above a tool that allows illicit access to your hardware or software? Search on "rootkit" and you'll find that, like the term "hack," its definitions are fuzzy and occasionally conflicting. That said, I don't think what's described above fits the bill. Not if we're being charitable. A rootkit is more or less designed to take control of something without your consent or knowledge. According to Sony's terms of service, you acknowledge both (consent and knowledge) when you initially fire up a new PS3, and every time you install a system update thereafter.

But okay, let's say it's not a rootkit and leave the tortured semantics aside. Is all of what's described above legal? Bear in mind we're talking about a tool that allegedly sends information to Sony whether you sign into Sony's PlayStation Network or not. Microsoft employs similar monitoring tools in its Xbox 360, allowing it to ban consoles it deems in violation of its terms of service, but as I understand it, you have to log into its Xbox Live online service first.

Scandals and Exploits

You probably remember the Sony BMG rootkit scandal a few years back that made the word "rootkit" famous, prompting Sony's recall of software sold with the technology and eventual settlement of class action lawsuits. But those suits showed clearly how the technology could be exploited by worms or viruses and compromise private information or cause catastrophic damage to your computer system.

The PS3's a different animal. It's an entirely Sony creature. The sticking point isn't whether Sony has a right to keep tabs on the PS3's systemic integrity, but whether the company can legally compel the device to transmit information back to Sony HQ any time it's connected to the Internet without signing into the PlayStation Network. As far as I know, no one's challenged Sony on the latter.

Legal questions aside, is pulling information off personal technology ethical (forced consent or no)? Let's assume personal information's firewalled, and that what's pulled is strictly technical, akin to a cyclic redundancy check (CRC) that tells some watchdog program on the receiving end whether the device is in compliance. Let's also assume the company that owns the watchdog program intends to use it to block (or brick) devices that fall out of compliance.

What do you think? Ethical or no?
