An international cybersecurity expert has uncovered a vulnerability that allows a malicious software program to exploit an Electronic Pool Game (EPG) software flaw to steal data from the PlayStation 4.
Erik Osterholm of the security firm Arbor Networks told the Associated Press news agency that his research found a vulnerability called a “remote code execution vulnerability” that allows an attacker to remotely execute code on a PS4 that then executes code on another device.
“The exploit is very small,” Osterholm said, “but it does have significant security implications.”
The vulnerability, which was discovered by Osterhovs research team in March, has been publicly disclosed by the Electronic Entertainment Software Association (EEA) in response to a complaint from Sony.
The exploit “allows remote code execution by exploiting a vulnerability which allows a program to be executed remotely, regardless of the context,” the EEA said.
“This means that an attacker could take control of an affected PS4 remotely, modify it, and then remotely execute malicious code.”
The EEA warned that the exploit could allow remote code to run on the system even if the PS4 was not connected to a network, allowing attackers to “take control of the affected system and use it to execute code that exploits the vulnerability.”
“In some cases, the exploit allows an administrator to modify or even take control over a PSN account that may have previously been compromised by an attacker,” the EA added.
The vulnerability is only found on the PS3 version of the game, which has been patched with the latest version of security updates for the system, and has been identified by Oesterholm’s research team.
The bug has been present since the release of the PS2 version of EPG, which also released with the new PS4.
The vulnerability has been reported in more than 10,000 games since the original PS2 release, and Osterheim said that the number of vulnerabilities discovered had doubled since that time.
“A total of 9,828 vulnerabilities have been disclosed by us to date,” he said.
“This means the number has quadrupled since we released our patch for the PS1 version in 2014.”
While Ostersson said that a patch for EPG would be available within a week, he also noted that the patch would be “quite expensive” given the security requirements for the software.
“We have to have a good security strategy, which means we need to have some sort of security strategy for the devices,” he told the AP.
“The cost for a patch like this is very, very high.
The cost of that patch would exceed $100 million, which is almost $1 billion dollars.”
The Electronic Entertainment Entertainment Software (EES) Association, which represents game developers, said that it was working with Sony on a fix for the vulnerability.
“Sony has confirmed that it has a fix that is ready for the PlayStation 3, and is working with EES to deploy it in the PlayStation Home and PlayStation Network for PlayStation 4,” EES CEO Rob Pardo said in a statement.
“We are pleased that the PSN, the PlayStation Network, and the PlayStation Store have been updated to include a patch to address the vulnerability as soon as possible.”
Sony’s decision to fix the vulnerability was not the only security flaw found to be a result of the bug.
The Electronic Entertainment Network Association also reported the discovery of another vulnerability that could allow a malicious program to run code on the device.
A Microsoft spokesperson told the Wall Street Journal that it did not have any information about the discovery.
“Microsoft has worked with Sony and EES on an update to address these vulnerabilities, and Microsoft has released a patch that is currently available for the Xbox 360, PlayStation 3 and PlayStation 4, and for the Windows PC,” the spokesperson said.