Expert warns Sony’s firmware updater poses major security risk
Sony shooters, if you use a Mac, there’s a rather concerning issue regarding the Sony firmware update application. First highlighted by software expert Lloyd Chambers back in October 2017, Sony’s updater essentially forces you to give it root access to your system. This could potentially pose your entire system and data it contains at risk.
I’m not 100% sure on how big a deal this one is yet. From a security standpoint, it’s absolutely huge. But from a more real-world impact perspective, it possibly isn’t going to be a huge issue. In theory, root access means the software could do anything it likes to your computer. Install keyloggers or malware, for example. Not that Sony would do that, but who’s to say that somebody won’t compromise their software?
Nikon, Canon, Sigma and many other camera manufacturers allow in-camera firmware. You can update it just fine without the need to even connect it to a computer. Just stick the firmware update on a memory card, slot it into the camera, and sift through menus. Sony do not, only allowing you to update the firmware through use of the desktop software.
But Apple has been tightening up the security in MacOS. And Sony even stated late last year that the latest security updates in macOS 10.13 High Sierra may cause the firmware updater to not work.
Rather than confining themselves to the new Apple security restrictions, however, Sony responded by releasing a tutorial on bypassing them. A method which essentiallys give the software complete administrator access to your system.
Chambers told PetaPixel, that right now, the user must assume that Sony’s software is free of malware. And, I think that it probably is (although I wouldn’t take my word for it). The software is “signed”, although that only guarantees that it was signed by Sony. Somebody could potentially inject malware code into the software before Sony sign off on the final thing.
If Sony software is ever compromised (including at the source code level!), that malware would have unfettered root/kernel access to the system until the system were wiped out (assuming such an infection did not overwrite firmware in various places, in that case the machine becomes dumpster material).
He goes on to say that given the Sony Pictures hack in 2014, no user should ever trust what is essentially a “rootkit” firmware updater. Also, given the PlayStation Network hack a couple of years before that, Sony doesn’t really have a great track record for keeping people out of their systems. And given that they don’t even seem to care about the security restrictions Apple have put into the OS itself, that they instruct you to workaround, they don’t care about keeping your systems safe, either.
The ONLY acceptable solution is an in-camera firmware updater. Even that is not risk free (the download process), but it does not directly expose the computer at the kernel level, or even admin level.
Personally, I had no idea that Sony didn’t allow you to update the firmware through SD. The manufacturer of just about every other camera system I’ve used over the past decade or so allows this. Nikon, Canon, Sigma, Panasonic, even the little YI M1 mirrorless lets you update from SD.
If you do have to update your Sony camera firmware, Chambers suggests installing the update using a temporary Virtual Machine and then deleting it afterwards.
John Aldred is a photographer with over 20 years of experience in the portrait and commercial worlds. He is based in Scotland and has been an early adopter – and occasional beta tester – of almost every digital imaging technology in that time. As well as his creative visual work, John uses 3D printing, electronics and programming to create his own photography and filmmaking tools and consults for a number of brands across the industry.