DIY Photography

Expert warns Sony’s firmware updater poses major security risk

Feb 2, 2018 by John Aldred

Sony shooters, if you use a Mac, there’s a rather concerning issue regarding the Sony firmware update application. First highlighted by software expert Lloyd Chambers back in October 2017, Sony’s updater essentially forces you to give it root access to your system. This could potentially put your entire system and the data it contains at risk.

I’m not 100% sure on how big a deal this one is yet. From a security standpoint, it’s absolutely huge. But from a more real-world impact perspective, it possibly isn’t going to be a huge issue. In theory, root access means the software could do anything it likes to your computer. Install keyloggers or malware, for example. Not that Sony would do that, but who’s to say that somebody won’t compromise their software?

Nikon, Canon, Sigma and many other camera manufacturers allow in-camera firmware updates. You can update the firmware just fine without even connecting the camera to a computer. Just stick the firmware update on a memory card, slot it into the camera, and sift through menus. Sony do not, only allowing you to update the firmware through the desktop software.

But Apple has been tightening up the security in macOS. And Sony even stated late last year that the latest security updates in macOS 10.13 High Sierra may cause the firmware updater to not work.

Rather than confining themselves to the new Apple security restrictions, however, Sony responded by releasing a tutorial on bypassing them. A method which essentially gives the software complete administrator access to your system.

Chambers told PetaPixel that right now, the user must assume that Sony’s software is free of malware. And, I think that it probably is (although I wouldn’t take my word for it). The software is “signed”, although that only guarantees that it was signed by Sony. Somebody could potentially inject malware code into the software before Sony sign off on the final thing.

If Sony software is ever compromised (including at the source code level!), that malware would have unfettered root/kernel access to the system until the system were wiped out (assuming such an infection did not overwrite firmware in various places, in that case the machine becomes dumpster material).

He goes on to say that given the Sony Pictures hack in 2014, no user should ever trust what is essentially a “rootkit” firmware updater. Also, given the PlayStation Network hack a couple of years before that, Sony doesn’t really have a great track record for keeping people out of their systems. And given that they don’t even seem to care about the security restrictions Apple have put into the OS itself, which they instruct you to work around, they don’t care about keeping your systems safe, either.

The ONLY acceptable solution is an in-camera firmware updater. Even that is not risk free (the download process), but it does not directly expose the computer at the kernel level, or even admin level.

Personally, I had no idea that Sony didn’t allow you to update the firmware through SD. The manufacturer of just about every other camera system I’ve used over the past decade or so allows this. Nikon, Canon, Sigma, Panasonic, even the little YI M1 mirrorless lets you update from SD.

If you do have to update your Sony camera firmware, Chambers suggests installing the update using a temporary Virtual Machine and then deleting it afterwards.

[via PetaPixel]


Filed Under: news Tagged With: firmware, hackers, sony


About John Aldred

John Aldred is a photographer with over 20 years of experience in the portrait and commercial worlds. He is based in Scotland and has been an early adopter - and occasional beta tester - of almost every digital imaging technology in that time. As well as his creative visual work, John uses 3D printing, electronics and programming to create his own photography and filmmaking tools and consults for a number of brands across the industry.
