EDITOR’S NOTE: I initially wrote this article in late 2021 as Editor for my school’s newspaper. This is a revised timeline and story of the PSN hack that took place some time ago. You can read the original article here.
In early April of 2011, the hacktivist group Anonymous brought down Sony’s PlayStation Network with a targeted distributed denial-of-service (DDoS) attack. Anonymous had warned Sony of retaliation after Sony took legal action against George Hotz, known as “GeoHot,” and Alexander Igorrenknov, known as “Graf_Chokolo.” According to Anonymous, Sony had now “received the undivided attention of Anonymous.” Their statement further reads, “Your recent legal action against our fellow hackers, GeoHot and Graf_Chokolo, has not only alarmed us but has also been deemed wholly unforgivable. You have now abused the judicial system in an attempt to censor information on how your products work. You have victimized your own customers merely for possessing and sharing information and continue to target every person who seeks this information. In doing so you have violated the privacy of thousands. This is the information they were willing to teach to the world for free. The very same information you wish to suppress for sake of corporate greed and complete control of the users. Now you will experience the wrath of Anonymous. — You must face the consequences of your actions, Anonymous style. Knowledge is Free.” This article covers the timeline of what took place and what led up to the PSN outage.
OtherOS.
In 2009, GeoHot announced on his blog that he was interested in hacking the PlayStation 3. His approach was to use OtherOS, which allowed users to run Linux on the console. Running Linux had also been possible on the PlayStation 2, so Sony was no stranger to letting users run Linux on its hardware. There, however, it was optional and required a hard drive, mouse, keyboard, and a Linux installation disk. OtherOS on the PlayStation 3, in contrast, was presented as a feature. GeoHot found a method to bypass the security hypervisor and published his findings on his page. His findings caught the attention of Sony, which in March of 2010 released an update for the PlayStation 3 that completely removed OtherOS and shut out anyone who wanted to continue GeoHot’s previous work. In July 2010, GeoHot announced that he was retiring from the PS3 hacking scene, saying “It was a cool ride, and I learned a lot. Maybe I’ll do in the next few years, a formal goodbye.” However, Sony couldn’t breathe a sigh of relief for long. Later that year, FailOverflow, a hardware hacking group motivated by the removal of OtherOS, found a way to obtain the private key for the PlayStation 3 without having to make any hardware modifications to the console. At that point, the key itself wasn’t enough to execute unsigned code, but it could be used to run software that could. GeoHot, who had previously stepped away from the PlayStation community, combined his findings with FailOverflow’s discovery and created a package to run unsigned code on the PlayStation 3’s hardware.
Court Orders & #opSony.
GeoHot posted his method, along with his files, around early 2011. Around the same time, Graf_Chokolo released a custom firmware that reinstated OtherOS on the PS3, allowing previous owners to run Linux once again. In January 2011, Sony filed for a court order against GeoHot and FailOverflow, alleging violations of the DMCA and computer fraud. Later, Graf_Chokolo’s house was raided by law enforcement, and he was placed under arrest facing numerous charges. The hacktivist group Anonymous responded to Sony later that year over the court orders and arrests. Anonymous carried out cyberattacks against Sony’s servers for three days. The disruption was known as “#opSony.” Operation Sony’s objective was to do whatever it could to undermine Sony’s operations. Anonymous would later stop its attack, realizing that it was harming consumers rather than Sony, and decided to stand down. “Anonymous is not attacking the PSN at this time,” the group stated. “We have realized that targeting the PSN is not a good idea. We have therefore temporarily suspended our action until a method is found that will not severely impact Sony customers. Anonymous is on your side, standing up for your rights.” Normal PSN service resumed after that.
However, on the morning of April 19th, PlayStation Network was down again. This time Anonymous wasn’t responsible for the shutdown: Sony itself had taken the PSN servers offline. Sony warned its customers that there could be a full day or more of downtime. The next day, Sony announced in a press release that there had been an “external intrusion” on its systems that affected both PlayStation Network and Qriocity services, and admitted that it had disabled PSN. From April 20th, PSN remained offline for another week, which caused outrage from customers who were not sure what was happening. Sony then emerged to announce what turned out to be a massive security breach that affected 77 million users.
Sony said in another statement, “Although we are still investigating the details of this incident, we believe that an unauthorized person obtained the following information that’s provided. Name, address, country, email address, birthdate, PlayStation Network password and login, and PSN Online ID. It’s also possible that your profile data, including your purchase history and billing address and your PlayStation Network Qriocity password security answers, may have also been obtained.” Sony would hire a security firm to investigate the breach, as well as perform updates to the service.
“What Next?”
Sony completed its security upgrade on the PSN servers and held a press conference in Japan to outline what it was doing to protect its customers. Sony executives apologized and offered their customers a welcome-back package, which consisted of two free games, 30 days of free PlayStation Plus, and a free year of identity theft protection. One day later, however, Sony executives apologized once more: Sony Online Entertainment had been breached, and more than 24 million users’ information had been stolen. “We are today advising you that the personal information you have provided us in connection with your S.O.E. account may have been stolen in a cyberattack.” Sony Online Entertainment was not directly linked with the PlayStation Network. Rather, its division was responsible for multiplayer online games. Sony Online Entertainment had services because of this breach. In June of 2011, hackers took down yet another Sony network, this time Sony Pictures. The hacking group LulzSec took responsibility, claiming “Every bit of data we took was not encrypted. Sony had stored one million passwords of its customers in plain text. Which means it’s just a matter of time taking it.” Sony denied the claims, but LulzSec later uploaded a 5MB file outlining how the hack was performed via a single, simple SQL injection.
Clarification on What Happened.
In September of 2011, the FBI announced that it had made arrests in the Sony Pictures attack. Two members of LulzSec were arrested and charged. Several news outlets reported that law enforcement had made arrests in the Sony hack, which many wrongly assumed meant the PlayStation Network hack. Many people are still unsure of the cause of the PlayStation Network hack. One popular theory discussed at the time was that a custom firmware known as “Rebug” could have been responsible. Rebug is a custom firmware for jailbroken PS3s that enables homebrew and piracy. It could also re-enable all the functionality that should only be available to debug versions of the PlayStation 3, including access to the internal Developer Network, which is used to test online functionality during a game’s development. This is very similar to the Xbox 360’s PartnerNet system. The Developer Network simulates a user purchasing a game through a placeholder credit card. This meant that hackers could steal and download pre-release betas, as well as pre-release titles. However, this exploit was later patched as part of the PSN downtime. But it was not responsible for the hack itself. At the time, Sony accused Anonymous, claiming that it had found files on its server named “Anonymous” and “We Are Legion.” But I have not been able to find any arrests made or reported.