This fault injection attack on AMD CPUs Could be super relevant for a PS5 hack
Security researchers Robert Buhren and Jean Pierre Seifert have published a hardware attack against AMD’s Secure Processor, the coprocessor in charge of handling a secure boot on the AMD Zen series. The PS5 is using a Custom Zen 2 CPU, which could be impacted by the vulnerability.
The hack, they say, “allows an attacker to execute custom payloads on the AMD-SPs of all microarchitectures that support SEV currently on the market (Zen 1, Zen 2, and Zen 3)“.
The white paper from the researchers was published about a month ago, with sample code provided on github 2 weeks ago, and a live presentation scheduled for November this year. (links below)
Glitching the AMD Secure Processor
The Security researchers provide the following summary of their attack:
The AMD Secure Processor (AMD-SP, formerly known as PSP) is susceptible to voltage fault injection attacks. Using our fault injection attack, we are able to execute custom code on secure processors embedded in Ryzen and Epyc CPUs of the AMD Zen series (Zen1, Zen2 and Zen3). In our paper we show how this affects the security guarantees of AMD’s Secure Encrypted Virtualization technology (SEV). Furthermore, we show how an attacker can mount attacks against SEV protected virtual machines without physical access to the target host by leveraging previously extracted endorsement keys (CEK/VCEK).
The document and data focus mostly on SEV (Secure Encrypted virtualization) to showcase that once hacked, the processor cannot be trusted to host a secure Virtual Machine (e.g. for usages in the cloud). However, since the attack directly targets the Secure Processor, there are non negligible chances that this glitch could be used on the PS5, whether it uses a VM or not.
The white paper and the code sample already provide a lot of information that should be enough for security researchers to look specifically into attacking the PS5. Additionally, the folks behind this attack will be presenting the glitch in November at the 28th ACM Conference on Computer and Communications Security (CCS’21) in Seoul.
Links and relevant Data for the AMD-SP glitch
What’s next for the PS5?
It’s of course unclear at this point if this attack could be used on the PS5. But there’s no doubt that someone, somewhere, is already looking into it to see if any kind of information could be extracted from the PS5’s AMD Zen 2 CPU. The white paper provides enough details that someone with the right set of skills could get started already.
Hardware vulnerabilities are the holy grail of the hacking scene, since they cannot easily be patched. Full control of the PS5 boot sequence could mean a lot of good things for the PS5 scene, but of course only time will tell us if this is useful.
FIRSSSST!!!
How are you this fast dude?
wololo.net/feed probably
Pointless
Good job dude
First !!!
You aren’t lmao.
Yeah, ok, but today we don’t have any Custom Firmware for PS4 and xBox One..
because you dont need it especially on an abox one you can already run 3rd party windows programs on a xb1 out of box
The reasoning behind there not being ps4 CFW is most certainly not because “we don’t need it”. As soon as its possible it will be released because not everyone like you wants to run an exploit every time they boot up their ps4 or keep it permanently in sleep mode 😉
These types of attacks potentially leaves the chips firmware venerable, which in turn can be exploited. Anybody interested in the non pre-school explanation of these exploits should check out the white paper called “Shaping the Glitch:
Optimizing Voltage Fault Injection Attacks”
1st this may or may not lead to a JB.
2nd don’t expect a custom firmware to ever come out of this those days like the PS3 and the PS Vita are long gone Sony now has a lot more mitigations in place to prevent that it’s the same reason why there is no custom firmware on the PS4.
3rd if a this does allow a JB it’s likely going to need a chip and some soldering like the RGH on the Xbox360 likely need to have HEN injected during device bootup.
This. I have hacked 3ds, vita ,switch, ps3, ps4, wiiu, and gave up hacking the ps5 and actually pay for my games now. Reason being the bounty one program and how the ps4 was never hacked fully. Also improved Sony security. I may be wrong but i am not waiting who knows how long for something that may or may not happen.