PS4/PS5 security: hacker TheFloW gets another $10’000 bounty from PlayStation. Why we think it matters
A few days ago, PlayStation’s account on HackerOne displayed a new awarded bounty, once again to hacker extraordinaire TheFloW, and once again for one of the top amounts in that bounty program: $10’000. The news is doing the rounds on hacking scene websites.
It’s the second bounty awarded to TheFloW by PlayStation in less than 2 weeks, and for an amount that points to a critical security flaw in either the PS4, the PS5, or both. Two weeks ago, the hacker had been awarded $20’000 for another vulnerability disclosure.
PlayStation’s bounty program on HackerOne – a blessing in disguise for the hacking scene?
In total, more than $250’000 have been awarded through this bounty program since its launch about 2 years ago (that’s not counting some of the reports which might have undisclosed amounts), with a significant share of that ($60’000 so far) awarded to TheFloW.
This kind of information matters, because these security vulnerabilities have in the past been used to release Jailbreaks for the PS4. TheFloW in particular has, in the past, released technical writeups on Jailbreaks with Sony’s approval. It’s worth mentioning that multiple hackers have called out that PlayStation are playing reasonably nice here, allowing hackers to disclose their findings in some cases. Other times, however, the hacks have not been disclosed. Under the bounty program, it’s up to PlayStation and the hacker to reach an agreement on that aspect.
In the past, this has worked well for PlayStation and for the scene: PlayStation update their console firmwares with a patch, while people who chose to stay on a lower firmware (and forfeit access to the latest features and online services) would eventually get a Jailbreak.
Recently though, we can’t help but wonder if that “gentlemen’s agreement” has been on a hiatus. One of TheFloW’s recent vulnerabilities led to the 9.00 Jailbreak, but that was through indirect means: TheFloW wasn’t allowed to (or chose not to) disclose the vulnerability through the program, but instead other hackers found the vulnerability separately through a diff of the firmwares.
Similarly, recent bounties on PlayStation, by TheFloW in particular, but also folks like cturt, haven’t led to any particular Jailbreak release.
With the PS4 9.00 Jailbreak still fresh, hackers might be thinking now’s not the right time to release those. Or maybe Sony have decided it’s not in their interest to let hackers disclose these vulnerabilities once they’ve gone through the bounty program.
The security world puts a lot of value in disclosing vulnerability issues (after they’ve been patched by the vendor), in the interest of transparency for customers, as well as to help other software/firmware vendors who might have similar security holes. With that being said, the world of gaming consoles is a bit more constrained, and it might be difficult to justify disclosing a vulnerability if it only really impacts e.g. the PS4 (as opposed to, say, a FreeBSD vulnerability, which would impact the PS4 but other systems as well).
Another impact of Sony not allowing disclosure of the vulnerabilities could be that some hackers will decide not to go through that channel again for future reports. Believe it or not, $10’000 for a vulnerability that lets one get full control of an entire family of computer systems is not a lot of money (Zero Day exploits on iOS or Windows can sell from $80’000 to several millions). A lot of PlayStation hackers go through the HackerOne program because it’s the “right” thing to do, and PlayStation have shown they can play nice with the scene. If that changes too drastically, some hackers could decide it’s not in their best interest anymore to go that route.
Hack bounties and Firmware updates. Could PS4 9.51 and PS5 5.02 have patched something critical?
Setting aside the reasons for a lack of Jailbreak release through the HackerOne PlayStation bounty program recently, this new bounty matters, a lot.
We’re seeing some activity here on HackerOne, but we’ve also seen a firmware update on both PS5 and PS4 recently, which might, or might not, be related. Scene veteran Zecoxao states that firmware 9.51 on the PS4 only changes Webkit, which would indicate at best a minor security patch, and probably not something correlated to TheFloW’s recent bounties.
seems that 9.51 only has changes in webkit 🙁
— Control_eXecute (@notzecoxao) April 16, 2022
Still, with TheFloW and Fail0verflow having both confirmed they have PS5 kernel exploits, and other hackers such as ZNullPtr stating they are getting closer as well, it looks like it could be only a matter of time before the PS5 gets its first Jailbreak.