PS4/PS5 security: Fail0verflow disclose PSVR hack, dump all hardware secrets of the device
Hacking team Fail0verflow disclosed yesterday a series of vulnerabilities in the PSVR (PlayStation VR) headset. The PSVR is a potential entry point for hacking the PS4 or the PS5, which is why the team took an interest in it in the first place. Their work led them to dump all of the device's hardware secret keys and to crack the PSVR's authentication mechanism.
PSVR Hack: What vulnerabilities were found?
Most notably, some functions accessed through the PCIe interface allowed them to decrypt the firmware image and copy it into readable memory. This gave them access to all of the PSVR's keys, which were stored in the dumped Trusted Applications.
Furthermore, the team managed to dump the actual hardware secrets through vulnerabilities in FIGO (the secure coprocessor of the Marvell 88DE3214 SoC).
You can read the full writeup for details.
PSVR Hack: what are the implications for the PS4/PS5?
Fail0verflow state that they ultimately did not use the PSVR authentication mechanism as an entry point to hack the PS5 or the PS4 further (it is worth reminding everyone that they did successfully hack the PS5; what they are saying here is that this PSVR research is not what led to the PS5 hack).
The scene could now technically use any programmable device to act as a PSVR headset for these two consoles, then dig to see whether this gives them access to more "trusted" information within the consoles, or to an entry point for further privilege escalation exploits. Whether this is currently useful is up for debate, considering there is a working WebKit exploit on the PS5 up to certain firmwares.