Sony Firmware Updater: a Security Risk

2014-11-11 • SEND FEEDBACK |
Related: Apple, Apple macOS, Eastern Sierra, peak bagging, security, Sony, Sony A7R, Sony A7R II, Sony A7R III, Sony mirrorless, Yosemite

A kernel extension (kext) is as nasty as it gets for system compromise, since a kext has unfettered access to everything. Seems like the perfect vector for a 'root kit'.

Yet Sony foists an firmware updater app on users whose signature is invalid (see log below). Running as 'root' and using a kernel extension is as ugly as it gets and for updating camera firmware?

Nikon and Canon do it right for their DSLRs: copy a firmware file to a card, have the camera update. Job done, no security risk to the computer. Shame on Sony. These days, hackers come at all angles. It is very poor design judgment to require root level access to update things like camera firmware.

BTW, the Sony firmware updater doesn’t work on OS X Yosemite. At first I missed this note at the bottom of the Sony firmware updater page. Why is something “IMPORTANT” placed last, where it can scroll off the screen and never be seen (I did not see it).

IMPORTANT: This update is not compatible with Mac OS® X 10.10. Please use Mac OS X 10.9 or lower to install this update

The suggestion is rather amazing: anyone who has updated to 10.10 is not likely to have a 10.9 bootable system any more. I do have it on a spare computer, so I suppose there is a workaround for me, but this does not change the risk of a kernel extension. It is a valid consideration in terms of what gear to buy to contemplate that a month after OS X Yosemite appeared, Sony users on Yosemite still have no working updater for their cameras.

While Nikon’s apps are badly written and also have problems, at least potential system compromise is not needed to update firmware with Nikon DSLRs.

drwxr-xr-x@ 3 root   wheel     102 Nov 11 12:58 SONYDeviceType01.kext
22014-11-11 12:58:27.149 authexec[87813]: executing /Volumes/Update_ILCE7RV110/FirmwareUpdater.app/Contents/Resources/FirmwareUpdaterTool
2014-11-11 12:58:27.166 sudo[87814]:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/Volumes/Update_ILCE7RV110/FirmwareUpdater.app/Contents/Resources/install.sh /Volumes/Update_ILCE7RV110/FirmwareUpdater.app/Contents/Resources i386
2014-11-11 12:58:27.175 sudo[87816]:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp -r /Volumes/Update_ILCE7RV110/FirmwareUpdater.app/Contents/Resources/x86/SONYDeviceType01.kext /tmp/SONYDeviceType01.kext
2014-11-11 12:58:27.186 sudo[87818]:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/chown root:wheel /tmp/SONYDeviceType01.kext
2014-11-11 12:58:27.196 sudo[87820]:     root : TTY=unknown ; PWD=/private/tmp/SONYDeviceType01.kext ; USER=root ; COMMAND=/usr/sbin/chown root:wheel Contents
2014-11-11 12:58:27.205 sudo[87822]:     root : TTY=unknown ; PWD=/private/tmp/SONYDeviceType01.kext/Contents ; USER=root ; COMMAND=/usr/sbin/chown root:wheel Resources
2014-11-11 12:58:27.214 sudo[87824]:     root : TTY=unknown ; PWD=/private/tmp/SONYDeviceType01.kext/Contents/Resources/English.lproj ; USER=root ; COMMAND=/usr/sbin/chown root:wheel InfoPlist.strings
2014-11-11 12:58:27.222 sudo[87826]:     root : TTY=unknown ; PWD=/private/tmp/SONYDeviceType01.kext/Contents/Resources ; USER=root ; COMMAND=/usr/sbin/chown root:wheel English.lproj
2014-11-11 12:58:27.231 sudo[87828]:     root : TTY=unknown ; PWD=/private/tmp/SONYDeviceType01.kext/Contents ; USER=root ; COMMAND=/usr/sbin/chown root:wheel MacOS
2014-11-11 12:58:27.240 sudo[87830]:     root : TTY=unknown ; PWD=/private/tmp/SONYDeviceType01.kext/Contents/MacOS ; USER=root ; COMMAND=/usr/sbin/chown root:wheel SONYDeviceType01
2014-11-11 12:58:27.248 sudo[87832]:     root : TTY=unknown ; PWD=/private/tmp/SONYDeviceType01.kext/Contents/MacOS ; USER=root ; COMMAND=/bin/chmod a+x SONYDeviceType01
2014-11-11 12:58:27.257 sudo[87834]:     root : TTY=unknown ; PWD=/private/tmp/SONYDeviceType01.kext/Contents ; USER=root ; COMMAND=/usr/sbin/chown root:wheel Info.plist
2014-11-11 12:58:27.265 sudo[87836]:     root : TTY=unknown ; PWD=/private/tmp ; USER=root ; COMMAND=/bin/chmod 755 /tmp/SONYDeviceType01.kext
2014-11-11 12:58:27.273 sudo[87838]:     root : TTY=unknown ; PWD=/private/tmp ; USER=root ; COMMAND=/bin/chmod 755 /tmp/SONYDeviceType01.kext/Contents/Info.plist /tmp/SONYDeviceType01.kext/Contents/MacOS /tmp/SONYDeviceType01.kext/Contents/Resources
2014-11-11 12:58:27.281 sudo[87840]:     root : TTY=unknown ; PWD=/private/tmp ; USER=root ; COMMAND=/bin/chmod 755 /tmp/SONYDeviceType01.kext/Contents/MacOS/SONYDeviceType01
2014-11-11 12:58:27.289 sudo[87842]:     root : TTY=unknown ; PWD=/private/tmp ; USER=root ; COMMAND=/bin/chmod 755 /tmp/SONYDeviceType01.kext/Contents/Resources/English.lproj
2014-11-11 12:58:27.296 sudo[87844]:     root : TTY=unknown ; PWD=/private/tmp ; USER=root ; COMMAND=/bin/chmod 755 /tmp/SONYDeviceType01.kext/Contents/Resources/English.lproj/InfoPlist.strings
2014-11-11 12:58:27.303 sudo[87846]:     root : TTY=unknown ; PWD=/private/tmp ; USER=root ; COMMAND=/sbin/kextload /tmp/SONYDeviceType01.kext
2014-11-11 12:58:27.569 com.apple.kextd[20]: ERROR: invalid signature for com.sony.driver.dsccamFirmwareUpdaterType00, will not load    

Sony has a worrisome history

I wrote “root kit” because of what it seemed to me to emulate, forgetting about what reader Jim F reminds me of:

Their previous uncouth behavior. Oh and illegal too.

Quoting from Wikipedia:

The Sony BMG CD copy protection rootkit scandal of 2005–2007 concerns deceptive, illegal, and potentially harmful copy protection measures implemented by Sony BMG on about 22 million CDs. When inserted into a computer, the CDs installed one of two pieces of software which provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Both programs could not be easily uninstalled, and they created vulnerabilities that were exploited by unrelated malware. Sony claims this was unintentional. One of the programs installed even if the user refused its EULA, and it "phoned home" with reports on the user's private listening habits; the other was not mentioned in the EULA at all, contained code from several pieces of open-source software in an apparent infringement of copyright, and configured the operating system to hide the software's existence, leading to both programs being classified as rootkits.

Sony BMG initially denied that the rootkits were harmful. It then released, for one of the programs, an "uninstaller" that only un-hid the program, installed additional software which could not be easily removed, collected an email address from the user, and introduced further security vulnerabilities.

Following public outcry, government investigations, and class-action lawsuits in 2005 and 2006, Sony BMG partially addressed the scandal with consumer settlements, a recall of about 10% of the affected CDs, and the suspension of CD copy protection efforts in early 2007.

No one can implement a root kit like this by accident (“unintentional”). To offer that as justification is not credible and worse. Has such thinking at Sony been extirpated?

In this context, do you want to install and run the Sony updater, which contains a kernel extension ('kext')? A kernel extension has unfettered access to the system. Who is to say it doesn’t introduce vulnerabilities that malware could attack? How does one know that it does not do other things? This is the kind of consumer software that intelligence agencies must adore. As per the Sony licensing agreement:

THE PROGRAM AND ACCOMPANYING ONLINE DOCUMENTATION ARE FURNISHED TO YOU FOR USE AT YOUR OWN RISK

Indeed, at your own risk.