Sony’s firmware update process is a Rube-Goldberg thing, the worst approach on the market today. But Sony seems intent on adding maximum offensiveness to the process, by requiring personal information on top of the obnoxious procedure.
But it’s worse than being a hassle and an intrusive/obnoxious data-gathering process: it is essentially a “root kit” update process*—not just the most cumbersome approach on the market, but a significant potential security risk, the existence proof being actual past events at Sony**.
Why isn’t it illegal to require personal information just for a firmware update, particularly date of birth?
UPDATE: hidden way down on the Sony update page is an option to get the firmware update without creating an account—I deem this willful obfuscation—separating it substantially from the account setup/login stuff is not accident—and that’s on Sony, not users who are not likely to see the alternative.
* A “root kit” is any hack or software that gives administrative access to the computer. Sony’s updater demands the administrator password in order to update the camera (I don’t think it requires a kernel extension any more, but I have not checked for awhile). While that’s true when installing any software requires an administrator password, in this case the alternative is to not require software at all for updating. And bypassing the Apple App Store (for Mac users) also forgoes the Apple approval process, which imperfect at least offers some chance of detecting inadvertant malware.
** Sony Pictures was compromised by hackers back in 2014. That sort of thing happens all the time to many companies, and a lot of it goes unreported. Companies like Sony are juicy plums for hackers. We are supposed to needlessly be required trust Sony application developers in such a context? And for Mac uses, an app that bypasss the Apple App Store?
Roy P writes:
I think Sony has THE WORST methodology for firmware upgrades I have ever seen. Since my first Sony NEX-5 in 2010, then through my NEX-5N, NEX-7, A7R, A7M2, A7RM2, A74M3, A7RM4, A9, A9M2, A7SM3 and now the A1, for over 11 years, every Sony camera firmware update has been a pain in the ass.
Why can’t Sony do the easy thing that everyone else in the business does? It is VERY simple:
- Just create a firmware file. If Sony is afraid the competitors will reverse engineer the firmware, then just encrypt the file.
- User copies the file to a blank, freshly formatted disk, and inserts into the camera with a battery with at least 50% power.
- Just provide one more menu item in Setup, #13, that says “Firmware update”.User selects this option.
- Camera then puts out a message like “Don’t turn off the camera. When the firmware is updated, camera will automatically shut off”, and puts some display like an hour glass or a slider bar that shows the progress of the update. When it reaches 100%, camera puts out a message saying “Update successful”, shows the new version number for a few seconds, then shuts off.
- If there is any error or problem, then notify the customer (e.g., error reading memory card, firmware corrupt, etc.), and give further instructions.
Instead of this, what Sony does now is insane. I have to download an installer, which will then download the actual firmware, and I must run the installer, but not start the camera until I am asked to do so, but the camera never properly connects to the USB port on my Mac, so the installer can’t tell if my camera is connected, so I have to borrow somebody’s Windows computer to install the update.
This has been a nightmare for years, and it is also not appropriate for Sony to connect to peoples’ computers. It is just not good business practice.
[DIGLLOYD: far worse than requiring a computer, it demands administrator/root access, which is outrageous]
I was hoping with the A1, Sony might have improved its firmware update, but I now find out that it has become even worse! Now I am required to register, create an account, give my name and date of birth, etc. to even just download the installer.
To create an account, I need to take a stupid quiz to identify all squares that have traffic lights in them. Then after all that, once I create the account, I cannot log in with that, because the Sony site says my password is incorrect, so I need to reset my password.
When I request a password reset, I get an email asking for my date of birth. When I tell it the date of birth I used to create my account, it tells me the date of birth is not correct.
What is Sony trying to do? I don’t trust a flaky IT system like this with my real name or real date of birth. Anyone with any awareness will use a fake ID, as I did. I used a fake name like Jo Bai Dung, and I gave India’s independence day as my birthdate. Sony gets nothing out of collecting garbage information like this.
Also, what is Sony afraid of? Nobody who is not a Sony A1 customer is going to download a firmware for the A1. What are they going to do with it?
All this complexity is insane! Sony needs to simplify things, not complicate it.
I have spent a fortune on Sony cameras and lenses, with most GM lenses from the 12-24mm f/2.8 all the way to 600mm f/4. I should not have to go through so much hassle to update firmware for my equipment.
Please forward this email to the right person inside Sony, so this problem can be solved.
In the meantime, how do I get my A1 updated? Can I send my A1 to Sony and have someone there install the firmware for me?
DIGLLOYD: spot-on. This revolting firmware update mess has persisted for years now. And why can’t the camera, since it has networking, connect directly to the internet and grab the firmware update directly without even needed a computer to download it?
It ought to be illegal to ask for date of birth except when it has material relevance—neer the case for a software update. Always use a fake DoB except where it is a legal or medical requirement.
I have now decided due to this inappropriate FW protocol I WILL NOT purchase another Sony camera of which the A1 and the next RX1R Markxx were on my “to buy list” and will now remove my name on all A1 lists. I am not a highly software literate person, but certainly understand those vulnerabilities to sensitive information on my devices thanks to your post. Only when you report that Sony has corrected this procedure will I even consider another Sony camera-best Eye AF or not.
DIGLLOYD: maybe this is a little too extreme view in practical terms? To be fair to Sony, most all software requires an administrator password.The issue here is that the user should never have to download or install any software. I think the updater might have eliminated the kernel extension problem with prior Sony updaters, but I haven’t checked in a while and I’m not sure.
The whole point is there is no legitimate reason to use a software updater. It’s just bad engineering and customer unfriendly nonsense.
I perform the firmware update on an older computer booted off a temporary external drive. That's no guarantee, but it offers some hope.
The risk I speak of is nil until it becomes a 100% risk, that is, when and if Sony’s software development is compromised. That might never happen but there is no guarantee.
My recommendation is to delay all camera firmware updates a month or so (all brands), so that if something awry, either with the update software or the firmware itself, then you have abuffer period for warning.
David C writes:
Would like to correct the reader comment about Sony requiring personal information for downloading firmware updates, this emphatically false as the option to download without registering is available on the bottom of the download page. I’ve included a screenshot. I will say its disingenuous of Sony to include this link in the bottom of the page where the options to sign in or create an account are prominently the first things you see on download page, but to report without knowing all the facts isn’t good look considering how in-depth you get on subject matters.
The firmware update process is strange on Sony for sure, but its not that much different for most photo gear manufactures. Just recently I updated my profoto lights and had to do a juggling act of holding buttons while connecting power cable and usb cable. For another reader to go apeshit and not purchasing a camera because of the firmware process when the info presented is not entirely true is pretty over-reacting, especially when updating camera firmware are pretty rare and far in-between.
DIGLLOYD: a design which de facto hides the alternative is no accident. That’s on Sony, and it might as well not be there for many users. I’ve added a note for that alternative up top, but it’s not on me or any user to dig through a deceptive presentation.
Computer security is the #1 computer problem of our time (worked in that field for several years). To design-in security risks is incompetent engineering, and I don’t judge quality by the least common denominator, but by best practices. Bottom line here is that this entire enervating discussion need not exist if Sony would just follow best practices!