RE: Xbox (Was -Online Games Consoles and Security Implications)

From: Ken Pfeil (Ken@InfoSec101.org)
Date: 06/04/02


From: "Ken Pfeil" <Ken@InfoSec101.org>
To: <vuln-dev@securityfocus.com>, <John_Leitch@NAI.com>
Date: Tue, 4 Jun 2002 08:54:09 -0400

I know the XBox thread was killed recently, but this is good reading.

http://slashdot.org/article.pl?sid=02/06/01/1656228&mode=thread&tid=172

http://web.mit.edu/bunnie/www/proj/anatak/AIM-2002-008.pdf

June 3, 2002

MIT Grad Student Hacks Into Xbox Security System

By REUTERS

Filed at 4:40 p.m. ET

LOS ANGELES (Reuters) - A graduate student at the
Massachusetts Institute of Technology has found a way
to circumvent the security system for Microsoft Corp.'s
Xbox video game console, opening the way for hackers to
use it to run competing software, according to
documents released over the weekend.

The MIT computer expert, who posted his report on his
university Web site, also questioned the security
behind Microsoft's soon-to-launch online service, Xbox
Live, saying hackers could exploit a flaw in the system
to identify individual players from their game
machines.

Andrew Huang, who recently completed a PhD thesis on
supercomputer architecture, wrote a memo May 26
describing his efforts to build hardware that would
read the Xbox's internal security system. A link to the
15-page report was posted this weekend at technology
news and discussion Web site Slashdot.org
(http://www.slashdot.org).

Computer enthusiasts have been excited about the
possibility of using the $199 Xbox, which is
technologically similar to a PC, as a stand-alone
computer running operating systems like Linux.

Some see it as the ultimate slight against Microsoft --
using the software giant's own hardware to run software
that competes against its Windows operating system.

In the memo, Huang said the Xbox's primary security is
contained in what he calls a ``secret boot block'' that
is encoded into a media processor chip built for the
Xbox by Nvidia Corp.

Representatives of Microsoft and Nvidia were not
immediately available for comment. An MIT spokesman
told Reuters the university has not received any
request to take the paper down from its sites.

TAPPED SYSTEM HARDWARE

Huang said he had extracted the contents of the boot
block by tapping the data path that travels between the
media chip and the central processor. Via that data
path, Huang was able to capture the data transmitted
between the two chips and manually process it to
uncover the secrets contained in the ``boot block.''

He said it took a total of three weeks to build his
custom board for a total cost of around $50.

Given the particular encryption algorithm that was used
and the decryption key, both of which Huang has
identified, ``one can run original code on the Xbox,''
he said, meaning it would be possible to run things
like unauthorized games and other operating systems on
the console.

Huang also said he had discovered a vulnerability in
the console's programming that would allow the boot-up
sequence to be interrupted so that any code can be run
on the system.

In an e-mail to Reuters, Huang said he notified
Microsoft in advance he would be publishing the paper,
gave them a copy to read, and has been in regular
contact with the company. He also said he is not
working on any of the attempts to run Linux or other
systems on the Xbox.

``I know a lot of people are exploring the possibility
now, but I personally am not spearheading any effort
toward this end,'' he said.

Huang also said in the paper he has discovered keys to
the identity of the console owner that may, in theory,
be vulnerable through an online connection.

Huang said he separately discovered that the console's
serial number is stored in its memory, and that the
data might be readable by the central operating system.
``What happens to this information when the Xbox is
plugged into the Internet?'' he said.