Diglloyd says Sony’s Camera Firmware Updater is a Major Security Risk

Diglloyd (via Petapixel) exposed a major issue with the Mac camera update software:

While companies like Nikon and Canon use safe in-camera firmware update processes, Sony uses a desktop-based updater that requires “administrative root access” to function — when given these permissions to your computer, the software could theoretically do just about anything.

Approaches that in essence require operating system kernel access are incredibly badly designed given the security risk.

The current status of the Sony firmware updater is unacceptable because it requires the user to assume that Sony software is free of malware. That the software is signed only guarantees that something was signed by Sony, not that it is free of any infection (infection could have occurred prior to signing).

If Sony software is ever compromised (including at the source code level!), that malware would have unfettered root/kernel access to the system until the system were wiped out (assuming such an infection did not overwrite firmware in various places, in that case the machine becomes dumpster material).

Since Sony Pictures, with highly valuable intellectual property, was hacked a few years ago (taking the company down for weeks), no user should ever trust what could become a “root kit” firmware updater for hackers.

The ONLY acceptable solution is an in-camera firmware updater. Even that is not risk free (the download process), but it does not directly expose the computer at the kernel level, or even admin level.

That there is risk is self-evident in Sony’s need to bypass what Apple now considers core security prohibitions. Indeed, the Sony kernel extension cannot just be installed but requires explicit enabling by the user after installation, that is, on the new iMac Pro with its secure enclave and much more locked down boot security.

I doubt Sony will find a proper fix for this on current cameras. Sony has to completely rethink the way they do camera updates and this probably means that we may see a real solution on future models only.

We will add this to the long list of things Sony has to fix like:

– Star eater issue
– Doing regular firmware updates like Fuji
– Adding proper weather sealing on future cameras
– Improving the Sony service in some countries (I mean the normal service and not the PRO service which works fine)

Anything else?
