
Is remote play for PS4 a hacker's dream?

RhyDin

Member
I'd like to see some proof about that.

XSplit is being a jerk right now, but here. It works on cloud saves, too. I didn't capture the deletion screen because there isn't one/no prompt given, it just sends you back to the games list.

ZuP8s1b.gif


But yeah, while Nintendo does give you the regular login via e-mail as an option, it's a step in the right direction. Again, this is by no means a way for them to steal all your stuff, but is another way for someone malicious to do evil if they have your credentials.
 

le.phat

Member
so is this a Public service announcement that i shouldn't give my login credentials ( of any service you log into ) to hackers ( anyone), lest i'm at risk of tampering with my account?

Wow, thanks for the insight OP!
 

RhyDin

Member
so is this a Public service announcement that i shouldn't give my login credentials ( of any service you log into ) to hackers ( anyone), lest i'm at risk of tampering with my account?

Wow, thanks for the insight OP!

No need to be rude.

It's a public service announcement that should your PSN credentials get stolen (not just limited to accounts with unauthorized charges where the user chooses to eat them in order to keep the account and not be banned), your friends list and saves can be deleted remotely.

As others have said, if you don't plan on using the remote feature, consider turning it off. Also a warning to keep your passwords up to date and consider using a password manager.
 

Melchiah

Member
XSplit is being a jerk right now, but here. It works on cloud saves, too. I didn't capture the deletion screen because there isn't one/no prompt given, it just sends you back to the games list.

ZuP8s1b.gif


But yeah, while Nintendo does give you the regular login via e-mail as an option, it's a step in the right direction. Again, this is by no means a way for them to steal all your stuff, but is another way for someone malicious to do evil if they have your credentials.

No need to be rude.

It's a public service announcement that should your PSN credentials get stolen (not just limited to accounts with unauthorized charges where the user chooses to eat them in order to keep the account and not be banned), your friends list and saves can be deleted remotely.

As others have said, if you don't plan on using the remote feature, consider turning it off. Also a warning to keep your passwords up to date and consider using a password manager.

Sounds more like FUD to me. Anything can be done, if your PSN/XBL/NN password is compromised, even without using remote play. I highly doubt anyone could delete anything via remote access, if they don't have the access to password.
 

RhyDin

Member
Seriously? This made Miitomo useless for me.

I shouldn't have phrased it so factually, but I bet that's a big reason why an add by username was left out. The mobile market is plagued with bots on apps like kik, tinder, etc - it's no different from spam anywhere else. If people were getting random adds with spam URL's, this would poop up Miitomo pretty quick.

I suppose it just as easily could have been to encourage linking with social media to import friends quickly and seamlessly. Pretty much everyone has a facebook or twitter these days, anyway.

Sounds more like FUD to me. Anything can be done, if your PSN/XBL/NN password is compromised, even without using remote play. I highly doubt anyone could delete anything via remote access, if they don't have the access to password.
Right, if your account is compromised, the stuff on your console can be deleted. The issue is because the feature is enabled by default and as I stated in OP, didn't require any interaction on the console itself when I connected.

It's much safer to do nefarious things through an application on a computer than to use stolen credentials on an actual console (in which accounts could be tied to identifiable consoleID's and serials or other). A hacker could more easily mask their IP by proxy or VPN with the remote play client and not risk associating your stolen account with their own console, getting their own console banned or increasing the risk of being caught from identifiable information.

See threads like;
http://www.neogaf.com/forum/showthread.php?t=1026304
http://www.neogaf.com/forum/showthread.php?t=428229

Or articles like;
http://www.destructoid.com/inside-t...d-of-selling-stolen-psn-accounts-335904.phtml
 

GAMEPROFF

Banned
I shouldn't have phrased it so factually, but I bet that's a big reason why an add by username was left out. The mobile market is plagued with bots on apps like kik, tinder, etc - it's no different from spam anywhere else. If people were getting random adds with spam URL's, this would poop up Miitomo pretty quick.

I suppose it just as easily could have been to encourage linking with social media to import friends quickly and seamlessly. Pretty much everyone has a facebook or twitter these days, anyway.

First and foremost nintendo is afraid of child molesters.
 
No need to be rude.

It's a public service announcement that should your PSN credentials get stolen (not just limited to accounts with unauthorized charges where the user chooses to eat them in order to keep the account and not be banned), your friends list and saves can be deleted remotely.

As others have said, if you don't plan on using the remote feature, consider turning it off. Also a warning to keep your passwords up to date and consider using a password manager.

A common sense, nothing state is anything a user shouldn't do anyway, really your thread is the worst kind of scaremongering and you have been factually wrong on many points.


If you don't use your password for multiple sites and have individual, strong passwords for critical / important accounts then you have nothing to worry about.


Even with 2 stage authentication, there are plenty of hacked xbox accounts for sale, Facebook accounts hacked and so on.

And yes if any account is compromised, bad things will happen.
 

RhyDin

Member
and you have been factually wrong on many points.
What points would that be? I posted proof that you can delete local and cloud data using the app. I was able to turn my console on while in rest mode on my local network, so I can only assume it would work outside over WAN. Your friends list can be purged via the console, which cannot be done through the site. If you were compromised and this happened, there are things an intruder would be able to delete which cannot be recovered, even if you regain control of the account after the password was reset.

It's not about scaremongering to not use the feature, it's about security. It is a more likely scenario that a hacker will use the remote application rather than sign-in using their own PS4 because it's easier and faster and more secure for them. Have complex and unique credentials, as you said - but if you aren't going to use the feature, consider turning it off.
 

andshrew

Member
I think you've raised some valid concerns about potentially how easy it is for someone to remotely access your actual console and mess shit up for you, if they've somehow been able to obtain your PSN credentials.

It does rely on several additional factors though. You would have had to enable rest mode and allow internet access from rest. You would need a router which has uPnP turned on, or to have placed the PS4 in the DMZ or explicitly forwarded the ports required for remote play to enable connections from the WAN, and obviously the console would need to be on, or in rest mode for them to be able to connect.

I'm guessing you can access the web browser using remote play, so if someone were remotely controlling the PS4 they now have access to all your internal web services (i.e. your router's configuration page, which in the majority of cases is going to be set to the manufacturer's default password).
 

xxracerxx

Don't worry, I'll vouch for them.
It is a more likely scenario that a hacker will use the remote application rather than sign-in using their own PS4 because it's easier and faster and more secure for them.

This is just not the case.

You know what a hacker would do if they had your information (which they did not get through remote play)? Log on through the Sony website.
 

RhyDin

Member
I'm guessing you can access the web browser using remote play, so if someone were remotely controlling the PS4 they now have access to all your internal web services (i.e. your router's configuration page, which in the majority of cases is going to be set to the manufacturer's default password).
Damn, that's brilliant.
This is just not the case.

You know what a hacker would do if they had your information (which they did not get through remote play)? Log on through the Sony website.
Not if they wanted to screw with you before they sold or kept your account. The game saves are totally useless to them, as is the friends list. In fact, selling an account with people on the friends list would make it more obvious that it's a stolen account and probably be unwise for them if that was their intention.
 
No need to be rude.

It's a public service announcement that should your PSN credentials get stolen (not just limited to accounts with unauthorized charges where the user chooses to eat them in order to keep the account and not be banned), your friends list and saves can be deleted remotely.

As others have said, if you don't plan on using the remote feature, consider turning it off. Also a warning to keep your passwords up to date and consider using a password manager.

PSN credentials getting stolen has nothing to do with remote play being insecure insofar as your content being screwed with. Please stop with this.

Also, any time I've tried to add a device for RP I had to either add it manually with a code generated by the system or I had to be on the local network. You have MUCH bigger issues than RP being insecure in the case of the latter. This includes my Vita, my PSTV and setting up RP on my PC in the gaming room (which is pointless, but whatever).

You are concerned about, quite literally, the wrong thing entirely.
 

Blanquito

Member
Um, but there is console-side authentication: if you have a PIN set to login to your account on your PS4, you are required to put your PIN in when you try to remote play as well.

There, I solved all your problems.
 
XSplit is being a jerk right now, but here. It works on cloud saves, too. I didn't capture the deletion screen because there isn't one/no prompt given, it just sends you back to the games list.

ZuP8s1b.gif


But yeah, while Nintendo does give you the regular login via e-mail as an option, it's a step in the right direction. Again, this is by no means a way for them to steal all your stuff, but is another way for someone malicious to do evil if they have your credentials.

Congrats, you can delete your own saves. Maybe don't go giving your passwords out and this won't be a concern. You're right on the two step security, it should be there, but the rest is some of the greatest FUD I've ever read.

It's a public service announcement that should your PSN credentials get stolen (not just limited to accounts with unauthorized charges where the user chooses to eat them in order to keep the account and not be banned), your friends list and saves can be deleted remotely.

I really can't see a hacker being interested in deleting your friends or saves if he just gained free access to your credit cards. I can't say I'd care either with someone freely spending my money for me taking priority.
 

Oppo

Member
And we're done here

actually

you can lock the account in the PS4 locally with a 4-digit PIN, which Remote Play client asks for if enabled

you can also deactivate auto login on your PSN account

so that's a sort of poor man's 2-step but it works

edit - Blanquito beat me
 

RhyDin

Member
Yes, but it proves that this method can and will work in the reverse situation, as outlined in my OP.

This is only day 2 or 3 of the service having gone live, too.
 
Yes, but it proves that this method can and will work in the reverse situation, as outlined in my OP.

This is only day 2 or 3 of the service having gone live, too.

Please read the thread again. It proves that it works as intended (and had the fortunate side effect of letting that guy know that another person had access to his PSN details)
What's the problem with a program working as it should?
 

RhyDin

Member
Please read the thread again. It proves that it works as intended (and had the fortunate side effect of letting that guy know that another person had access to his PSN details)
What's the problem with a program working as it should?

It's a security hazard because most people that game online have UPNP enabled and the remote play service is on by default on the new firmware. Therefore, you have a ton of people with unchanged credentials from old dumps of third-party breaches using the same info and they can get their console accessed.

From there, the intruder accesses the user's browser, uses a custom DNS on their router gateway to implement a MITM attack and your entire network is pwnt to a crisp. I checked and the PS4 browser is accessible from remote play.
 

Ponn

Banned
It's a security hazard because most people that game online have UPNP enabled and the remote play service is on by default on the new firmware. Therefore, you have a ton of people with unchanged credentials from old dumps of third-party breaches using the same info and they can get their console accessed.

From there, the intruder accesses the user's browser, uses a custom DNS on their router gateway to implement a MITM attack and your entire network is pwnt to a crisp. I checked and the PS4 browser is accessible from remote play.

If it's so easy, have you done any of this at all to another person's PS4 you don't know without their credentials? You still need the login credentials. Remote Play is a feature built upon network features that are inherently gonna have the same vulnerability.
 

RhyDin

Member
If it's so easy, have you done any of this at all to another person's PS4 you don't know without their credentials? You still need the login credentials. Remote Play is a feature built upon network features that are inherently gonna have the same vulnerability.
Again, I never said you could do it without their credentials. Not sure if you realize this, but when major sites are hacked and hashed passwords are stolen, the database dumps are often shared publicly and privately. You have to also account for users being targeted directly via phishing or other attempts.

Yes, this has the same vulnerability as remote desktop on PC - but remote desktop on PC isn't enabled by default on any device using an e-mail and password. As andshrew pointed out, this relies on three factors;

- credentials obtained
- port forwarding/upnp enabled
- using default password on router gateway

If those criteria are met, you can basically own someone's entire network from their PS4 and steal tons more traffic. It isn't hard.
 

BennyBlanco

aka IMurRIVAL69
I don't trust Sony with my cc info until they get a proper 2 step like everybody else. Especially considering their history.
 
The problem isn't Remote Play, the same could happen if a hacker grabbed a Vita or PSTV and knew your credentials.

The problem is that without 2-factor authentication, a hacker is able to quickly and easily decipher anybody's credentials. Even 2-factor isn't perfect if the hacker gets clever and employs some social engineering with any gullible customer service rep (see Apple.)

Please stop with this nonsense of Remote Play being the problem because it is not. It is simply a tool that can be exploited if you have a person's credentials.

This isn't hard OP.



THE BOTTOM LINE: Dude! You need their credentials!
 

RhyDin

Member
The problem isn't Remote Play, the same could happen if a hacker grabbed a Vita or PSTV and knew your credentials.

The problem is that without 2-factor authentication, a hacker is able to quickly and easily decipher anybody's credentials. Even 2-factor isn't perfect if the hacker gets clever and employs some social engineering with any gullible customer service rep (see Apple.)

Please stop with this nonsense of Remote Play being the problem because it is not. It is simply a tool that can be exploited if you have a person's credentials.

This isn't hard OP.



THE BOTTOM LINE: Dude! You need their credentials!
The bottom line is that until the web browser is disabled from remote play, you can gain access to someone's internal network with it if you have their PSN credentials and can access their PS4 using remote play. This isn't hard, InsaneTiger.
 
The bottom line is that until the web browser is disabled from remote play, you can gain access to someone's internal network with it if you have their PSN credentials and can access their PS4 using remote play. This isn't hard, InsaneTiger.

not-sure-if-argument-or-talking-to-a-brick-wall.jpg
 

dity

Member
The bottom line is that until the web browser is disabled from remote play, you can gain access to someone's internal network with it if you have their PSN credentials and can access their PS4 using remote play. This isn't hard, InsaneTiger.

And then they do... what? Watch media from my local plex server?
 

RhyDin

Member

B-b-but you can't do it without their credentials! I'm not trying to argue, I'm just stating facts. Having this on by default is a huge security risk, we aren't arguing the possible semantics of social engineering a company for credentials.

Worth noting that user DoctorWho from the other topic doesn't think his account was compromised until a couple of days ago, where it was made primary account on the hacker's PS4. Therefore, if it was from a prior leaked dump, these accounts are still actively being checked or old compromised accounts are just sitting dormant for a good opportunity - like having access to someone's router gateway and home traffic.

I'm not sure why everyone is coming in this topic failing to acknowledge this and acting like I'm a shill that is shunning Remote Play entirely. It's important people know to lock their console with a passcode or disable Remote Play if they aren't going to use it, as well as changing the default password on their router and checking the SEN site regularly to ensure their PSN account isn't active on any console other than their own.

And then they do... what? Watch media from my local plex server?

Configure your router to redirect traffic to phishing pages. https://en.wikipedia.org/wiki/DNS_spoofing Hope you don't check your e-mail that your PSN account is tied to the next morning. Not everyone would fall for this, but a lot of people would.
 

dity

Member
B-b-but you can't do it without their credentials! I'm not trying to argue, I'm just stating facts. Having this on by default is a huge security risk, we aren't arguing the possible semantics of social engineering a company for credentials.

Worth noting that user DoctorWho from the other topic doesn't think his account was compromised until a couple of days ago, where it was made primary account on the hacker's PS4. Therefore, if it was from a prior leaked dump, these accounts are still actively being checked or old compromised accounts are just sitting dormant for a good opportunity - like having access to someone's router gateway and home traffic.

I'm not sure why everyone is coming in this topic failing to acknowledge this and acting like I'm a shill that is shunning Remote Play entirely. It's important people know to lock their console with a passcode or disable Remote Play if they aren't going to use it, as well as changing the default password on their router and checking the SEN site regularly to ensure their PSN account isn't active on any console other than their own.



Configure your router to redirect traffic to phishing pages. https://en.wikipedia.org/wiki/DNS_spoofing

This is the most nonsensical absolutely bonkers method of trying to scam someone out of money. You'd be better off just entering their PSN details into the SEN website and using their details to commit credit card fraud or something. Hell, you'd already have their bloody email address. Send them a phishing email.

You gotta be scared stiff and been watching too much CSI to think what you're saying is worth the effort. You are bonkers.
 
if someone has another person's information you don't need remote play......in order to use remote play you need a 4 digit code or your PSN information to link your device, you just don't use remote play and connect to any nearby PS4.
 

RhyDin

Member
Phishing e-mails don't work because people know to watch the address bar and sender e-mails (view original, etc), plus most stuff just goes to the spam folder. PSN accounts aren't useful on the black market because the accounts are banned from fraud claims - or accounts can be claimed back if the original owner has access to the e-mail. I suspect there is currently little money in PSN accounts, mostly just people hijacking accounts to play a free game or two. Again, you can't gift games on PSN accounts or view full payment information.

Having the ability to get into someone's network, though? A DNS spoof would hijack the address of the site you're visiting behind the scenes and still show the proper web address of the site in your address bar, not the forged address. This would be the phishing attempt the person would want and would be much more appealing with a widespread variety of accounts using different passwords. Different passwords which might include the password you're using on the e-mail of the PSN if it were different, or other accounts with different credentials.

It's no more farfetched than some Russian hacker jacking an account to play a game or two and the account be banned a week later. It opens the floodgates for a much broader hack with a more lucrative payoff.
 

dity

Member
Phishing e-mails don't work because people know to watch the address bar and sender e-mails (view original, etc), plus most stuff just goes to the spam folder. PSN accounts aren't useful on the black market because the accounts are banned from fraud claims - or accounts can be claimed back if the original owner has access to the e-mail. I suspect there is currently little money in PSN accounts, mostly just people hijacking accounts to play a free game or two. Again, you can't gift games on PSN accounts or view full payment information.

Having the ability to get into someone's network, though? A DNS spoof would hijack the address of the site you're visiting behind the scenes and still show the proper web address of the site in your address bar, not the forged address. This would be the phishing attempt the person would want and would be much more appealing with a widespread variety of accounts using different passwords. Different passwords which might include the password you're using on the e-mail of the PSN if it were different, or other accounts with different credentials.

It's no more farfetched than some Russian hacker jacking an account to play a game or two and the account be banned a week later. It opens the floodgates for a much broader hack with a more lucrative payoff.

You're just making stuff up to scare yourself. Seriously. Pop a cold drink, have a lie down, and realise you've set up a perfect scenario in your head.
 