Is PlayStation 4 Network Traffic Especially Difficult to Decrypt?

There has been much speculation in the media about PlayStation 4 (PS4) game consoles being used in the recent Paris terrorist attacks. However, there is no evidence that a PS4 was connected to the Paris attacks. Most of the media accounts quoted Belgian Minister Jan Jambon, who claimed, days prior to the attacks, that communication via a PS4 was “the most difficult” for intelligence agencies to decrypt and track. In this blog entry I examine the Belgian Minister’s statements and analyze the secrecy and anonymity provided by Sony’s PS4. I was unable to find any evidence supporting Minister Jambon’s remarks.

How it started:

Soon after the terrorist attacks on Paris, Paul Tassi, a journalist at Forbes magazine, wrote:

“Following Friday night’s terrorist attacks in Paris[..], authorities are discovering just how the massacre was planned. And it may involve the most popular gaming console in the world, Sony’s PlayStation 4. [..] Evidence reportedly turned up included at least one PlayStation 4 console. Belgian federal home affairs minister Jan Jambon said outright that the PS4 is used by ISIS agents to communicate, and was selected due to the fact that it’s notoriously hard to monitor.” - How Paris ISIS Terrorists May Have Used PlayStation 4 To Discuss And Plan Attacks

A day later Tassi was forced to post a correction stating that there was no evidence of a PlayStation 4 (PS4) found in any of the raids, and that Jan Jambon’s comments about terrorists using PS4s to communicate were made days prior to the attacks and were unrelated to them. Tassi said that he “misread the minister’s statement”. His misreading had serious repercussions: the Chair of the FCC, Tom Wheeler, used the incorrect Tassi story to argue for new spying laws. Paul Tassi’s reporting was based on two quotes by Minister Jan Jambon, a Flemish politician appointed last year to the office of ‘the Vice-Premier and Minister of Security and Home Affairs, in charge of State Buildings’. The first quote comes from an interview conducted by Matthew Kaminski:

Jan Jambon: “I heard that the most difficult communication between these terrorists is the PlayStation 4.”
Matthew Kaminski: “Really?”
Jan Jambon: “Yeah, yeah, it is very very difficult for our services, not only our services, Belgian services, all the international services, to decrypt the communication that’s done via PlayStation 4”
Matthew Kaminski: “Have you cracked WhatsApp?”
Jan Jambon: “WhatsApp is also a difficult one, but there we could, not we not me, but the services could decrypt WhatsApp, but PlayStation 4 should be very difficult. It’s a challenge.”

The second quote first appeared in the Belgian publication ‘the Bulletin’ and is reportedly from the same interview with Matthew Kaminski.

“PlayStation 4 is even more difficult to keep track of than WhatsApp” - Jan Jambon

Since very little is known about the Paris attacks or how the terrorists communicated, I will avoid speculating on that. Instead, I want to investigate the two quotes made by Jambon. First, does the PS4 encrypt communication in such a way that it is “the most difficult” to decrypt when compared with other communication services? Second, is the PS4 “more difficult to track than WhatsApp”?

How Good is the PS4 at Encrypting Network Traffic?

To answer this question, I examined a recording of the network traffic sent and received by a PS4 running the game Dragon Age Inquisition. The communication can be broken into two groups: (1) communication between the PS4 and the PlayStation Network (PSN) and (2) communication between the PS4 and other parties. I will first look at PS4 to PSN communication and then briefly describe the communication with other parties.

The PlayStation Network (PSN) is a social networking and identity service offered by Sony. According to Sony’s documentation, a PS4 user must register and sign into the PSN before playing online games. Much of the communication functionality offered by the PS4 is provided by the PSN. I found that while a small amount of the PS4-PSN communication was in the clear (unencrypted), much of it was protected by TLS. TLS is the same encryption technology that protects HTTPS websites; for instance, Twitter, Reddit and Wikipedia are protected by TLS. In TLS, a client runs a handshake protocol with the server to establish an encrypted connection by agreeing on a shared encryption key and cipher.

Like many technologies, TLS can offer different levels of protection, from totally broken to very secure, depending on the version used and how it is configured. Interestingly, the PS4 was running multiple TLS clients with different versions and configurations, and on the server side PSN was also running multiple versions and configurations of TLS. The more configurations you run, the more likely it is that one of them will be broken. The versions of TLS used in the PS4 range from the very old TLS-1.0 (developed 16 years ago in 1999) to the most recent TLS-1.2 (developed in 2008).

Many of the TLS configurations I observed were insecure and provided only weak security. Some of the certificates sent by the PSN TLS servers used the insecure signature algorithm ‘SHA1withRSA’. NIST deprecated it in 2011 and stated that “it shall not be used after 2013”. Google Chrome marks certificates signed with ‘SHA1withRSA’ as “affirmatively insecure”.

Even worse, many of the PS4 clients and the PSN servers included the insecure RC4 cipher in their cipher suites. Microsoft recommends completely disabling and disallowing RC4 on all systems, and RC4 is so dangerous to use that the standards body of the internet, the IETF, wrote an RFC titled “Prohibiting RC4 Cipher Suites”. The RFC states:

“TLS clients MUST NOT include RC4 cipher suites in the ClientHello message.” “TLS servers MUST NOT select an RC4 cipher suite when a TLS client sends such a cipher suite in the ClientHello message.” “If the TLS client only offers RC4 cipher suites, the TLS server MUST terminate the handshake. The TLS server MAY send the insufficient_security fatal alert in this case.”

It gets worse, because not only do some of the PS4 TLS clients include RC4 in their cipher suites, but, fatally, the PSN server actually uses RC4 for TLS connections (see image below). This is particularly dangerous because RC4 is considered cryptographically broken. If an encrypted TLS connection uses a broken cipher, an adversary might be able to decrypt the messages. For instance, researchers have performed practical plaintext recovery attacks against TLS when using RC4.

The above is not a complete list of all the cryptographic sins of PS4-PSN communication, but it is sufficient to show that not only is PSN significantly more vulnerable cryptographically than other standard communication platforms such as Twitter, Reddit or Wikipedia, but it also fails to meet even the bare minimum of industry best practices.
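The TLS version and both RC4 findings above (clients offering RC4, the server selecting it) can be read from the unencrypted hello messages in a capture. The following is an added example, not code from the original analysis: it parses a ClientHello or ServerHello record and reports the version and any RC4 suites. It assumes each hello arrives unfragmented in a single TLS record; `audit_hello`, `build_hello` and the sample records are constructed for illustration, and the suite table is a subset of the IANA registry.

```python
import struct

# Subset of the IANA registry: RC4 suites that must not be offered or selected.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def audit_hello(record: bytes) -> dict:
    """Parse one TLS handshake record and report its version and RC4 use."""
    ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or rec_len != len(record) - 5:
        raise ValueError("not a complete TLS handshake record")
    msg_type = record[5]
    version, = struct.unpack_from("!H", record, 9)  # after 1-byte type + 3-byte length
    pos = 11 + 32                                   # skip the 32-byte random
    pos += 1 + record[pos]                          # skip the session_id
    if msg_type == 1:                               # ClientHello: list of offered suites
        n, = struct.unpack_from("!H", record, pos)
        suites = struct.unpack_from("!%dH" % (n // 2), record, pos + 2)
        kind = "ClientHello"
    elif msg_type == 2:                             # ServerHello: the one selected suite
        suites = struct.unpack_from("!H", record, pos)
        kind = "ServerHello"
    else:
        raise ValueError("not a ClientHello or ServerHello")
    return {"kind": kind,
            "version": VERSIONS.get(version, hex(version)),
            "rc4": [RC4_SUITES[s] for s in suites if s in RC4_SUITES]}

def build_hello(msg_type: int, version: int, suites: list) -> bytes:
    """Construct a minimal hello record (sample data only, zeroed random)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, empty session_id
    if msg_type == 1:
        body += struct.pack("!H", 2 * len(suites)) + struct.pack("!%dH" % len(suites), *suites)
        body += b"\x01\x00"                                  # one compression method: null
    else:
        body += struct.pack("!HB", suites[0], 0)             # selected suite, null compression
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs

# Constructed samples, not taken from the PS4 capture.
CLIENT = build_hello(1, 0x0301, [0xC02F, 0x002F, 0x0005, 0x0004])
SERVER = build_hello(2, 0x0301, [0x0005])
```

A non-empty `rc4` list on a ClientHello means the client offers RC4; on a ServerHello it means the server selected it for the connection.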

Let’s pretend for a moment that Sony deployed stronger encryption. Would PS4-PSN communications be difficult for intelligence agencies to decrypt? No; let me explain why. TLS allows two parties to communicate privately, but in this case one of those parties is PSN, i.e. Sony. This means it is very likely that intelligence agencies only have to ask for Sony’s encryption keys to decrypt PSN traffic. Sony even says they will share PSN activity (messages, voice, videos, etc.) with appropriate authorities in their Terms of Use:

“Are we monitoring PSN? Yes but we can’t monitor all PSN activity [..]. However, we reserve the right [..] to monitor and record any or all of your PSN activity [..]. Your use of PSN and our community features may be recorded and collected by us [..]. Any information collected in this way, for example, your UGM, the content of your voice and text communications, video of your gameplay, the time and location of your activities, and your name, your PSN Online ID and IP address, may be used by us or our affiliated companies to enforce these Terms and the SEN Terms of Service, to comply with the law, [..]. This information may be passed to the police or other appropriate authorities.” - PlayStation Software Usage Terms

Now I will briefly look at communication between the PS4 and other parties. The PS4, once signed into PSN (PlayStation Network), allows the user to connect to other servers and parties outside the PSN. Much of the network traffic I looked at was UDP traffic from the PS4 to other home internet users. Most of these UDP packets had very high entropy, suggesting that they were encrypted or compressed. If these packets are Dragon Age Inquisition game actions, then it is likely they were using the same network protocol used by the PC version. These packets may also have been the VOIP (Voice Over IP) service offered by PSN to allow gamers to talk to each other. Given that user identity and credentials are managed by PSN, it seems plausible that a compromise of PS4-PSN encryption would also allow the decryption of VOIP communications.
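The entropy measurement mentioned above can be reproduced as follows. This is an added example, not the tooling used for the original analysis, and all payloads are constructed; it shows why high entropy alone cannot separate encrypted from compressed data, and why short datagrams need to be pooled per flow before measuring. The function names and the 64-byte packet size are assumptions.

```python
import hashlib
import math
import zlib
from collections import Counter

def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flow_entropy(payloads) -> float:
    """Entropy over all payloads of one flow pooled together.

    A single n-byte packet cannot score above log2(n) bits, so a 64-byte
    encrypted datagram tops out at 6.0; pooling removes that ceiling.
    """
    return entropy_bits(b"".join(payloads))

def keystream(n: int) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 in counter mode."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def chunk(data: bytes, size: int = 64):
    """Split a byte string into packet-sized payloads."""
    return [data[i:i + size] for i in range(0, len(data), size)]

# Constructed samples (not from the PS4 capture): game-state-like text, the
# same text deflated, and pseudo-random bytes standing in for ciphertext.
PLAIN = "\n".join(f"player {i % 16} pos {i * 37 % 977},{i * 91 % 811}"
                  for i in range(400)).encode()
COMPRESSED = zlib.compress(PLAIN, 9)
CIPHERLIKE = keystream(4096)

def report() -> dict:
    """Pooled entropy per sample flow, plus one 64-byte packet on its own."""
    return {
        "plain": flow_entropy(chunk(PLAIN)),
        "compressed": flow_entropy(chunk(COMPRESSED)),
        "cipherlike": flow_entropy(chunk(CIPHERLIKE)),
        "one_packet": entropy_bits(CIPHERLIKE[:64]),
    }
```

Both the deflated and the cipher-like flows score far above the plain text, so telling them apart needs protocol knowledge rather than entropy.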

Is the PS4 harder to track than WhatsApp?

Both WhatsApp and the PS4 limit anonymity out of the box by requiring that users associate their online identity with a real world identifier. When a user connects a PS4 to the PlayStation Network (PSN), the service learns the unique identifier of their PS4.

"SCE will also be able to know your console unique ID and your console IP address which is automatically assigned to your PS4 system by your internet service provider when you connect your PS4 system to the internet.” - PLAYSTATION4 SYSTEM SOFTWARE LICENSE AGREEMENT (Version 1.1)

Not only that, but most multiplayer PS4 games require a PlayStation Plus account. Reading Sony’s documentation, it seems that to register a PlayStation Plus account you must supply credit card and billing records. I don’t own a PS4, so I have not verified this myself.

“In almost all cases, a PlayStation Plus account is needed to play online multiplayer on the PS4.” - PS4 Online Multiplayer Requirements

Similarly, WhatsApp requires that you associate your phone number with your WhatsApp username. In both services this registered information is then used to track and identify users. Thus, neither one is designed to pose, nor appears to pose, any particular problem from a tracking perspective.

Additionally, neither provides anywhere near the level of communications secrecy provided by secure messaging apps. All the messages sent by the WhatsApp client can be decrypted by the WhatsApp server, and as we discussed earlier, since PSN/Sony manages user identities and credentials, the same weakness likely exists for the PS4.

For further reading, I recommend “Forensic analysis of a Sony PlayStation 4: A first look”, which shows how police can access files and data from a PS4 and that the PSN records and stores user activity on their servers (even if a PS4 was destroyed, the data might still be accessible by Sony).

Conclusion:

I was not able to confirm any cryptographic benefit to using the PS4 over other standard communication tools such as Gmail, Facebook or Twitter, nor does Sony promise that the PS4 delivers this functionality. In fact, many things in their documentation suggest the opposite. Furthermore, the PS4 often requires that users hand over information which could identify their real names before they can even begin using it, making them very easy to track. This is not to say I am contradicting Minister Jambon’s statements, but in my brief investigation I was not able to find any evidence to support his statements.