Diglloyd says Sony’s Camera Firmware Updater is a Major Security Risk
Diglloyd (via Petapixel) exposed a major issue with the Mac camera update software:
While companies like Nikon and Canon use safe in-camera firmware update processes, Sony uses a desktop-based updater that requires “administrative root access” to function — when given these permissions to your computer, the software could theoretically do just about anything.
Approaches that in essence require operating system kernel access are incredibly badly designed given the security risk.
The current status of the Sony firmware updater is unacceptable because it requires the user to assume that Sony software is free of malware. That the software is signed only guarantees that something was signed by Sony, not that it is free of any infection (infection could have occurred prior to signing).
If Sony software is ever compromised (including at the source code level!), that malware would have unfettered root/kernel access to the system until the system were wiped out (assuming such an infection did not overwrite firmware in various places; in that case the machine becomes dumpster material).
Since Sony Pictures, with highly valuable intellectual property, was hacked a few years ago (taking the company down for weeks), no user should ever trust what could become a “root kit” firmware updater for hackers.
The ONLY acceptable solution is an in-camera firmware updater. Even that is not risk free (the download process), but it does not directly expose the computer at the kernel level, or even admin level.
That there is risk is self-evident in Sony’s need to bypass what Apple now considers core security prohibitions. Indeed, the Sony kernel extension cannot just be installed but requires explicit enabling by the user after installation, that is, on the new iMac Pro with its secure enclave and much more locked down boot security.
I doubt Sony will find a proper fix for this on current cameras. Sony has to completely rethink the way they do camera updates and this probably means that we may see a real solution on future models only.
We will add this to the long list of things Sony has to fix like:
– Star eater issue
– Doing regular firmware updates like Fuji
– Adding proper weather sealing on future cameras
– Improving the Sony service in some countries (I mean the normal service and not the PRO service which works fine)