Sophos Cloud Optix
The US Department of Homeland Security is out to hack video game consoles, such as Xboxes, Wiis and PlayStations.
According to Foreign Policy, the US Navy has just awarded a $177,237 sole-source research contract to Obscure Technologies, a computer forensics company, to figure out how to hack the encryption that protects personal data on the consoles.
What the feds want from the deal, according to the contract with the US Navy: “hardware and software tools that can be used for extracting data from video game systems” and “a collection of data (disk images; flash memory dumps; configuration settings) extracted from new video game systems and used game systems purchased on the secondary market.”
According to Foreign Policy, law enforcement agencies contacted the Department of Homeland Security’s Science and Technology Directorate for help on a tool to examine gaming console data. DHS then asked the Naval Postgraduate School (NPS) to execute the contract and to lead the research.
It’s easy to dismiss these consoles as trivial games. But to law enforcement, they’re a potential treasure trove of forensic data.
As Foreign Policy points out, the government isn’t interested in the games themselves.
It’s the sophisticated platforms that could be a gold mine, given how they’ve evolved far beyond being simple entertainment purposes and now serve as all-purpose devices that can, for example, connect to Facebook or allow chatting with other players.
Once the DHS has cracked the encrypted devices, investigators will have access to data including when players were connected to the internet, the identity of those to whom they talked, the conversation logs of what was said, and the game that was played.
This data can help track down pedophiles, who often use online gaming communities as hunting grounds. A spokesman for DHS told Foreign Policy that there’s also a “suspicion” that terrorists are using online gaming to communicate.
Of course, on the flip side of catching pedophiles and terrorists lie privacy concerns.
Parker Higgins, a spokesman for the online privacy group the Electronic Freedom Foundation (EFF), told Foreign Policy that users might not realize the extent of the data that’s created and stored in their consoles:
"You wouldn't intentionally store sensitive data on a console. But I can think of things like connection logs and conversation logs that are incidentally stored data. And it's even more alarming because users might not know that the data is created."
"Taken in context, it could end up revealing more than you expect."
As Naked Security’s Lachlan Urquhart has pointed out, US police are already increasingly using online forums such as Xbox Live to communicate with suspected criminals and, reportedly, to record conversations.
And as Ars Technica reported in a January article on law enforcement’s use of online games to aid investigations, Microsoft has actually filed a patent on ways to intercept Internet calls, potentially including audio messages transmitted via gaming systems.
The US Privacy Act makes it illegal to poke at US citizens’ data in this manner, according to Simson Garfinkel, a computer science professor associated with the DHS project.
That’s why the government is pointing Obscure Technologies at gaming systems purchased outside the country.
Here’s what Garfinkel told Foreign Policy:
"This project requires the purchasing of used video game systems outside of the U.S. in a manner that is likely to result in their containing significant and sensitive information from previous users. We do not wish to work with data regarding US persons due to Privacy Act considerations. If we find data on US citizens in consoles purchased overseas, we remove the data from our corpus."
Getting data out of these systems is hard. A peek at the Ars Technica article reveals a host of quotes from frustrated investigators who’ve tried.
It’s certainly not impossible, though. As Foreign Policy points out, there have already been hacks that enable spying on users of the Xbox Kinect, a video-enabled add-on that reads body movement for interactive gaming.
Should law enforcement agents be given the rights to spy on gaming users? Given the allure of catching pedophiles and terrorists, it’s hard to imagine they won’t inevitably be granted such rights, Privacy Act or no.
Again, Privacy Act or no, it’s also naïve to think that law enforcement wouldn’t go ahead and use whatever spying technology they get out of the Obscure Technologies deal to hack into US citizens’ devices, given the rise of warrantless eavesdropping.
It’s time to stop thinking that what’s said and done on a game console doesn’t matter.
DHS’s move makes this clear: If you don’t want your conversations or activities monitored, don’t assume that a gaming console is going to keep them out of the increasingly watchful eye of the government.
By hacking these consoles it is invading your privacy. I know that I disable voice data collection on my Xbox because there are some things I only want my friends to hear and no one else.
You know that you press a button and it says voice data collection is off, but is it really off?
Facepalm if this is a reaction to The Sun's story about terrorists using Modern Warfare to communicate their plans.
Even if it isn't, still facepalm.
Facepalm!
I think their main concern is finding a way to charge people with illegal copies of games, and being able to trace contacts, and pull down pirate sites. Really you got a better chance of finding pedophiles on Facebook, but the police can't even do that right considering they are chasing a guy who updates his facebook while running and has managed to escape 2 times.
Government is wasting our money on a 3rd party instead of going to the source since Microsoft has a patent for this, and they created the system.
Reading Artfuls comment makes me laugh. I can just see the logs.
Terrorist 1: "Run in and just toss the bomb at your feet"
Terrorist 2: "Alright great plan"
Terrorist 1: "No, enter the room and throw it at your feet. You failed to kill yourself. Try again"
Terrorist 2: "Darn this is hard. I get shot up the moment I enter."
Why don't they just ask Sony or Microsoft for the Key to the store room or is this the simple option that is often overlooked to make it seem more complex than it actually is ?
Exactly! There is something very wrong about this. If law enforcement is actually after suspected criminals they can get the key from MS or Sony but if they just want to monitor for the sake of monitoring then it's a different case.
What do Nintendo & Sony think of this? I don’t like it.
Doesn't this violate the DMCA ?
This violates national and international privacy law. I didn't know that US Navy handled the pedofiles in US…
I call shenanigans. The U.S. Navy, nor any other branch of the military or government is in charge of getting rid of pedos outside the U.S. Hell, the military isn't in charge of getting rid of pedos WITHIN the U.S. Sounds like once again someone is using "think of the children" to pass some dumbass nepotism contract for IT services that are most likely useless and certainly not worth six figures in sole-source funding. Of *course* they're sole source, everybody else is like "WTH are you talking about?" when the Navy approached them to hack gaming consoles for sensitive data.
America scares me….
Me too ……
You all didn't really think privacy was going to be like it was in, I don't know the 1950's??
Of course there won't be retaliation on some random log they hacked spouting nonsense. They are trying to put folks behind bars using any means they can within the law. The fact that they have reason to believe people are using game consoles is even worse than when they were just finding them in the chat sessions in America Online.
Just another reason I don't use consoles anymore, however, if you're not DOD wiping your hard drives (in any device with a HDD) before you sell them you're just dumb.
Also willing to bet Nintendo wasn't mentioned cause they don't use removable internal storage. Plus, who care about the data in a Wii? You gunna bust someone cause the last game they played was Mario Party?
Exactly!
Wipe a disk before trashing the computer?? not on your life.. you physically take it out and "smash it" beyond reading..
Don't want prosecuted for something that some hacker managed to load on my machine, and is found later..
BIG BROTHER IS WATCHING YOU PLAY GAMES
1984 has come to America, the book, not the year.