If you are a Sony camera user, there’s something you must know. According to a computer security expert, Sony’s camera firmware update process has serious security risks and can put your data and computer in danger.
Software and photography expert, Lloyd Chambers, has informed that while companies such as Canon and Nikon have secure in-camera firmware update processes, Sony uses a computer-based updater that needs “administrative root access” to function. But giving these permissions lets the software do, theoretically, just about anything to your computer.
“That means it can install things like a keyboard sniffer, transmitting everything you type to some hacker in Belarus, so to speak. Thus all your accounts, all your money, your identity, etc is placed at risk,” says Chambers.
Apple has been consistently tightening up security in macOS. Sony did warn late, the previous year, that the latest security system in macOS 10.13 High Sierra might cause Sony’s firmware updater to not work for cameras like the a7R III.
Chambers adds,“Approaches that in essence require operating system kernel access are incredibly badly designed given the security risks.”
Sony, in January 2018, unveiled its solution to the issue of its updater not functioning in High Sierra. But instead of responding to Apple’s tight security with a secured and safe firmware update system, Sony posted a tutorial that explained, to the camera owners, the process of installing the kernel extension and granting permissions in High Sierra.
“The Sony kernel extension is, quite appropriately, blocked by macOS because it is a very very bad idea,” Chambers says. “In this day and age, requiring a kernel extension to install a firmware update for a camera shows gross ignorance of the security risks and in my view, is incompetence.”
In Chambers’ words:
The current status of the Sony firmware updater is unacceptable because it requires the user to assume that Sony software is free of malware. That the software is signed only guarantees that something was signed by Sony, not that it is free of any infection (infection could have occurred prior to signing).
If Sony software is ever compromised (including at the source code level!), that malware would have unfettered root/kernel access to the system until the system were wiped out (assuming such an infection did not overwrite firmware in various places, in that case the machine becomes dumpster material).
Since Sony Pictures with highly valuble intellectual property was hacked a few years ago(taking the company down for weeks), no user should ever trust what could become a “root kit” firmware updater for hackers.
The ONLY acceptable solution is an in-camera firmware updater. Even that is not risk free (the download process), but it does not directly expose the computer at the kernel level, or even admin level.
That there is risk is self-evident in Sony’s need to bypass what Apple now considers core security prohibitions. Indeed, the Sony kernel extension cannot just be installed but requires explicit enabling by the user after installation, that is, on the new iMac Pro with its secure enclave and much more locked down boot security.
If you would rather not trust Sony and place the security of your computer in the company’s hands, Chambers insists that you install the firmware update through a temporary virtual machine and later delete the VM.
Sony is yet to comment and respond on this security issue.
What’s your take on this matter? Comment down and let us know.
Also, check out our workshops on PHOTOSHOP Zero 2 Pro