Sony Firmware Update Procedures A Security Risk?

Wendell Weithers

Updated on:

The internet is a perilous environment and even when we navigate the vast sea of information with an appropriate level of caution, we are still vulnerable to unknown dangers. An unassuming link from a friend on Facebook, an email from some random Nigerian Prince, or the inadequate security measures implemented by companies we trust with our information can lead to life-disrupting events. And yet, as much as we try to avoid it, we often trade our security for access to something we need or want.

For instance, we’ve all seen the warning that pops up on our screen when we install an app that requires we authorize its installation. Unless we’ve heard something explicitly stating a risk about it, most of us enter our passwords and blaze through the subsequent “Are you sure?” prompts to get on with our day.

What’s worse is that many of us are not savvy enough to understand what happens when we click “Yes”. And when do so, we do it trusting that those who created the app have gone to the appropriate lengths to protect us from unnecessary risk. Sadly, history has revealed that isn’t the case and that reality persists.

Llyod Chambers is a blogger who has been documenting the unusual method employed by Sony to updating its cameras on Apple computers. In it, he chides the company for not only failing to perform its due diligence in protecting Mac OS users but in a textbook case of “hustlin’ backward”, they’ve apparently made it worse.

According to Lloyd Chambers’ Blog:

The current status of the Sony firmware updater is unacceptable because it requires the user to assume that Sony software is free of malware. That the software is signed only guarantees that something was signed by Sony, not that it is free of any infection (infection could have occurred prior to signing). [Indeed, even malware can be signed].

If Sony software is ever compromised (including at the source code level!), that malware would have unfettered root/kernel access to the system until the system were wiped out (assuming such an infection did not overwrite firmware in various places, in that case the machine becomes dumpster material).

Since Sony Pictures with highly valuble intellectual property was hacked a few years ago (taking the company down for weeks), no user should ever trust what could become a “root kit” firmware updater for hackers.

The ONLY acceptable solution is an in-camera firmware updater. Even that is not risk free (the download process), but it does not directly expose the computer at the kernel level, or even admin level.

That there is risk is self-evident in Sony’s need to bypass what Apple now considers core security prohibitions. Indeed, the Sony kernel extension cannot just be installed but requires explicit enabling by the user after installation, that is, on the new iMac Pro with its secure enclave and much more locked down boot security.

If you are so inclined, you can employ the means of protection quoted above and refer to the article for a broader account of the issue.

In most cases, I stand firmly in the camp with those less savvy regarding such matters.  So, I err on the side of avoiding strange links and I don’t respond to emails from random Wakandan princes.

But, I also trust that the company which, in part, facilitates my livelihood; a company that takes my hard earned money, soaked with my blood, sweat, and hopes; won’t provide a clear path to my dozens and dozens of dollars. For a company lauded for forward-thinking instincts and innovative vision, a better solution is warranted.

Sony CEO Kaz Hirai Steps Down But Leaves Sony Pedigree & Kando In Photography

Sony Announces Firmware Update 2.00 for a9 | Improved AF-C and addition of IPTC Metadata functionality