The GetDPI Photography Forum

Sony Firmware Updater a Major Security Risk?

KeithDM

Well-known member
Before buying my first Sony camera (A6500) in January, firmware updates for my other digital cameras had involved copying the firmware file to a memory card and updating the camera direct from the card. Thirty minutes or so after downloading/installing v1.05 for the A6500 using the (new to me) Sony method onto my iMac, I came across this link to an article where Lloyd Chambers (DigLloyd) ref the risks involved in Sony's methodology. Alarmist or a real concern?
 

pegelli

Well-known member
Let me first disqualify myself as an expert in this area, so YMMV ;)

The way I read the article is that you need to have malware on your computer specifically looking for this weakness created by the Sony installer to get problems. So if you run a proper anti-virus/anti-malware software the probability of something going wrong would be low. So I would just follow the procedure and not worry too much. I've done my first update with this type of installer for the first time in 2010 and many times since then. But as they say ignorance is bliss :)

So, since the probability is not zero and the consequence might be too big for you (I don't store many proprietary access codes on my computer, so I consider my risk low) maybe getting an old disconnected laptop in your household to do these updates completely avoids the risk.

Another thought is that if it would be a widespread problem the internet would be filled with many more burning stories vs. just this article which only describes the theoretical danger, but doesn't report anything about actual cases that went wrong, which would be strange for an unsafe type of software that's already in use for more than 8 years.

If others on here are more knowledgeable about this problem I'm happy to be proven wrong so I can take better care next time I need to do a Sony firmware upgrade.
 
Vivek

Guest
It is a real concern*.

Given how sneakily Sony introduced the star eater via a firmware “update”, they do not have much credibility.

Also, it is worth keeping in mind all Intel-based devices are prone to hacks as admitted by Apple and others.

*I am not a fan of DigLloyd but he does raise an excellent point!
 

pegelli

Well-known member
Good points Vivek, Sony did some strange things with their firmware and signal processing in the past (up to today) although it is probably more stupidity than intent (you know I'm an optimist ;) )

Other than using an island computer, would you have some advice or other method to reduce the risk of Sony firmware updates?
 

docmoore

Subscriber and Workshop Member
No real good way but with a Mac you could run the update under a sequestered PC emulation or with a Bootcamp partition ... recognizing that should your partition be at risk for attack you could wipe it after the update.

Personally think that Sony needs to give up control and allow the update like the majority of other manufacturers ... in camera from a SD file.

Bob
 
Vivek

Guest
Pieter, one has to assume that they are very visible to many when online. Any other thinking is like wrapping a blanket over oneself and assuming that he/she is invisible to the world.

I used to use an old PC for the updates. I do not plan to do any FW upgrades from Sony anymore, at least until reports about them appear and are deemed “safe”. I do not give any CC data to Sony (never bought any of their PlayStation apps).

To be very safe, like you, I have decided to buy only old Sony gear. Buying new gear, even with 5 year warranty makes little sense given how bad their farmed out service center here is.

I do applaud all the beta testers though! :)
 

KeithDM

Well-known member
Well, unless future firmware updates for the A6500 contain something that explicitly benefits my usage, I will give them a miss - but if they adopt the methodology used by everybody else...

Have run Sophos anti-virus and Malwarebytes on my iMac (High Sierra 10.13.2) and nothing untoward reported.
 

picman

Member
Considering that most people had already used the updater, prior to this warning, at some time or another what should we do? Is there any software or files we could look for and that should be removed from the computer? I have Avast on my computers.
 

Frankly

New member
Back in 1999 I bought a $2800 Sony digital camera and got to enjoy their cutting edge customer alienation and bumbling software and UI incompetence. I swore to myself never to buy another Sony product after that. So it's reaffirming to see stories like this, they make my Nikon purchases less painful. Nikon has lousy customer service and stupid software as well but never to the same degree.
 