Microsoft looking into alleged Xbox security problem

Microsoft is investigating findings by researchers that its Xbox 360 gaming console permanently stores credit card numbers on its hard drive, creating a potential security vulnerability for card holders.

“We are conducting a thorough investigation into the researchers’ claims,” Jim Alkove, general manager of Microsoft’s security of interactive entertainment business, said in a statement published at Joystiq.

“We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers’ claims,” he added.

The alleged security flaw was revealed by researchers at Drexel and Dakota State universities. The team purchased a refurbished Xbox and used a commonly available software tool to burrow into the file system on the gaming console. It took some sweat equity, but the researchers eventually pried loose the credit card information for the original owner of the Xbox.

“Microsoft does a great job of protecting their proprietary information, but they don’t do a great job of protecting the user’s data,” Ashley Podhradsky, a researcher who helped find the alleged vulnerability, told Kotaku, a gaming Web site.

The researchers, who include Rob D’Ovidio and Cindy Casey, of Drexel, and Pat Engebretson, of Dakota State, released their findings last August, but it wasn’t until stories about their research began appearing on the Internet last week that Microsoft took action on the matter.

Microsoft discounted the researchers’ findings. “Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described,” Alkove stated.

“Additionally,” he continued, “when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously.”

In an abstract of their findings, the researchers explained that gaming consoles, just like PCs, need proper sanitization processes to help fight identity theft. “[Y]ou cannot simply throw away a computer that has your personal data on it without some sort of sanitization process; gaming consoles are no different,” they wrote. “Simply returning your console back to ‘factory state’ will not do the trick.”

“In this research paper the authors aim to bring awareness to the gaming public, researchers and practitioners that improperly discarding used consoles without proper sanitization practices can inadvertently release personal data which can result in identity theft,” they added.

When retiring an old Xbox, the researchers recommend physically removing the HD from the console and running a software sanitizer on the drive.

When selecting a tool, they added, it is important to select one that emphasizes patterns in write fill in addition to passes. “This is imperative to making sure that slack and unallocated space is overwritten,” they wrote.
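Whether a sanitizer actually overwrote slack and unallocated space can be checked by reading the raw drive image sector by sector instead of through the file system. The following is an added example, not code from the article or the researchers; the 512-byte sector size, the zero fill pattern, the function names and the constructed sample image are all assumptions.

```python
import os
import tempfile

SECTOR = 512  # assumed sector size of the drive image

def find_residue(image_path, pattern=b"\x00", sector=SECTOR):
    """Return [(offset, length)] runs of sectors that differ from the fill pattern."""
    if not pattern or sector % len(pattern):
        raise ValueError("pattern length must divide the sector size")
    expected = pattern * (sector // len(pattern))
    runs, offset = [], 0
    with open(image_path, "rb") as img:
        while chunk := img.read(sector):
            if chunk != expected[:len(chunk)]:
                if runs and sum(runs[-1]) == offset:  # extend the adjacent run
                    runs[-1] = (runs[-1][0], runs[-1][1] + len(chunk))
                else:
                    runs.append((offset, len(chunk)))
            offset += len(chunk)
    return runs

def build_demo_image(path, residue_sectors, fill=b"\x00", sectors=8):
    """Write a constructed image: single-byte fill except in the listed sectors."""
    with open(path, "wb") as img:
        for n in range(sectors):
            if n in residue_sectors:
                # Constructed leftover record; the rest of the sector is fill,
                # the way slack space follows the end of a short file.
                data = b"CONSTRUCTED-LEFTOVER-RECORD"
                img.write(data + fill * (SECTOR - len(data)))
            else:
                img.write(fill * SECTOR)

def demo():
    """Scan an image with leftover sectors, then the same image fully overwritten."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        build_demo_image(path, residue_sectors={2, 5, 6})
        before = find_residue(path)   # sectors the file system no longer references
        build_demo_image(path, residue_sectors=set())
        after = find_residue(path)    # every sector matches the fill pattern
    finally:
        os.remove(path)
    return before, after

if __name__ == "__main__":
    print(demo())
```

An empty result means every sector of the image matches the fill pattern; any reported offset is a region the sanitizer did not reach.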
