Recently I bought a used PS Vita from eBay, after receiving and thinking about some security issues, I decided to write about it. Not only for educational purposes, it’s just to inform about the risks but because it’s highly interesting from a hackers perspective what information one can obtain from any device.
However: This is not any kind of tutorial or motivate anyone to replicate this themselves, but to warn everyone, to always be careful what you do with your devices. Since we as Hackinformer should inform about hacks or security risks, why not do that, right?
Okay let’s start then:
Last week I bought this Vita which was water damaged for $40 bucks with the only goal of getting the battery out of it. The seller said, the Vita more or less still works and only some buttons refuse to work actually.
I bought it via PayPal (which will give anyone’s e-mail address you pay) and 3 days later I got the package in front of me (which you’ll get anyone full address from the mail-sticker). Nothing interesting of course and quite normal but still information some bad guys might have already pay money for.
After charging and booting, the first thing I did was checking the firmware of course and to my surprise, it was still running firmware 3.52! Furthermore, they didn’t format the Vita properly back to factory and it was still linked to his PSN account, which would have been taken out if a factory restore was done to it.
For some of you following the Vita hacking scene, this might ring a bell already. For everyone else: What this basically means is that anyone can dump the Vitas registry and get personal information from it unencrypted in plain text. (This security problem was fixed as of firmware update 3.57 though)
Well, so I did, just to see how far the rabbits hole would go.
After analysing the data. You could see Wifi password, the internet provider, and PSN Login Data.
Since the password, let’s say, isn’t very “smart” and unique, it’s rather obvious that said password will probably be used for other services as well. So if my assumption turned out to be correct, you could have had full access to some one’s PayPal account or more..
But no, of course, I did not continue any further.. and yes, of course, this happened with the permit of the seller after I contacted him about this.
However if the same password is used for other services as well, getting control over his e-mail address(es) from the beginning, facebook and more shouldn’t be any problem from here.
Summing everything up: In the end, someone who wants to actually harm you got more or less everything about you. So ALWAYS be careful, what you do with your devices. Please don’t always use the same password and properly reset and format any electronic devices you sell.
Note: Hackinformer sees this way to offend with used consoles for sale from pawn shops, yard sales, flea markets, etc. Once again always remember to format any device back to factory before you sell it.
Hope you liked this different kind of post for once and learned something from it. (And this was just an example for a gaming console!)
Until next time I’ll go shopping on eBay.. 😉