Pandora's Xbox of security fears

Microsoft's new super-sensitive console takes gaming to a new level, but critics say it has all the features of a covert surveillance device

PUBLISHED: Monday, 10 June, 2013, 12:00am
UPDATED: Monday, 10 June, 2013, 3:47am

In 2011, Microsoft's Kinect, a hands-free sensor unit for the Xbox 360 gaming console that captures and integrates a player's motion, set a world record as the fastest-selling consumer electronics device in history, with more than 8 million devices sold in its first 60 days on the market.

So when Microsoft announced its next-generation gaming console, Xbox One, two weeks ago, it generated a great deal of excitement. Xbox One comes with an updated version of the Kinect sensor that has greater sensitivity and accuracy in tracking, capturing and recording the user's motion, gestures and voice. It boasts a state-of-the-art motion device that is so powerful it can even track the heart rate of people standing in front of it. The new Kinect microphone will remain permanently active so that it can take voice commands from users when needed - even when the console is in sleep mode.

It promises to revolutionise the home entertainment system: with Xbox One, you can finally do without numerous remote controllers to issue commands to your TV, the disc player, the gaming console or the sound system. You make a gesture or voice a command and they will respond.

But the device has alarmed many would-be consumers: the Kinect sensor is so powerful that many people fear it could threaten the privacy of its users. The all-encompassing nature of the relationship between the user and the device means everything the user does or says near Kinect will be captured and recorded.

Microsoft responded with an assurance that the user would be able to turn the Kinect off if they wanted, and would have full control over the type of personal data they want to share with others.

In a newly published document detailing privacy concerns for the console, Microsoft said the Xbox One's Kinect camera and microphone will not record or upload conversations and users can freely customise the settings.

But this does not solve the potential problem of the Xbox One being hacked. Its super-sensitive Kinect sensor will make the device a dream target for hackers as it will allow them to see, hear and monitor almost everything in homes around the world.

To some young but ambitious mainland hackers who earn less than 3,000 yuan (HK$3,700) a month, share a small apartment with a dozen roommates and spend many evenings alone on a second-hand laptop, hacking Kinect is a portal to peer recognition, fame and possibly money.

"It is not that I want to peep into people's privacy. It is just a way to prove my brains, my strength, my worth," said Lin, a relatively new member of a major hacking group on the mainland who declined to reveal his full name and organisation because such activities are banned by the Chinese government.

"But on the other hand, I have never been to the United States. I won't mind paying a visit to the White House and catching President Obama in Dance Central [a popular Kinect dancing game]," he said.

Over the last couple of years, the mainland's hacking communities have made little progress, however, due to their lack of familiarity with the Xbox's operating system.

To access the Xbox, a hacker needs to discover and exploit backdoors left open either intentionally or accidentally by developers - but only a small number of people in China have the Xbox and only a small number of Xbox users are hackers, Li said. That made discovering the Xbox's backdoors quite difficult, as it was a labour-intensive exercise.

But a comment made during a Microsoft presentation of the console gave mainland hacking communities a ray of hope last week. Xbox chief Marc Whitten said during his presentation that the Xbox would be running a "kernel of Windows," which was assumed by many technology websites to be similar to, if not the same as, the operating system on personal computers.

As China has probably the largest number of Windows users in the world - estimated to have reached more than half a billion at the end of last year - the chance for mainland hackers to tap into the new gaming console could increase significantly, according to some industry experts.

Microsoft did not respond to an inquiry from the Post on the system's security issues, but experts said that if a large number of Chinese hackers joined in the game of hacking the Xbox, the company would face an unprecedented challenge to protect the privacy of its millions of users.

Adding to the security concern is that the new Xbox will come with Kinect 2.0 - an upgraded version of the motion sensor.

The sensor would not only be more sensitive, able to detect tiny human motions such as the jerk of a shoulder, but also come with a high-definition camera with 1080p resolution and microphone arrays sensitive enough to pick up gamers' heartbeats.

With the new Kinect, a hacker could clearly hear a conversation not only in a living room, but almost anywhere in a house or apartment.

Microsoft also strengthened the new console's online connectivity so much that you probably would be unable to play a game if you were not connected to the internet. And the new console could not be completely turned off, as a function was added to switch the machine back on by voice command.

Tang Wei, senior security engineer with Rising, one of the largest anti-virus and network security companies on the mainland, said that it was "totally possible" to hack into the new Xbox and take control of the Kinect, and he was not surprised by the growing interest among hacking communities.

"The gaming console today is no longer the gaming console we played 10 years ago. It is more and more like a PC and in cyberspace it is technologically the same as a PC," he said.

"An important motivation for hackers is the size of a user base. With its popularity in the United States and other countries, Xbox is definitely a temptation."

Compared to Windows-based personal computers, a Windows-based Xbox could be more vulnerable due to a lack of anti-virus and firewall protection, Tang said.

Nobody would consider setting up a firewall and installing anti-virus software on a gaming console. The entire burden of security has rested on the shoulders of Microsoft.

Though the software giant has been quite good at network security, it cannot guarantee 100 per cent safety to all its users, Tang said. "There are always backdoors and weaknesses that can be exploited."

Sony suffered a Waterloo of a security breach in 2011 with its PlayStation 3 console. Hackers infiltrated its PlayStation Network and obtained the personal information, including credit card details, of more than 70 million subscribers.

Though there has not been an incident of similar scope on Xbox, Microsoft may not be aware of a breach if a hacker bypasses its server and enters a console directly, which is possible if the hacker knows the console's IP address, according to Tang.

Ironically, because the Xbox and other gaming consoles are banned in the mainland market by the government, which worries about their negative effect on children, Chinese Xbox users on the mainland could be less vulnerable to privacy leaks than their peers in other countries.

Most of them had disconnected the console from the internet to play pirated games which, though illegal, reduced the risk of privacy leaks, according to Tang. "The Chinese government would have fewer issues to deal with than the US government because of its ban on video gaming."

Dr Shiuhpyng Shieh, director of the Taiwan Information Security Centre, said it was "very possible" that the Xbox One would be hacked by individuals or organisations with a clear target or objective in mind, because the Windows operating system was known for its security weaknesses.

"The hackers can always find a way in. Though the Windows in Xbox might be a watered-down version of the desktop version, their nature should be the same."

Shieh said that individual hackers might have good skills, but they could have considerable difficulty in succeeding due to the task's high demand on manpower, time and financial support.

"I don't think a hacker who tries it for fun or interest would generate much damage. Even if he succeeds, the privacy leak would be limited to a few families because he will not have time or energy to do more," he said.

"My biggest concern is some organisations or governments targeting a specific person, such as a high-profile politician or military commander.

"If that happens, it could become a national security issue."