[UPDATE]: Jim Alkove, a General Manager for Security in the Interactive Entertainment Business division at Microsoft has sent us a statement:
“We are conducting a thorough investigation into the researchers’ claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers’ claims.
“Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously.”
Credit card data being stored remotely seems as if it would be a simple precaution. Hopefully this means our used console data is safe.
Even if your credit card info hasn’t been stolen from that compromised processor that’s causing such a stir today, it might not be safe if you’ve given away or sold your old Xbox 360.
Kotaku interviewed Ashley Podhradsky, an expert in computer forensics and professor at Drexel University’s School of Technology and professional Studies. According to a study Podhradsky is leading, some personal data is left on the hard drive of an Xbox 360 even if you restore it to factory settings.
“Microsoft does a great job of protecting their proprietary information,” Kotaku quotes Podhradsky as saying. “But they don’t do a great job of protecting the user’s data.”
The study was fairly simple, which highlights how easy it is to extract this type of information. The researchers bought a refurbished Xbox 360 from a reseller that was authorized by Microsoft. They then downloaded a modding tool, freely avaliable on the the internet, and used it to hack the console, giving them access to the console’s file system and, eventually, the previous owner’s credit card information.
This exploit isn’t exclusive to an Xbox hard drive. In general, when a file is deleted, the data that the file was based on doesn’t disappear – it simply becomes available to be written-over. Without a program to put random data in its place, a file could remain intact indefinitely, and some programs are able to retrieve it. The problem with an Xbox hard drive is that it isn’t easy to hook one up to a computer (to overwrite the data) without the proper tools.
Not surprisingly, Microsoft was unavailable for comment on the issue.
So just be careful who you sell your old 360 to – though it’s unlikely, you could end up with your identity stolen.