Microsoft is investigating findings by researchers that its Xbox 360 gaming console permanently stores credit card numbers on its hard drive, creating a potential security vulnerability for card holders.
“We are conducting a thorough investigation into the researchers’ claims,” Jim Alkove, general manager of security for Microsoft’s interactive entertainment business, said in a statement published at Joystiq.
“We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers’ claims,” he added.
The alleged security flaw was revealed by researchers at Drexel and Dakota State universities. The team purchased a refurbished Xbox and used a commonly available software tool to burrow into the file system on the gaming console. It took some sweat equity, but the researchers eventually pried loose the credit card information for the original owner of the Xbox.
“Microsoft does a great job of protecting their proprietary information, but they don’t do a great job of protecting the user’s data,” Ashley Podhradsky, a researcher who helped find the alleged vulnerability, told Kotaku, a gaming Web site.
The researchers, who include Rob D’Ovidio and Cindy Casey, of Drexel, and Pat Engebretson, of Dakota State, released their findings last August, but it wasn’t until stories about their research began appearing on the Internet last week that Microsoft took action on the matter.
Microsoft discounted the researchers’ findings. “Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described,” Alkove stated.
“Additionally,” he continued, “when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously.”
In an abstract of their findings, the researchers explained that gaming consoles, just like PCs, need proper sanitization processes to help fight identity theft. “[Y]ou cannot simply throw away a computer that has your personal data on it without some sort of sanitization process; gaming consoles are no different,” they wrote. “Simply returning your console back to ‘factory state’ will not do the trick.”
“In this research paper the authors aim to bring awareness to the gaming public, researchers and practitioners that improperly discarding used consoles without proper sanitization practices can inadvertently release personal data which can result in identity theft,” they added.
When retiring an old Xbox, the researchers recommend physically removing the hard drive from the console and running a software sanitizer on the drive.
When selecting a tool, they added, it is important to choose one that emphasizes the pattern written on each pass (the write fill), not just the number of passes. “This is imperative to making sure that slack and unallocated space is overwritten,” they wrote.
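The following is an added illustration, not code from the article or from the researchers, of why the recommendation above matters: a toy disk-image model in which a “factory reset” only clears the directory, a file-level overwrite only touches the bytes a file currently claims, and a device-level sanitizer walks every sector with a fill pattern. The `ToyDisk` class, the `SAMPLE-CARD-0000` marker and all sample data are constructed for the example; nothing here models the real Xbox 360 file system.

```python
import re

SECTOR_SIZE = 512
SECTOR_COUNT = 64


class ToyDisk:
    """Constructed model of a drive: sector 0 holds a directory, the rest is data."""

    def __init__(self):
        self.image = bytearray(SECTOR_SIZE * SECTOR_COUNT)
        self.directory = {}   # filename -> (first sector, byte length)
        self.next_free = 1    # first sector available for file data

    def write_file(self, name, data):
        """Allocate whole sectors for the file and copy its bytes in."""
        start = self.next_free
        offset = start * SECTOR_SIZE
        self.image[offset:offset + len(data)] = data
        self.directory[name] = (start, len(data))
        self.next_free += -(-len(data) // SECTOR_SIZE)  # ceiling division

    def factory_reset(self):
        """'Factory state': forget every file, but never touch the data area."""
        self.directory.clear()
        self.next_free = 1

    def shred_file(self, name, pattern=b"\x00"):
        """File-level overwrite: touches only the bytes the directory lists."""
        start, length = self.directory[name]
        offset = start * SECTOR_SIZE
        self.image[offset:offset + length] = pattern * length
        del self.directory[name]

    def sanitize(self, patterns=(b"\x00", b"\xff", b"\xaa")):
        """Device-level overwrite: every sector, allocated or not, once per pattern."""
        for pattern in patterns:
            fill = pattern * (SECTOR_SIZE // len(pattern))
            for sector in range(SECTOR_COUNT):
                offset = sector * SECTOR_SIZE
                self.image[offset:offset + SECTOR_SIZE] = fill


def carve(image, marker):
    """Search the raw bytes for marker, ignoring the directory entirely."""
    return [m.start() for m in re.finditer(re.escape(marker), bytes(image))]


def fully_overwritten(image, pattern):
    """True when the whole image consists of the given fill pattern."""
    return bytes(image) == pattern * (len(image) // len(pattern))


def demo():
    marker = b"SAMPLE-CARD-0000"   # constructed placeholder, not a real card number
    disk = ToyDisk()

    # Original owner's record spans sectors 1 and 2 (629 bytes).
    record = b"owner=alice;" + marker + b";" + b"x" * 600
    disk.write_file("profile.bin", record)
    results = {"written": len(carve(disk.image, marker))}

    # Step 1: a factory reset leaves the record fully carvable.
    disk.factory_reset()
    results["after_factory_reset"] = len(carve(disk.image, marker))

    # Step 2: a new 10-byte file reuses sector 1, then a file-level shred.
    # The marker sits past the new file's length, in slack space, so it survives.
    disk.write_file("note.txt", b"hello new!")
    disk.shred_file("note.txt")
    results["after_file_shred"] = len(carve(disk.image, marker))

    # Step 3: the device-level pattern sanitizer covers every sector.
    disk.sanitize()
    results["after_sanitize"] = len(carve(disk.image, marker))
    results["last_pattern_everywhere"] = fully_overwritten(disk.image, b"\xaa")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Real sanitizers operate on the block device rather than on an in-memory image, but the same distinction applies: the marker survives the reset and the file-level shred because both leave slack and unallocated sectors untouched, and only the pass that writes a known fill over every sector removes it. Checking that the final pattern covers the entire device, as `fully_overwritten` does here, is the simplest verification a practitioner can run afterwards.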