Gaming software is notoriously affected by issues such as piracy, ad removal, paywall bypassing or just plain cheating. This article, written by two cybersecurity gaming experts, examines the most common types of attack and what can be done by developers to protect publishers, gamers and content owners from these types of cyber attack.
Earlier this year the online gaming hit Grand Theft Auto fell victim to a hack that saw $1 billion fake dollars flooding into the gaming coffers.
The attack caused huge disruption for Rockstar Games and resulted in the game being taken offline in order to remove the counterfeit cash, prompting countless complaints from disgruntled players. This attack was one of a number of such incidents caused by gaming cheats that threaten to undermine the profitability of the industry.
This article investigates the nature of the most common attacks in the online gaming industry and asks what can be done to more effectively guard against them. And as the industry watches the next big blockbuster, high budget video gaming production – Destiny – build on its global roll-out, we ask why more attention isn’t being paid by games developers and publishers to build security into gaming software as a matter of course.
Let’s begin by taking a look at the challenges for gaming software developers themselves.
Developing a chart-topping online game is no simple task. For example, World of Warcraft contains 5.5 million lines of code and ensuring that each line of code is bug and flaw free is no easy exercise. What’s more, the pressures placed on developers are typically focused around building in extra functionality, or getting the games to market more quickly, rather than ensuring that the code doesn’t offer any open invitations to hackers to exploit software vulnerabilities to their own ends.
Industry analysts Gartner estimate that the worldwide video gaming market was worth an estimated $93 billion in 2013. However, according to another study, only 20 per cent of games realise a profit. One of the main reasons why some 80 per cent of games don’t generate a profit is down to piracy and cheating. But how can gaming companies protect against piracy, cheating and other types of attacks prevalent in the online video gaming market place?
What makes games different?
In order to understand the issues at stake here, it’s important to examine how gaming software is different from other types of software.
Business models for games range from the traditional single/multiplayer packaged games to massively multiplayer online games and freemium games. Regardless of the business model, the majority have a client/server architecture, where the client software runs on the player’s mobile device, gaming console or PC and the server operates remotely interacting with all the players.
Because online games require immediate feedback from the client, there is generally insufficient time for the server to receive the inputs (“fire”), make decisions (“did I hit?") and respond to the player instantaneously (“you missed”). This means that game servers must trust clients to determine outcomes (e.g. whether the bullet hit the target or not). This means that the clients are trusted to play the game according to the rules, with the server not verifying game play in real-time.
Due to the high latency and low bandwidth of many players’ network connections, this design and this element of trust will continue to be the de facto norm especially for massively multiplayer role-playing or first-person shooting online game designs (MMORPG or FPSOG) for the foreseeable future.
Herein lies the problem: players wishing to cheat are able to abuse this relationship of trust in a variety of ways. One example is with a simple ‘lag switch’ which slows down the actions of other players in a user’s game client, and allows the user to steal a march on other players. Cheaters also exploit the client-side trust issues by modifying game clients and data files on disk and in memory and by intercepting messages between the game client and the server.
Clients are trusted to play the game according to the rules, with the server not verifying game play in real-time. But players wishing to cheat are able to abuse this relationship of trust in a variety of ways.
Other techniques include modifying operating systems and device drivers, or even modifying hardware. The end goal is to gain an unfair advantage over opponents. For example, a player may use an “aimbot” that ensures that his/her weapon hits the target every time. Other common cheats are “texture hacks” that aim to make walls invisible and depict enemies in bright technicolour, and “radar hacks” that equip players with radar vision enabling them to see targets beyond the regular field of vision. Cheat programs can even allow players to teleport themselves or fly, by manipulating the character’s location in the local computer’s memory.
Another problem with doing a lot of work on the client side is that the server does not need to do much except keep game clients informed of other game clients’ states. Professional pirates often reverse engineer the client/server communications and create counterfeit servers or “gray shards”; they set up their own communities of gamers, directly stealing revenue from the game publisher. Pirates also make slight modifications to popular video games, rebrand them, and sell them. This also results in revenue loss as gamers may choose to purchase the rebranded video games instead of the original authentic video games.
Another area of revenue leakage for online games is where software licenses are subject to tampering attacks. While some games overcome this by requiring constant connectivity to a server, always-on measures are hugely unpopular with users so routines that verify and enforce licenses are a challenge. Finally, as in-game commerce grows in importance, more and more financial transactions are conducted within the game itself. Unsurprisingly where there is money to be made there are hackers and a growing area of risk and revenue leakage is in preventing billing fraud.
A massive area of growth in gaming that is likely to attract increasing attention by cyber criminals is mobile gaming. According to Gartner, mobile gaming will grow from 15 per cent of the gaming market in 2010 to 20 per cent of the gaming market in 2015, making it the fastest growing segment of all the gaming platforms. Revenue from mobile gaming is set to double between 2013 and 2015 from $13.2 to $22 billion.
One of the largest challenges for a developer in this space is the proliferation of different devices and operating systems available, making the task of developing games tough enough without the added challenge of building in extra security layers. Whilst most mobile devices are based on ARM processors, there are a variety of operating systems including iOS, Android, Palm OS, Windows Phone and others.
Add to this the multiplicity of programming languages available including Java, Objective C and .NET and the need for any game to support 80 to 90 per cent of all these platforms in order to achieve popularity – and the challenge is obvious.
Yet developing a best-selling game requires a huge investment. It’s the special effects, videos and other proprietary IP that contributes significantly to the fun factor and compelling nature of a game. There is also a substantial criminal infrastructure that specialises in selling cheating software and creating counterfeit games. So how can developers prevent their software from being tampered with, reverse engineered and ripped off?
Currently a common way for games developers to protect their software is by adding in surveillance technology outside of the game itself. These additional modules don’t contribute to the gameplay, but instead monitor the other programs that run on a user’s PC or device, looking for processes that might constitute a threat to the game’s integrity. Surveillance programs such as these can create privacy concerns for gamers and are also in reality simply closing the gate once the horse has bolted.
Building security into the game itself early in the development lifecycle is also critical. The need for real-time responsiveness for players makes traditional security controls insufficient.
There are better steps that developers and publishers can take to protect against a variety of attacks from piracy and tampering to just plain cheating and fraud. The challenge of course is in ensuring that these measures don’t detract from the enjoyment factor of the game.
Application hardening solutions such as Arxan’s can help protect the integrity of software without impacting performance significantly or making the developer’s job more onerous. These solutions allow applications to protect themselves by embedding logic that not only defends against code compromise, but also detects attacks and responds appropriately. Small pieces of software known as Guards are inserted into the software binary after the development process is complete to deter hackers. What’s more when they detect an attack they notify a forensic server.
Building security into the game itself early in the development lifecycle is also critical. The need for real-time responsiveness for players makes traditional security controls insufficient. Detective controls, which rely on server-side statistical analysis, offer a valuable compromise.
For example, some cheaters can be identified through statistical analysis. Players with nearly perfect aim or movement in unusual patterns are candidates for extra scrutiny. Game operators can act on that information centrally by, for example, banning players. Rich statistic gathering is just one example of a security control that cannot be added to a game easily after the game is launched.
Combining secure coding best practices with an effective hardening strategy can protect the game against cheating, piracy, reverse engineering and tampering and enforce usage terms without impacting the customer experience in any way.