Video Games as an Attack Surface

Introduction

Video games are truly intriguing pieces of software. They are built with cutting edge technology and employ some of the most wild and innovative logic, all while being artistically expressive and generally entertaining.

I have always been a fan of video games and can truthfully (albeit cornily) say that they have brought me where I am today. Video games served as an accelerant for my interest in computer systems, software, and security. In fact I may never have made the leap from mere scripting and web language to proper object-oriented programming had I not been dead set on coding my own video game cheats. And when one of my creations gained popularity, a strongly worded email from a small game studio scared me straight and helped encourage me to pursue a more ethical hacking career.

However, when most video game players hear “hacking” in the context of their favorite game, they only think of cheaters. Cheaters in multiplayer games may not be directly attacking their fellow players in a technical way, but they are attacking the game’s infrastructure and logic. However, it is becoming increasingly clear that hopping into a video game lobby with strangers can be a security risk. Inspired by this recent report on a botnet being spread through a 0day in Counter Strike’s multiplayer environment, I thought I’d share my experience and thoughts on the attack surfaces of video games, and video games as an entire attack surface of their own.

Ethics and Motives of Video Game Hacking

Like many other young and impressionable kids, when I first started hacking video games I only did it for the lulz. When the hit sequel to the popular iOS game “Jelly Car” was released in 2009, people scrambled to shave seconds off of their run times and make it to the top 10 worldwide leaderboard for each level. I thought it would be hilarious to boost past them with a time so ridiculous that they’d scratch their heads and wonder how it happened. So I poked around, managed to edit the level data files, and scored a record breaking 0.00001 seconds on all the levels.

Jelly Car was a fun little racing game with soft-body physics

I know from many of the peers that I met in game hacking communities and forums that this “for the lulz” sentiment was not only common, but almost exclusive. After all, we were attracted to video games for fun. A similar ideology that I encountered, was that “it’s just another way to play the game”. Anyone could have opened up those level files from Jelly Car, edited the coordinates of the finish line, and claimed that top spot. Armed with this logic, many video game hackers feel as though they’ve outsmarted the other players and for a while I failed to see how truly grotesque that mentality was.

Obviously, as I grew up I started to define a proper moral compass and saw the flaws in my misguided logic. Today, I absolutely love playing competitive video games like Counter Strike in an entirely legitimate manner and feel the same anguish I once caused whenever I encounter a cheater.

CS:GO (the only game I play these days) with in-game hacks enabled

Not everyone, however, moves on. From my experience, one thing became clear: hacking video games is a gateway drug. You find yourself learning the same techniques used by blackhats in other fields, and who better to teach you? You wander into communities with moral code akin to the wild west. You may be tempted at the sight of financial gains or your curiosity might get the better of you. So it was no surprise to me when I read that the authors of the massive Mirai botnet had been motivated by hacking Minecraft. Originally, they just DDoS’d Minecraft servers but eventually expanded their market when they saw how much cash there was to be made.

I was once acquainted with a small hacker group known as BassCode that was also a part of the Minecraft scene. At first, they had relatively good intentions, as far as hacking intentions can go. They exposed people that were charging money for Minecraft cheats that they hadn’t coded themselves. They were “skid” busters. But eventually, they just started cracking all of the premium cheats and leaking private video game exploits. And now, looking at their website’s archive.org data over the past 8 years shows a deterioration into doxing, racism, defacing, and database dumps.

The Scope of an Attack on a Video Game

A majority of hackers in video games are using in-game exploits. Much like my editing of the Jelly Car data, they are manipulating the software or the communication between their game and a central server in order to change the gameplay. Their actions are usually confined entirely to the game in progress.

This isn’t a necessary limitation, however. Let’s take a look at the “Belonard” trojan that was recently propagated through Counter Strike servers. It’s end goal and ultimate functionality was to edit a config file of the game in order to promote certain servers by placing them at the top of the list. It’s slightly more complicated than that, but there really wasn’t any motivation beyond driving traffic to their game servers. This hacker had a 0day exploit that gave them user-level disk read/write capabilities and they chose to use it only for in-game effect. No ransomware, no backdoors, no keylogger, just a meager financial and popularity boost that really never left the scope of the game.

Promoted servers being hacked into a game's list (Credit Dr.Web)

In similar fashion, the slimey BassCode crew that I mentioned earlier started adding what was known as a “lastlogin stealer” to the Minecraft hacks that they were cracking and releasing. While I cannot say with certainty that nothing else was injected, they were initially caught using the full user-level read/write privileges inherited by Minecraft to collect a single file that contained the decryptable credentials of the currently logged in Minecraft account. Another case of in-game hackers venturing out of the game and into the private data of another player just for game-related gain.

Video Games as an Attack Surface

We used to tweak our game client's code to avoid rendering dropped items and then drop thousands of individual items in front of someone else to crash their game

Video game data gets weird. Very rarely are we exposed to so many different types of data that originate from an untrusted peer. Whether its updating the coordinates of an in-game box that you’ve decided to move, the creation and direction of a bullet projectile, or announcing to an entire Minecraft server that you just instantly dropped 2560 diamond swords on the ground, your actions have an incredibly varied impact on other people’s software.

And yes, I know what you’re thinking. Video game servers do have security. Client data gets sanitized, verified by the server, and it’s all transported in predictable, custom designed packets. Sometimes, video games have peer to peer data transfer but usually your game is getting all of its data from a trusted server. However, just because the server is trusted, doesn’t mean the content should be. In similar fashion, XSS attacks are most effective when placed on a trusted website.

I believe that a more significant blackhat attack distributed through video games will happen in the near future. It won’t take long for a video game hacker to realize that they can do so much more damage than promoting their custom servers or for a traditional blackhat to see the potential exploits in old video games.

Gamers hold onto their favorite games dearly, and many old multiplayer games have thriving online servers without receiving any updates in years. Major game design companies have recently been proving to the community that they will do absolutely anything to squeeze revenue from fans and discontinuing updates for games but keeping them online as revenue streams is not going to be rare. Security-conscious people would never open an untrusted PDF file with a 5 year old version of Adobe Reader, but may not think twice about booting up their favorite old game and playing with strangers.

One thought on “Video Games as an Attack Surface

Leave a Reply

Your email address will not be published. Required fields are marked *