The Computer Weekly Developer Network this weekend features a guest post from Paco Hope at software security firm Cigital on the subject of the specific types of hacks suffered by online gaming sites — and what games developers need to do to make their software more resilient to attacks.
TECHNICAL NOTE: Common attacks include aimbots, triggerbots, radar hacks and texture hacks that are specific to this industry segment.
The worldwide video game market is a multi-billion dollar market, generating an estimated £58 billion of revenue in 2013 — however, only about 20% of released games generate any profit and cheating is one reason for this. Games that don’t do enough to protect players from “cheating” risk alienating and restricting their potential pool of players.
Security in gaming helps protect the integrity of the gaming experience and the revenue that comes with it.
This is a subject close to my heart and to that of my colleague, technical manager Amit Sethi, so we’ve shared our views on what it looks like to do the right amount of security in gaming.
Regardless of the business model – from single/multi-player packaged games to multiplayer online and freemium games – most are built in some form of client/server architecture.
It’s a fair game
A perfectly fair game would make all decisions centrally at the server, never trusting the client at all (since a cheating player can change how his or her local system works). In reality, however, such a naïve design cannot be implemented in a practical way.
Games need to provide immediate feedback to user inputs. There isn’t enough time for the server to receive the inputs (“fire!”), make decisions (“did I hit?”), and respond to the player quickly enough (“you missed”). Instead, game servers trust game clients to handle many parts of the game experience that players shouldn’t see.
Moreover, game servers often trust game clients to adjudicate outcomes.
This is called a “client-side trust” problem. Unfortunately, given the high latency and low bandwidth of many players’ network connections, this will be part of games’ designs for many years.
How do people exploit these trust issues?
Attacks range from simple “lag switches” to complex hardware and software attacks.
A “lag switch” adds artificial slowness to a user’s network connection, which can delay other players’ actions in the user’s game client, giving the user an unfair advantage. People use cheating programs that modify game clients and data files on disk and in memory. They intercept and modify messages between their game client and the game server. They modify their operating systems and device drivers. They even modify hardware; for example, to repeatedly send an input (“fire!”) faster than a player ever could.
Perfect aim, but you’re going to hell for this
The ultimate goal of many hacks is to gain an unfair advantage. For example, an “aimbot” ensures that a weapon always aims perfectly; a cheater can use “texture hacks” to make walls invisible and enemies brightly coloured.
This ain’t a scene, it’s an arms race
Defending against these attacks is complex and, in the real world, amounts to something of an “arms race”.
Cheaters develop attacks; game developers develop corresponding responses. Game developers often defend the integrity of the client’s execution by adding surveillance technology outside the game.
These modules don’t contribute to the game play, but rather monitor the other programs on a user’s PC or device, looking for processes that the developer believes threaten the game’s integrity.
Surveillance programs can create privacy concerns among users, who may not want to send a steady stream of information about their PC and their actions back to the game’s developer. This surveillance approach also represents an after-the-fact approach to securing a game.
Security that is built into a game is more effective.
Since we need to provide real-time feedback to players, we cannot rely on traditional preventative security controls. Detective controls that rely on server-side statistical analysis offer a valuable compromise, helping to identify some cheaters. Players with nearly perfect aim or movement in unusual patterns are candidates for extra scrutiny.
Game operators can act on that information centrally by, for example, banning players.
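As an added illustration (not code from the article or from Cigital), here is a minimal server-side detective control of the kind described above: it aggregates per-player accuracy and queues extreme outliers for review. The match records, `MIN_SHOTS`, `THRESHOLD` and the choice of a median/MAD outlier score are all assumptions made for this example.

```python
from statistics import median

# Constructed sample data: (player, shots_fired, shots_hit) per match,
# as recorded by the server rather than reported by the client.
MATCHES = [
    ("ana", 120, 31), ("ana", 98, 27),
    ("bo", 140, 45), ("bo", 110, 30),
    ("cy", 90, 22), ("cy", 130, 41),
    ("dee", 105, 29), ("dee", 115, 36),
    ("eli", 100, 33), ("eli", 125, 35),
    ("fox", 110, 106), ("fox", 95, 93),  # near-perfect aim over many shots
    ("gus", 4, 4),                       # perfect, but too few shots to judge
]

MIN_SHOTS = 50    # assumed: below this there is not enough evidence
THRESHOLD = 6.0   # assumed: robust z-score that triggers extra scrutiny


def accuracy_by_player(matches):
    """Aggregate per player and return {player: (total_shots, accuracy)}."""
    totals = {}
    for player, fired, hit in matches:
        if fired < 0 or hit < 0 or hit > fired:
            # More hits than shots is impossible; reject the record outright.
            raise ValueError(f"impossible record for {player}: {hit}/{fired}")
        f, h = totals.get(player, (0, 0))
        totals[player] = (f + fired, h + hit)
    return {p: (f, h / f) for p, (f, h) in totals.items() if f > 0}


def flag_for_review(matches, min_shots=MIN_SHOTS, threshold=THRESHOLD):
    """Return players whose accuracy is an extreme high outlier."""
    stats = {p: acc for p, (shots, acc) in accuracy_by_player(matches).items()
             if shots >= min_shots}
    if len(stats) < 3:
        return []  # no meaningful population to compare against
    med = median(stats.values())
    # Median absolute deviation: unlike the mean and standard deviation,
    # it is not dragged upward by the cheaters we are trying to find.
    mad = median(abs(a - med) for a in stats.values())
    scale = 1.4826 * mad or 1e-9  # 1.4826 makes MAD comparable to a std dev
    return sorted(p for p, a in stats.items() if (a - med) / scale > threshold)


if __name__ == "__main__":
    print("candidates for extra scrutiny:", flag_for_review(MATCHES))
```

A flag here is a reason for extra scrutiny rather than proof of cheating, since a genuinely skilled player can also sit far from the median.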
Rich statistics gathering is just one example of a security control that cannot be added to a game easily after the game is launched. Security needs to be built into games early to ensure that a small number of users do not ruin other players’ gameplay experience and steer a title towards that 80% of unprofitable games.
About the author
Paco Hope is a principal consultant with Cigital, Inc. and has 12 years of experience in the security of gaming systems (lottery systems, online gaming, casino gaming devices), web applications, operating systems, and embedded devices (e.g., mobile phones, smart cards).