Gaming Industry Cybersecurity Risks and How to Prepare for Them

By Usman Altafullah, Sr. Security Engineer

Increasingly, games and gamers are being hit by cyberattacks in the video gaming sector. This spans PC, mobile, and console gaming alike, although attacks are more frequent against PC gamers due to the streamlined approach of developing code-based hacking algorithms to target PC architecture.

Adding to the danger, the covid pandemic has put further demands on developers to ensure their systems are secure and hardened to inhibit would-be attackers from infiltrating critical systems and manipulating system functionality.

The gaming industry grossed $175.8 billion in 2021, which is a slight drop of 1.1% from 2020 ($177.8 billion) but is projected to surpass 200 billion by 2023. The pandemic affected PC and console sales due to supply chain shortages, mobile device sales have increased and are continuing to trend upward to capture more than half of the global games market.

This growth is one of the reasons hackers and malicious actors seek gamers, game developers and gaming companies as targets of hacks and to disrupt their mission operations.

Gaming Attack Vectors

Attack vectors and methods will vary to suit the target. They range from social engineering and impersonation to directly injecting malicious code and data into system files to assume control.

Hackers are continuing to become increasingly sophisticated, stealthier, and bold. Unfortunately, developers and game studios have stagnated in the protection of their infrastructure and the integrity of their intellectual property.

Game developers face a unique challenge that other industries do not, that is, they depend on sales to gamers to stay in business. Big industry companies like Target, Home Depot, JP Morgan Chase, Oracle, and others straddle multiple target demographics. In contrast, game developers depend on gamers.

A popular quote in the gaming industry is “a delayed game is eventually good, but a rushed game is forever bad.” At its core, this approach conflicts with the ethos of game development as a delayed game is often the death knell for a company that has invested heavily in a product.

This constant tug and pull between stakeholders and game developers has caused endless strife that have resulted in what is known as “vaporware” i.e., a product that exists in thoughts and minds alone and never makes it to the cutting room floor.

To avoid the negatives of vaporware, game developers are frequently asked to cut content and features by senior management to ensure deadlines are met and the product can be released to meet an announced deadline.

Like other System Development Life Cycles (SDLC), game developers follow the same process. This includes quality testing, patch management, security, and testing evaluation (ST&E) and other portions of the SDLC.

If game developers are not precise with their bug fixing and vulnerability analysis, bugs and glitches and other unpredictable actions can, and do, develop when the game is released to the public.

Hacking Gamers is Nothing New

The sophistication and the level of privilege escalation and remote code execution that is being developed by hackers, however, coupled with the oversight of bug and coding vulnerabilities is evolving at a rapid pace.

According to SecureList (the official blog from Kaspersky Labs, a leading cybersecurity provider) the total number of users who encountered gaming-related malware between July 1, 2020 – June 30, 2021, was 303,827 with 69,244 files distributed as trojan horses under twenty-four of the most played games.

Due to the architecture of PC and mobile devices, unwanted applications and dangerous malware can infiltrate and propagate leading to the loss of not only credentials but also cryptocurrency.

A total of 50,644 users attempted to download 10,488 unique files disguised as the ten most-played mobile games, generating a total of 332,570 detections in July 2020 through June 2021.

The apex of where cybersecurity meets development has not yet been achieved but is ongoing.

We posit that, to avoid serious hacking attacks, when it comes to vulnerability and risk reporting, gaming industry developers must abide by the standards and practices set forth in other industries.

They must reveal known and detected vulnerabilities so that they can be mitigated, discussed, and resolved with little impact to players who then spread them to a wider group.

One model that could work is the Microsoft “bounty program.” Developers and engineers can submit identified and discovered flaws and bugs and then submit them in a direct channel to Microsoft for mitigation and resolution. This works well for identifying problems with Microsoft’s products. It could do the same for gaming companies.

Developers, to ensure quotas and timelines are sound, often skim on bug testing in hopes that players will submit the bugs through standard bug reporting mechanisms (often implemented within the game itself).

This can be an additional vulnerability in that gamers are not being held to a higher standard and can freely report the bug or exploit it as they see fit, with no tether to the developer to do right by other standard but brand loyalty.

The most recent example of a hacker attempting to coordinate with a developer before executing a more public hack is the Remote Code Execution (RCE) vulnerability plaguing the online severs for the role-playing games, Dark Souls: Remastered, Dark Souls 2 and Dark Souls 3.

Some background: An RCE allows an attacker to remotely run malicious code within the target system on the local network or over the Internet. Physical access to the device is not required. An RCE vulnerability can lead to loss of control over the system or its individual components, as well as theft of sensitive data.

The individual in question reached out to the developer about this known bug and was ignored. This exchange took place in a popular chat tool gamers use called “Discord” and the screenshot that was captured is from that source and the Discord channel.

According to an article in The Verge, the developer, Bandai-Namco and FromSoftware were reportedly told about this RCE hack and ignored the individual reaching out to them. The individual then preceded to hack a popular Twitch streamer during a live stream to bring attention to the nature of the RCE vulnerability.

A community driven effort was launched to inhibit hacking. It was developed and presented as an Anti-Cheat Mod, known as “Blue Sentinel.” Blue Sentinel has since been patched and updated to prevent the RCE exploitation, but only if end users have this mod. Without it, the native game is still susceptible.

The question must be asked: Where is the responsibility of the developer and what must the gaming community, consistently, do to improve the quality of the product?

Bandai/Namco have since shut down the Dark Souls servers for online and cooperative play as the widespread execution of this bug could be disastrous.

If proper risk aversion techniques were implemented (even to the degree of having a bug reporting mechanism that is tracked and monitored) perhaps the servers would not have had to be temporarily shut down.

Discussions about how to address this vulnerability and what to do amongst the players is continuous and ongoing with little feedback from the developer. The Reddit thread for the Dark Souls series has been monitoring the situation and indicated that “only 4 people know about this” with two of them being the two worked on it and the other two being Blue Sentinel developers.

Let’s Prepare for the Inevitable Gaming Cyber Attack

The discourse between cybersecurity communities, game developers and industry leaders need to grow through collaboration and communication. Based on our analysis, the RCE vulnerability is dangerous but cannot be readily exploited.

These potentially crippling vulnerabilities that, if discovered by a malicious actor or a disgruntled gamer, could cause severe damage. Robust cybersecurity reform is not the answer. Nor is waiting for a gamer to exploit that vulnerability to cause irreparable damage.

Instead, we need to act now, in concert, to prevent the inevitable gamer originated cyber-attack before it happens.

As we inch ever closer to a more interconnected cyber world where cyber devices are becoming more sophisticated, we are also granting them all levels of access. Therefore, it is only a matter of time before there will be a gaming cyber disaster as great as those that have hit Target, SolarWinds and the Bank of Bangladesh previously.

But we can prevent the gaming cyber-attack, or at least mitigate the damage if we act now.

Forewarned is forearmed.

References:

    1. https://newzoo.com/insights/articles/global-games-market-to-generate-175-8-billion-in-2021-despite-a-slight-decline-the-market-is-on-track-to-surpass-200-billion-in-2023/
    2. https://securelist.com/game-related-cyberthreats/103675/
    3. https://www.theverge.com/platform/amp/2022/1/22/22896785/dark-souls-3-remote-execution-exploit-rce-exploit-online-hack
    4. https://www.reddit.com/r/darksouls3/comments/s9sd3w/new_remote_code_execution_vulnerability_discovered/
Posted in