
The rising threat of the video game hackers

"I've worked with studios where an unsuspecting employee has clicked on a malicious link in an email, and this resulted in the attacker gaining full access to the dev team's code repository."

Simon Parkin, Contributor

November 11, 2016


In the days following the launch of Pokémon Go in July this year, the augmented reality smartphone game, which encourages players to step outside of their homes and walk the streets in search of monsters, became an international phenomenon. Within seven days more people were playing Pokémon Go during a 24-hour period than logged on to Twitter.

Not everyone was able to get the game to work, however. The story at the time went like this: Pokémon Go’s preposterous success had drawn more players than developer Niantic’s servers could bear. “Demand may well have been too high,” one outlet suggested when reporting that players around the world had experienced the game freezing and refusing to allow them to log in.

This was not, however, the whole truth.

Almost as soon as the game launched, hackers began to build an army of bots, digital golem-like entities which would play the game in their stead, farming Pokémon and claiming Pokestops in order to beat the competition. “We discovered hidden variables in the game that dictated the ‘perfectness’ of Pokémon,” explains Maxime Griot, a young French hacker. “Our bots could thus capture the most perfect version of each Pokémon.”

Armed with this information, the hackers could employ strategies to gain experience more quickly than human players. “We could reach levels that are theoretically impossible for regular players,” he says.

Pokémon Go’s intrepid hackers soon found a way to beat not only chance, but also geography. While regular players were required to physically visit a location in order to hunt its indigenous creatures, the hackers’ bots were able to jump to any location in the world, where they’d be able to capture rare creatures that only appeared in those places.

While much of the mainstream and specialist video game media repeated the story of a game’s launch hampered by unrivaled demand from human players, Griot, who now works as an Anti-Cheat Engineer at Bethesda Softworks, knew the truth: Pokémon Go’s servers were being hammered, not by people, but by robots. In late August Niantic began to quietly threaten the creators of publicly available bots with legal action.

In recent years, the use of cheat bots has become a plague on many online video games. This kind of cheating rose to prevalence in MMOs like World of Warcraft, where time-squeezed or bored players would employ bots to ‘grind’ mobs, automatically farming experience points to raise their avatar’s level.

Human players grew used to having to share virtual real estate with bots, which would pursue their goals with the unmistakable single-mindedness of a machine. Once the number of bots in a virtual world reaches a certain point, however, the game's ecosystem can collapse.

“Bots can make a game unplayable by gathering all the available resources before players can get to them,” explains Griot. “This can kill a game. When a massive amount of bots are playing a game, it’s more disruptive for a game company than almost any other form of hacking attack.”

Bots are just one way in which hackers can fiddle with the fabric of a game’s reality in order to gain an advantage. Hackers are often able to find ways to give FPS players an inhuman advantage, creating and selling cheats that, for example, allow unscrupulous players to automatically score headshots in competitive matches, or to shoot through the scenery.

It can be alarmingly simple for a dedicated hacker to inject code into a live game in order to give themselves (or the people they sell their cheats to) an unfair advantage over other players. It is common practice not to encrypt network traffic during gameplay, so as not to impact the game’s performance, and unencrypted traffic allows an attacker to modify the data sent between the game and the server during a session. If no other checks are being carried out on the server side, a cheat has the keys to the virtual kingdom.
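The server-side checking mentioned above, as an added example that is not code from the article or from any game it names: the server treats every client position update as untrusted and rejects replayed sequence numbers and travel faster than an assumed speed ceiling. The `Update` fields, the `MAX_SPEED_MPS` value and the sample coordinates are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000
MAX_SPEED_MPS = 40.0  # assumed ceiling (~144 km/h); a real game tunes this

@dataclass
class Update:
    player: str
    seq: int     # client-supplied sequence number
    t: float     # server receive time in seconds, never the client's clock
    lat: float
    lon: float

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

class MovementValidator:
    def __init__(self, max_speed=MAX_SPEED_MPS):
        self.max_speed = max_speed
        self.last = {}  # player -> last *accepted* Update

    def check(self, u):
        if not (-90 <= u.lat <= 90 and -180 <= u.lon <= 180):
            return "reject:bad_coordinates"
        prev = self.last.get(u.player)
        if prev is not None:
            if u.seq <= prev.seq or u.t <= prev.t:
                return "reject:replayed_or_stale"
            dist = haversine_m(prev.lat, prev.lon, u.lat, u.lon)
            if dist / (u.t - prev.t) > self.max_speed:
                return "reject:impossible_travel"
        self.last[u.player] = u  # rejected updates never advance server state
        return "accept"

def demo():
    # Constructed sample session for one player (not real traffic).
    v = MovementValidator()
    updates = [
        Update("p1", 1, 0.0, 48.8584, 2.2945),      # first fix, Paris
        Update("p1", 2, 60.0, 48.8590, 2.2950),     # ~75 m in 60 s: walking
        Update("p1", 3, 120.0, 35.6586, 139.7454),  # Tokyo one minute later
        Update("p1", 2, 180.0, 48.8591, 2.2951),    # old sequence number resent
        Update("p1", 4, 180.0, 48.8595, 2.2955),    # plausible step from last accepted fix
    ]
    return [v.check(u) for u in updates]
```

Because the decision is made from state the server already holds, it still applies when the client or the traffic between client and server has been modified.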

“The most commonly used attack vector for hackers is reverse engineering,” explains Griot, who learned how to program when he was fourteen years old. After moving to Los Angeles from France, he began to hack online games to work on private servers, in order to avoid having to pay monthly subscription fees.

He even made money while a student by releasing major games early, on private servers, and asking for donations. “Understanding how the client works and how the server replies is the easiest way to tamper with the game,” he says. “Once you understand the data, it’s trivial for hackers to write bots or bypass security mechanisms client side.”

For Ian Reynolds, one of Britain’s leading online security consultants who has been responsible, in the past, for testing the Queen’s network security at Buckingham Palace, the risks to game developers posed by hackers are far more substantial than a plague of bots or cheaters. “Many games are now equipped to handle financial information to purchase add-on packs. This financial information is the prime target for criminal gangs,” he says.

In 2011, for example, Sony was the subject of the largest cyberattack yet seen, when the names, addresses, dates of birth, email addresses and log-in details of an estimated 77 million people around the world were stolen from PSN.

“If an attacker is able to modify the game’s source code, they will be able to inject malicious code into the game that could even redirect the user to a fake page to enter their credit card details when making a payment.” 

In 2016 the majority of attacks are launched for financial reasons. DDoS attacks, whereby someone aims a deluge of artificial traffic towards a server in order to take it offline, have been particularly prevalent. Often these attacks take place in the school holidays, when so-called script-kiddies are bored and want to cause a bit of online vandalism. But increasingly, DDoS attacks are being used as a way to threaten organizations into paying a ransom fee while the criminal gang knock their game servers offline for hours at a time. 

“For large organizations like Sony or Microsoft these types of attacks have a devastating effect for revenue,” says Reynolds. “With many games now offering subscription services or bolt-on packs, bringing the servers down can very quickly create a large deficit in revenue through users being unable to make purchases. Credit card chargebacks also present a significant cost to games companies during periods of downtime, as users often take the opportunity to force a refund through their credit card due to them being unable to access the services they've paid for.”

In recent times, a third, more personally malicious kind of attack has been aimed at individual game developers. In 2014 Phil Fish, founder of Polytron and creator of Fez, became a target for hackers and harassers when his personal details were published, and his company’s servers broken into and looted. The hackers stole and published Fish’s emails, passwords, banking information and other records, forcing the Canadian designer to flee his home. 

“Developers should be encouraged to lock down social media accounts and online forums, so that very minimal information is contained about them in the public domain,” says Reynolds. “The less information that is disclosed in the public domain about an individual, the less likely it is that open source intelligence gathering techniques will expose information that could be useful to an attacker in furthering a doxing attack.” Two-factor authentication, as well as ensuring the use of different passwords across different accounts, is crucial to security for game developers, especially those who suspect they might be a target.

While the attack on Fish was intended to threaten and frighten him, other developers, such as Valve, have had their servers broken into and looted in the past by over-eager fans wanting privileged information about forthcoming projects. “One of the biggest threats to organizations at the moment is client-side exploitation,” says Reynolds, who often tests the security of company buildings themselves.

For example, he will sometimes walk up to the smoker’s entrance of an institution dressed as a deliveryman carrying a large box, in the hope that someone will open the door for him, allowing him to bypass security. Once inside the building Reynolds will look for an unused meeting room and attempt to gain access to the network and then further the attack by compromising the Windows domain or surrounding infrastructure.

“Malicious links or files in emails are still the most popular attack method used by criminal gangs and malicious individuals as a method of breaching the perimeter defenses of organizations to gain access to the internal network,” he says.

“I've worked with a number of studios where an unsuspecting employee has clicked on a malicious link in an email and this has resulted in the employee's workstation being compromised, with the attacker gaining full access to the code repository that’s used by the development team.”

The impact of this scale of security breach to a software development company is massive. Months of coding can be lost in an instant when the source code is leaked and distributed online, while an opportunity is then available to the attacker to inject malicious code into the source code of the game that will directly affect the end-user.

“While in most cases, anti-virus and in some cases the operating system itself will block malicious code in the end-user's machine, code may be introduced to games that could allow sensitive information to be siphoned off through man-in-the-middle attacks where the data can be harvested by the criminal gang.”
 
Despite an increasing awareness of the risks posed by organized hackers to video games and their makers, Griot, who has worked on both sides of the battle, believes that the cheats and thieves have the upper hand. “The hackers are winning right now,” he says.

“Game companies refuse to invest enough in the relevant technologies. Spending millions of dollars on a game to see the game fail because of a cheap bot or hack is avoidable. The creators of online games need to care about security ahead of time and not just a couple of months before release.”

About the Author(s)

Simon Parkin

Contributor

Simon Parkin is a freelance writer and journalist from England. He primarily writes about video games, the people who make them and the weird stories that happen in and around them for a variety of specialist and mainstream outlets including The Guardian and the New Yorker.
