Developers versus Cybercriminals: Protecting your MMO from online crime
Patrick Wyatt, En Masse Entertainment
Copyright March 2010 by En Masse Entertainment. This document is distributed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States. Please see http://creativecommons.org/licenses/by-nc-nd/3.0/us/ for further details.
Please note: this presentation differs from the one I gave at GDC 2010 by the inclusion of my notes in additional slides. All other content remains the same.
MMO profit potential - notes Everyone is aware of the amount of money that has been made by a few standout titles in the MMO space, and consequently there’s a lot of interest in challenging those front-runners by making a great game that users will love. But you can spend $30-70 million making a great MMO that users love to play that still won’t be successful unless you’re prepared to face a challenge that's unrelated to making a fun game: hacking. The problems associated with hacking can destroy the fun of your online world, cause paying customers to leave in rage, and result in billing fraud issues that can ruin your business.
Background
Credits:
- Warcraft: Orcs versus Humans
- Warcraft 2: Tides of Darkness
- Warcraft 2: Beyond the Dark Portal
- Diablo
- Diablo 2
- Starcraft
- Starcraft: Brood War
- battle.net
- Guild Wars Prophecies
- Guild Wars Factions
- Guild Wars Nightfall
- Guild Wars: Eye of the North
- Aion
- TERA (releasing early 2011)
http://www.mobygames.com/developer/sheet/view/developerId,1019/
Threat modeling / attack surface If you read security literature it seems incredibly abstract, with discussions about minimizing the “attack surface” exposed to hackers, but few practical examples about what to look for or how to fix the problems. This presentation is an attempt to eliminate the disconnect between the theoretical approaches and the problem we’re trying to solve: stopping hackers from ruining our games!
Game hacking Hacking games is as easy as it was 20 years ago when I began hacking in earnest. My earliest successful attempt at game hacking was with a game called Armor Alley on the Macintosh. It was a hybrid 2D, side-scrolling helicopter simulator (similar to ChopLifter) coupled with a real-time strategy component where ground-units (infantry, tanks and anti-aircraft guns) could be purchased for cash. By simply changing the amount of cash in memory I was able to buy as many units as I liked and trivially win the game. But more to the point, I could do the same thing in a two-player game! It would have been easy for the developers to ensure that the other player’s computer validated that purchases were legal, and that the opponent was making a purchase that was backed up by money already in the account, but apparently it wasn’t considered important. The developers of Modern Warfare 2 seem to have taken the same approach to game hacking: ignoring it. Given that aimbot, wallhack, speedhack, field-of-view-hack, and many other hacks have been developed since the invention of First-Person Shooter games, they apparently spent little time developing solutions. Perhaps the most egregious hack was one where the hackers *tried* to get killed; every time they were killed by another player, instead of that player getting rewarded with kill-points, they would lose 800,000 points from their kill-score! This is simply a failure on the part of the developers. At the same time, since their game sold $1 billion dollars worth of product (perhaps more by the time you read this), it may not be critical for FPS games. In an online virtual world game, where our goal is to attract and *retain* players for long periods of time, stopping hacking is (apparently) more important.
How did my early attempts fare? With my early knowledge of game-hacking, and a Computer Science degree to my name, I thought I would be able to do a good job of preventing game exploits, but hacks affected my early attempts too. Warcraft (more specifically, Warcraft 1, Warcraft 2 and Starcraft, which all used the same engine) has a fully-synchronized network model that is “unhackable”. All actions from each player are simultaneously validated on every computer before they’re allowed to be activated, and invalid actions aren’t permitted. So if a hacker were to alter the amount of gold in his counting-house, while it would register on his own computer, other computers would disallow purchases which attempted to use the illegal gold. Unfortunately it turns out that, because every computer knows the entire state of the world in order to be able to validate player orders, it also means that it is possible to peek into the game state to see what the other player is building, how many units he has, and where they’re deployed, effectively destroying the fog-of-war that makes the game particularly hard (and fun). This is known as an information disclosure vulnerability, and means that the game needs trusted referees to be played securely. Another problem is creating a game-desynchronization bug to avoid a loss. If there are two computers in the game and they disagree about the state of the game, the only recourse is to throw away the results. Diablo was originally going to use the same network model as Warcraft, which would have prevented some amount of in-game cheating, but it was basically impossible to retrofit a secure networking model onto what was basically a giant hack to begin with. Consequently I had to invent what I now refer to as a “loosely synchronized network model”, where the first player who visits a level becomes the “level master”, and is responsible for tracking game state and performing some minimal level of validation of player actions.
But because one player’s computer is the level master, that player has godlike powers to modify the game state as well as exploit or even kill other players. Repeated attempts to correct these problems were only moderately effective because the basic network model was flawed.
Hackers – Why do they do it? Rather than thinking about the “attack surface” of the game, I think a good conceptual way to start looking at the problem of hacking is to understand the motivations of hackers. There are lots of reasons that people hack, and we need to focus our efforts on the ones that have deleterious effects on the game-world: griefing, gold-farming and gray-sharding, which I’ll describe in the next few slides.
- Education
- Fun
- Challenge
- Reducing grind
- Causing grief
- Profit
- Outright theft of business
Griefing
Griefers get their jollies causing anguish. No, really!
- Exploiting game system weaknesses
- Exploiting network protocol weaknesses
- Exploiting operating system weaknesses
Griefing Notes Griefers like to make players angry; that's how they have their fun. Unfortunately their behavior is incredibly detrimental to the community, game stickiness and player longevity. Victims of griefing are more than unhappy; they can be so enraged they quit the game in anger. The behavior is so common it’s known as “rage-quitting”. Here are some methods that griefers have used to annoy gamers:
1. Exploiting game mechanics:
- Spamming messages in chat channels to overwhelm legitimate chat.
- Substituting worthless or inexpensive items for valuable ones during trades.
- Blocking access to areas players would like to visit.
- Monopolizing game markets to prevent players from purchasing items they need.
- Many, many more.
To address these types of exploits it’s necessary to hire designers who think about griefing. In fact, hiring one or more griefers on the design team will likely make for a better play experience for players because those designers will be more aware of the exploits of the systems they’re creating. Ultimately, play mechanics must be designed with the idea that players will attempt to exploit the game.
2. Exploiting game programming weaknesses:
- Send messages that appear to be from another player or from the server.
- Flood other players’ Internet connections to overwhelm their network router.
- Send messages that are designed to crash the game client or even the operating system. It was possible to send the so-called “Ping of Death” to Windows 95 computers that could crash the computer, and many games have similar bugs.
- Overwhelm servers with computation ("gray goo" in Second Life).
It’s necessary for the programming team to develop strong network protocols that validate every message that’s sent to the server, and to ensure that client systems in peer-to-peer games can differentiate between messages sent by different players using a cryptographically secure mechanism.
3. Meta-griefing or large-scale hacking:
- Distributed denial-of-service attack (Aion was attacked on launch day by determined hackers who tried to flood it off the ‘net).
- Slowloris: too many connections from one or more computers.
These types of hacks can be considerably more difficult to deal with, and can require coordinated efforts on the part of the development and network operations teams.
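The “cryptographically secure mechanism” for telling players’ messages apart in a peer-to-peer game, as an added example (not code from Diablo or any other game named in this talk). The assumed design is that the matchmaking server hands every pair of players a shared secret; each peer then tags the messages it sends to a given peer with an HMAC over the sender id, a sequence number and the payload, so a third player cannot relabel his own messages as someone else’s, and a recorded message cannot be replayed. Player names, payloads and the key-distribution helper are constructed for the example.

```python
"""Per-player message authentication for a peer-to-peer session.

Added example; the matchmaking server's role (issuing pairwise secrets) is
assumed, and the players and payloads are constructed."""
import hashlib
import hmac
import secrets


def issue_pairwise_keys(players):
    """What the matchmaking server is assumed to do: one secret per pair.
    keys[p] is the bundle player p receives; it holds no other pair's secret,
    so p can authenticate to each peer but cannot impersonate anyone."""
    keys = {p: {} for p in players}
    for i, a in enumerate(players):
        for b in players[i + 1:]:
            key = secrets.token_bytes(32)
            keys[a][b] = key
            keys[b][a] = key
    return keys


class Peer:
    def __init__(self, me, my_keys):
        self.me = me
        self.keys = my_keys                      # peer id -> shared secret
        self.seq = 0                             # monotonically increasing
        self.last_seen = {p: 0 for p in my_keys}  # highest seq accepted per peer

    @staticmethod
    def _mac(key, sender, seq, payload):
        data = f"{sender}|{seq}|{payload}".encode()
        return hmac.new(key, data, hashlib.sha256).digest()

    def send_to(self, recipient, payload):
        self.seq += 1
        return {"from": self.me, "seq": self.seq, "payload": payload,
                "mac": self._mac(self.keys[recipient], self.me, self.seq, payload)}

    def receive(self, msg):
        """Validate before acting on the message; returns a short verdict."""
        sender = msg.get("from")
        if sender not in self.keys:
            return "unknown sender"
        expected = self._mac(self.keys[sender], sender, msg["seq"], msg["payload"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad mac"                     # forged or tampered
        if msg["seq"] <= self.last_seen[sender]:
            return "replay"                      # already processed
        self.last_seen[sender] = msg["seq"]
        return "ok"


def scenario():
    """Constructed three-player session: a genuine message, the same message
    replayed, and a message carol relabels as coming from alice."""
    keys = issue_pairwise_keys(["alice", "bob", "carol"])
    alice, bob, carol = (Peer(p, keys[p]) for p in ("alice", "bob", "carol"))
    genuine = alice.send_to("bob", "buy:footman")
    first = bob.receive(genuine)
    replayed = bob.receive(genuine)
    forged = carol.send_to("bob", "sell:everything")
    forged["from"] = "alice"                     # carol has no alice-bob secret
    return first, replayed, bob.receive(forged)


if __name__ == "__main__":
    print(scenario())
```

The sender id is part of the MAC input, so changing the “from” field alone also fails verification; the sequence number gives replay protection per sender and is cheap enough for a real-time game. What this does not provide is confidentiality, which is the separate “good crypto to forestall listening attacks” point later in the notes.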
Why griefing is so pernicious
- Victims are mad and may leave the game = loss of revenue
- It costs money to provide help to griefing victims = customer support costs
In addition to the loss of revenue that occurs when victims of griefing drop out of your game, it can cost more money when the Customer Support department is called in to help with the problem.
Gold Farming Notes
$1B – $10B industry with many negative effects:
- Economic inflation
- Game exploitation
- Chat spam
- Billing Fraud
- Phishing
- Account Theft
- Physical Goods Theft
Gold Farming The next major area of hacking I’d like to address is gold farming. It's big business:
- 400,000 - 1,000,000 professional gold-farmers worldwide
- Somewhere between $1 - $10 billion dollar industry; potentially higher revenues than the game business!
Why gold farming is a problem:
- Economic inflation: games lack enough cash outflows because renting and leasing aren't "fun"; we're not playing Papers & Paychecks.
- Design ideas have to be watered down because of the risks of exploitation by players.
- Perception that rewards aren't earned diminishes the bragging rights associated with owning those rewards.
- Gold farmers are in business to make money, and have no scruples about breaking terms-of-service and criminal laws:
  - Account theft
  - Masquerading as a figure of authority, like a GM
  - Phishing emails, use of similar URLs, theft of account databases
  - Fraudulent credit card and other payment methods
  - Theft of physical goods (trailer trucks of game boxes)
There is no disincentive to stop: because they generally live in countries with minimal intellectual property rights (e.g. China, Russia, etc.) there are no criminal charges or fines; the only disincentive is the inability of the hackers to generate revenue and turn a profit.
Gold Farming: even worse than you think Why gold farming is so pernicious: It costs money to help players get their accounts back Players who have been hacked are mad at the company and may leave Fraud costs money:
Financial transaction costs - credit-card and other payment fees are non-refundable; the company eats it
Prevention costs - licensing and per-transaction fees; technology integration and management costs
Loss of customers who appear to be fraudsters (false positives)
High chargeback rates lead to high fines (six figures or more) or revocation of the ability to take payment
The console business model is based around a short shelf-life, but sales are critical to the life-cycle of MMOs because they need to continue to attract customers to stay healthy. Because games stay on retail shelves for such a short period of time, if the company can't sell the game online the game will die a certain death.
Gold-farming solutions
Stopping the supply of illegal gold:
- Device fingerprinting
- Proxy detection
- Phishing site detection and takedown
- Transaction review
- Telephone verification
- Shipping address verification
- Two-factor authentication
- Analytics: Banning players who “fit the profile” of gold farmers
There are no easy solutions to stopping the *gold-supply* problem; it requires a substantial effort by an experienced security team that stays on top of phishing sites, tracks bot rings, reviews billing transactions, and analyzes player behavior to eliminate suspected gold-farmers from the player-base. Further, it’s necessary to consider how to reduce the risk that players lose their accounts to gold-farmers, so looking into solutions like two factor authentication using security tokens or mobile phone apps that can generate “one time passwords” (OTP) is a good idea.
Gold-farming solutions A novel solution used in Eve Online is to reduce the “demand-side” part of the gold-farming problem; it’s called PLEX, which stands for Pilot License Extension. CCP Games allows players to purchase time-cards (using real-world money), and those time cards can be traded in the game world for gold (actually ISK in Eve). By creating a legitimate and safe market to purchase gold, players will use that market instead of resorting to the illegal market with all its attendant risks, including credit card fraud, phishing, and the risk of account ban. For more information on PLEX, check out these articles:
Gray Sharding
Problem: theft of server binaries or code
- Mir and Lineage 2 binaries
- Half Life 2 and Lineage 2 source
- Infocom floppy disks!?!
- Rewrite of Aion server
Solutions:
- Physical security
- Separate development network
- Two factor security for dev/ops
- Datacenter security/TPM
- Be nice to employees
Gray Sharding Notes Gray shards (also known as “private servers”) are game worlds that are run by criminals for their own profit. Based on estimates of player populations, it’s likely that there are more gamers playing Lineage 2 on gray shards than there are playing on legitimate servers. Criminals get access to server binaries through a variety of methods; it’s the job of the game development and operations teams to ensure that they close these loopholes to prevent their game from leaking:
Theft from the datacenter. Lineage 2 binaries were stolen when a datacenter employee walked out with a mirrored hard drive.
Theft of the game source code. Valve Software lost the source code to Half Life 2 via a Trojan program sent via email.
Theft from the development studio. A million years ago when games were still released on floppy disks, armed robbers stole one of Infocom's text-adventure games immediately prior to its commercial release.
Some considerations regarding physical security
Consider isolating the development network, which contains source code and binaries, from the Internet.
Require that operations staff use two-factor authentication when accessing servers to reduce the likelihood of Trojan attacks against datacenters.
Use TPM chips on hardware to encrypt the contents of hard-drives so that their theft doesn’t allow hackers to get access to code and/or binaries.
Be nice to your employees! Based on the employment horror stories that seem to be commonplace within the game industry, the possibility of leaks from disaffected employees is quite high. Employees should receive meaningful profit incentives tied to the success of their games and the development/publishing studio so that they’re partners in the success of the game.
Real live problems
- Guild Wars “comps” exploit
- Guild Wars trader arbitrage
- Lineage 2 SQL injection
- Aion Chat Spam
- Aion “account services” site (phishing)
- PlayNC password reset “birthday” vulnerability
- Guild Wars fansite account database theft
- RockYou account database theft
- Brute force attack against common password choices
- Sarah Palin well-known information attack
- Theft of credentials by “power-leveling” services
- Single sign-on weakest link attack
- Network protocol sniffing on shared networks
- Trojan player via Flash vulnerability
- Guild Wars network-fuzzing attack
- Gaming the support department
Real live problems: notes Guild Wars “comps” exploit
A hacker discovered that the components (“comps”) used to craft an object were only properly validated on the game client; the game server’s validation code contained a bug which would allow the creation of new items without all the necessary components. It should have been the case that all of the validation code was on the server, and none on the client, as the client code masked the vulnerability.
Guild Wars trader arbitrage
A failure of the server hosting the matchmaking service required that the operations team spin up a new server. Because there was no operations manual for creating a new matchmaking server, no one knew that the “trading service” needed to be initialized with the same data as all of the other live trading services. Consequently the European trading server had radically different pricing information than other servers, and players, in the best imitation of Wall Street traders, arbitraged the pricing difference. Three hours later it was necessary to roll back the game database because there was so much gold injected into the world economy. Failures: lack of good operational procedures, poor choices in the design of the trading service, no tools to automatically detect trade imbalances. Successes: database backup and rollback procedures were successful in restoring game state after an outage.
Real live problems: notes Lineage 2 SQL injection
In-game forum postings were not properly validated to prevent SQL injection; hackers from a Russian IP address were able to delete the databases of Lineage 2 servers in North America and Europe, necessitating a database restore. Failures: never, never, never construct SQL statements using string concatenation; use parameterized SQL – it’s been around since like forever! A similar issue existed in Aion character names during beta; new development teams seem doomed to repeat the mistakes of their predecessors – learn from others!
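The concatenation defect and the parameterized fix side by side, as an added example (not Lineage 2 or Aion code). It uses an in-memory SQLite database as a stand-in for the forum store; the table, column names and the hostile post body are constructed. SQLite’s `execute()` refuses stacked statements, so the vulnerable path uses `executescript()` to stand in for drivers that accept several statements in one call.

```python
"""Forum-post storage: string-built SQL beside the parameterized form.

Added example; schema and the hostile post are constructed."""
import sqlite3

HOSTILE_BODY = "lol'); DROP TABLE posts; --"   # constructed attacker input


def make_db():
    """Stand-in for the game's forum database, seeded with one post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.execute("INSERT INTO posts (author, body) VALUES (?, ?)", ("gm", "welcome"))
    db.commit()
    return db


def insert_post_vulnerable(db, author, body):
    """The defect: user text is spliced into the SQL, so a quote in the body
    ends the string literal and whatever follows runs as SQL. executescript()
    stands in for any driver that accepts stacked statements."""
    sql = ("INSERT INTO posts (author, body) VALUES ('"
           + author + "', '" + body + "')")
    db.executescript(sql)


def insert_post_safe(db, author, body):
    """The fix: placeholders. The driver passes values separately from the SQL
    text, so the body is stored verbatim and is never parsed as SQL."""
    db.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body))
    db.commit()


def posts_table_exists(db):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'posts'"
    ).fetchone()
    return row[0] == 1


def stored_bodies(db):
    return [r[0] for r in db.execute("SELECT body FROM posts ORDER BY id")]


def demo():
    """Returns (table survived concatenation?, table survived placeholders?,
    rows stored by the safe path)."""
    unsafe_db = make_db()
    insert_post_vulnerable(unsafe_db, "troll", HOSTILE_BODY)
    safe_db = make_db()
    insert_post_safe(safe_db, "troll", HOSTILE_BODY)
    return (posts_table_exists(unsafe_db), posts_table_exists(safe_db),
            stored_bodies(safe_db))


if __name__ == "__main__":
    print(demo())
```

The same rule applies to character names, guild names and anything else that ends up inside a query; the placeholder form costs nothing and removes the whole class of bug.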
Aion Chat Spam
Why do Korean games imported to the West have huge problems with chat spam? Because in Korea people who play games are required to enter their citizenship ID number, which can be validated in real-time against a government registry. Players who misbehave are banned and can no longer play, but at the expense of having a strong government ID number, something abhorrent to many Westerners because of the potential for misuse by the criminals and the government (if that’s not redundant). Since chat-spam isn’t a problem in Korea, the developers haven’t spent the effort to develop strong anti-spam tools. This problem is eminently foreseeable, but requires that the development team is willing to implement appropriate solutions proposed by the local publishing organization.
The fundamental issue for Western games is to shorten the path to detecting and eliminating problem users. If it takes an hour for a report to make it through the petition-queue before a player is banned, he will already have had time to create another account to start spamming. It’s necessary to look at solutions that can immediately eliminate the problem.
Further, players must have tools to regulate the problem; if a player can’t squelch someone annoying the only alternatives are to accept the behavior or go somewhere else, maybe even out of the game. We don’t want that, right?
Real live problems: notes Some meta-game vulnerabilities used by hackers
Brute-force password guessing against authentication servers using multiple source computers and multiple destination login servers. Solution: you *did* implement rate-limiting, didn’t you?
Finding the weakest link for single sign-on services; there may be many different login gateways and one has weak authentication or rate-limiting. Solution: make sure all authentication gateways share a common pathway that monitors and prevents rapid account attacks.
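A login limiter shared by every gateway, as an added example covering the previous two items (not code from any of the games in this talk). The limiter keeps failed-attempt counters per account and per source address in one place, so spreading guesses across login servers and source addresses does not reset the count; in production that store would be a shared cache or database (assumed), here it is in-process. The gateways, account, addresses and limits are constructed.

```python
"""Shared login throttling across several authentication gateways.

Added example; the credential check and the counter store are stand-ins."""
from collections import Counter, defaultdict, deque


class SharedLoginLimiter:
    def __init__(self, per_account=5, per_source=50, window=60.0):
        self.per_account = per_account   # failed tries per account per window
        self.per_source = per_source     # failed tries per source IP per window
        self.window = window             # seconds
        self._by_account = defaultdict(deque)
        self._by_source = defaultdict(deque)

    def _prune(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def allow(self, account, source_ip, now):
        aq, sq = self._by_account[account], self._by_source[source_ip]
        self._prune(aq, now)
        self._prune(sq, now)
        return len(aq) < self.per_account and len(sq) < self.per_source

    def record_failure(self, account, source_ip, now):
        self._by_account[account].append(now)
        self._by_source[source_ip].append(now)


class LoginGateway:
    """One of several front ends; every instance consults the same limiter."""

    def __init__(self, name, limiter, check_password):
        self.name = name
        self.limiter = limiter
        self.check_password = check_password  # real credential check assumed

    def login(self, account, password, source_ip, now):
        if not self.limiter.allow(account, source_ip, now):
            return "throttled"
        if self.check_password(account, password):
            return "ok"
        self.limiter.record_failure(account, source_ip, now)
        return "denied"


def simulate():
    """Constructed scenario: three gateways; an attacker rotates gateways and
    source addresses while guessing one account, then sprays many accounts
    from a single address. Returns a Counter of outcomes per phase."""
    limiter = SharedLoginLimiter()
    creds = {"alice": "correct-password"}            # constructed
    check = lambda acct, pw: creds.get(acct) == pw
    gateways = [LoginGateway(f"gw{i}", limiter, check) for i in range(3)]
    ips = [f"203.0.113.{i}" for i in range(4)]       # RFC 5737 documentation range

    targeted = Counter()
    for i in range(20):
        gw, ip = gateways[i % 3], ips[i % 4]
        targeted[gw.login("alice", f"guess{i}", ip, now=float(i))] += 1

    spray = Counter()
    for i in range(60):
        gw = gateways[i % 3]
        spray[gw.login(f"user{i}", "123456", "198.51.100.7", now=100.0 + i)] += 1
    return targeted, spray


if __name__ == "__main__":
    print(simulate())
```

Per-account throttling has a cost the slide’s question hides: it lets an attacker lock a victim out by failing on purpose, so a real gateway pairs it with delays or a step-up challenge rather than a hard lockout, and still logs every throttled attempt for the security team.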
Steal database with passwords stored in plaintext (compromised RockYou database contained 32 million passwords). Solution: use the SRP-6a password storage algorithm, puh-lease.
Password guessing against known accounts using common passwords (10% of users in one game I worked on used trivially weak passwords). Solution: like Twitter, you should disallow users from choosing weak passwords like “1234567”, “qwertyioup” and “password”.
Phishing: copy a real site and steal user credentials. Solution: your security team will need to seek out and report phishing sites daily.
Host a game forum and try logging in using the same credentials in the game. Solution: consider two-factor authentication.
Steal the accounts of users who sign up for your “power leveling” service. Solution: tell users to change their passwords after power-leveling; we don’t *want* them to power level, but like kids having sex, it’s gonna happen – do you want your high school kid to be pregnant, or use a condom?
Listen on unsecured channels; some networks (college networks, for example) are weak. Solution: make sure you’re using good crypto to forestall listening attacks.
Use password reset process to get new password, because users many times choose bad password reset “hint” questions. This hack was used successfully to exploit Sarah Palin’s account; the hacker answered a security question about her mother's maiden name. Solution: try to select questions with answers that can’t be guessed by hackers using Google.
Scam other players by making modifications to the trade window. Solution: call out modifications to the trade window! Show players the estimated value of the trade they’re making (both what they’re giving and what they’re getting).
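A trade window that does what the solution asks, as an added example (not Guild Wars or Aion code): any modification to either side clears both players’ acceptances and is announced, and each player is shown the estimated value of what they give and what they get before they accept. Item names and values are a constructed price table; in a real game the estimates come from market data.

```python
"""Trade session where every change resets both acceptances.

Added example; items, values and the scam scenario are constructed."""
from dataclasses import dataclass, field


@dataclass
class Item:
    name: str
    est_value: int                # gold; stand-in for market-derived estimate


@dataclass
class Offer:
    items: list = field(default_factory=list)
    gold: int = 0
    accepted: bool = False

    def value(self):
        return self.gold + sum(i.est_value for i in self.items)


class TradeSession:
    def __init__(self, player_a, player_b):
        self.offers = {player_a: Offer(), player_b: Offer()}
        self.completed = False
        self.notices = []         # what both clients are told to display

    def _other(self, player):
        return next(p for p in self.offers if p != player)

    def _changed(self, player, what):
        """Every modification clears BOTH acceptances and is called out."""
        for offer in self.offers.values():
            offer.accepted = False
        self.notices.append(f"{player} {what}; acceptances cleared")

    def add_item(self, player, item):
        self.offers[player].items.append(item)
        self._changed(player, f"added {item.name}")

    def remove_item(self, player, name):
        offer = self.offers[player]
        offer.items = [i for i in offer.items if i.name != name]
        self._changed(player, f"removed {name}")

    def set_gold(self, player, amount):
        self.offers[player].gold = amount
        self._changed(player, f"set gold to {amount}")

    def summary(self, player):
        """Shown to `player` before accepting: what they give and what they get."""
        give, get = self.offers[player], self.offers[self._other(player)]
        return {"give_value": give.value(), "get_value": get.value()}

    def accept(self, player):
        if self.completed:
            return False
        self.offers[player].accepted = True
        if all(o.accepted for o in self.offers.values()):
            self.completed = True
        return self.completed


def scam_attempt():
    """Constructed: the seller swaps the item after the buyer has accepted."""
    t = TradeSession("seller", "buyer")
    t.add_item("seller", Item("Crown of Storms", 50_000))
    t.set_gold("buyer", 40_000)
    t.accept("buyer")                              # buyer accepts the fair deal
    t.remove_item("seller", "Crown of Storms")
    t.add_item("seller", Item("Crown of Storms (replica)", 5))
    t.accept("seller")                             # tries to close with the swap
    return {"completed": t.completed,
            "buyer_sees": t.summary("buyer"),
            "buyer_accepted": t.offers["buyer"].accepted,
            "notices": t.notices}


def honest_trade():
    t = TradeSession("seller", "buyer")
    t.add_item("seller", Item("Crown of Storms", 50_000))
    t.set_gold("buyer", 40_000)
    t.accept("buyer")
    return t.accept("seller")
```

Because the swap cleared the buyer’s acceptance, the trade cannot complete until the buyer looks at the window again, where the summary now shows 40,000 gold going out and an item worth 5 coming in.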
Don’t implement input filtering: UNICODE BOM (byte-order-mark character) crashed GW; smiley character crashed Aion. Solution: implement strong parameter validation, and perform “server fuzzing attacks” against your own servers to detect flaws.
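Parameter validation for chat text plus a small fuzzer that throws malformed input at a message handler and counts crashes, as an added example (not Guild Wars or Aion code). The two sample handlers, the length limit and the set of rejected Unicode categories are assumptions; the fixed fuzz cases are constructed to include exactly the kinds of input the slide names, a byte-order mark and a smiley.

```python
"""Chat-message validation and a fuzzer for the message handler.

Added example; handlers, limits and inputs are constructed."""
import random
import unicodedata

MAX_CHAT_BYTES = 512
# Unicode general categories the server refuses: control, format (which
# includes the U+FEFF byte order mark), surrogate, private use, unassigned.
FORBIDDEN_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn"}


class RejectedInput(ValueError):
    """The one exception a validating handler is allowed to raise."""


def naive_handle(raw):
    """A handler with the kind of bug the slide describes: it assumes ASCII,
    so a BOM or a smiley raises an unhandled exception."""
    return raw.decode("ascii").strip()


def validated_handle(raw):
    """Hardened handler: every check turns bad input into RejectedInput."""
    if len(raw) > MAX_CHAT_BYTES:
        raise RejectedInput("too long")
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        raise RejectedInput("not valid UTF-8") from None
    for ch in text:
        if unicodedata.category(ch) in FORBIDDEN_CATEGORIES:
            raise RejectedInput(f"forbidden code point U+{ord(ch):04X}")
    return text.strip()


def fuzz_cases(rounds, seed=1234):
    """Constructed inputs: BOM-prefixed text, a smiley, a truncated multibyte
    sequence, an embedded NUL, an over-long message, an empty message, then
    random byte strings from a seeded generator."""
    fixed = [b"\xef\xbb\xbfhello", "\u263a gg".encode("utf-8"), b"\xe2\x98",
             b"hi\x00there", b"x" * (MAX_CHAT_BYTES + 1), b""]
    for case in fixed:
        yield case
    rng = random.Random(seed)
    for _ in range(rounds):
        yield bytes(rng.randrange(256) for _ in range(rng.randrange(0, 64)))


def fuzz(handler, rounds=500):
    """Returns the number of inputs that produced an unexpected exception."""
    crashes = 0
    for raw in fuzz_cases(rounds):
        try:
            handler(raw)
        except RejectedInput:
            pass                    # clean rejection is the desired outcome
        except Exception:
            crashes += 1            # anything else would take the server down
    return crashes


if __name__ == "__main__":
    print("naive:", fuzz(naive_handle), "validated:", fuzz(validated_handle))
```

Rejecting the whole format category is a policy choice (it also drops zero-width joiners used in some emoji sequences); the point is that the decision is made once, in one validator that every message passes through, and that the fuzzer is run against that validator before players get the chance to.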
Even more compromises:
Session fixation vulnerability: if you don’t know what it is, read up.
Accounts hacked via Flash vulnerability; Guild Wars web site updated to detect obsolete Flash version and suggest that users upgrade.
The support department can be gamed by hackers just like users; make sure that the support team keeps notes on players so they can give customers good support, but detect when they’re being repeatedly socially-engineered by a bad-guy.
Two Factor Authentication: not a panacea
Two Factor Authentication: notes When I first prepared this presentation I was prepared to talk about an unexploited weakness of two-factor authentication, but in the four weeks since writing the talk (and delivering it to a test-audience of University of Washington students) a cybercriminal had already implemented and successfully deployed an attack program. It’s not a true “man-in-the-middle” exploit of two-factor authentication. Instead, the hacker manages to get a Trojan program installed on a gamer’s computer, and that program intercepts the security value intended to be used to authenticate the user, redirecting it to one owned by the hacker. What we need is two-channel authentication, for example, logging into both the game client and via a mobile phone to securely authenticate through two channels instead of just through two-factors.
Other possible solutions: notes Stop designing exploitables and stop coding bugs?
Blizzard was able to shut down BNetD (a battle.net clone) and WoW Glider (a game automation tool) but it isn’t an ideal solution. Not only is such a solution expensive as well as being ineffective outside of first-world countries, it’s also icky from an ethical perspective: the legal tools used to fight these cases – like the DMCA – have strengthened the rights of corporations at the expense of our rights as citizens.
Other possible solutions: notes Protect the game client using something like GameGuard or Warden?
Here are some examples of problems that have occurred in games that could potentially be defeated with client-side checking:
World of Warcraft validated the altitude of the character on the game client; hackers could bypass that code to stand on tree branches, and fire spells down upon melee characters who couldn’t reach them. Aion validates the speed of animations, like running and sword-swinging, on the game client; by altering the animation speed values hackers could radically increase the rate of characters traveling around the world and the rate at which they can attack enemy monsters.
These hacks are great for griefers, PVP cheaters, and gold-farmers, so it’s obviously necessary to stop them! Let’s try executable packers, anti-debugging code, executable self-validation, in-memory checksums, process-monitoring, registry-reading, and rootkits!
Here are some examples hackers can use to perform speed hack in games that check animation speed on the client:
Alter the return value from the “GetAnimationSpeed” function in the game code (the actual speedhack exploit in Aion). Hack places in the game that use the results of GetAnimationSpeed. Hack the animation data files to alter the animation speed. Change the data-file loader so that speeds are altered when the animation data files are loaded into memory. Set a hardware breakpoint to modify registers that contain the animation speed before it is used. Run the cheat code inside a separate process and periodically alter process memory. Run the cheat code in a rootkit or inside the processor hypervisor to make it undetectable. Don’t allow the monitor code to scan for alterations; modify page table entries so that the monitoring code "sees" the original, unaltered code, but the processor reads the modified (hacked) code.
Well shoot, all those mechanisms are invasive of users’ privacy, lead to system crashes, create false positives when working with some keyboard/mouse drivers, drive virus detectors crazy, and aren’t even successful at stopping the problem. See, detecting hacking is asymmetric warfare: hackers can hack all they want, but developers have to figure out how to detect and then prevent the hacking. In the meantime hackers can come up with new methods!
Other possible solutions: notes Use an authoritative server!
The right approach to solving game hacks is to use an authoritative server. For example, if the server is aware of – and enforces – animation timing, then modifying values on the client system ultimately has no effect.
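What “the server is aware of and enforces animation timing” looks like in code, as an added example (not Aion or WoW server code). The client only reports positions and swings; the server checks each report against the speed and attack interval it holds for that character and the time elapsed since the last accepted report, keeps its own position when a report is impossible, and counts violations. Speeds, intervals and the tolerance are constructed.

```python
"""Authoritative server checks for movement speed and attack rate.

Added example; all numbers are constructed."""
import math
from dataclasses import dataclass


@dataclass
class Character:
    x: float
    y: float
    last_move_t: float
    last_attack_t: float = -1e9
    run_speed: float = 6.0         # units/second, from server-side stats and buffs
    attack_interval: float = 1.5   # seconds between swings, server-side stat
    violations: int = 0


class AuthoritativeWorld:
    SPEED_TOLERANCE = 1.15   # slack for latency jitter, not for cheating
    KICK_THRESHOLD = 10      # violations before the session is dropped

    def __init__(self):
        self.chars = {}

    def spawn(self, cid, x, y, t):
        self.chars[cid] = Character(x, y, last_move_t=t)

    def move(self, cid, x, y, t):
        """Accept the reported position only if it was reachable since the
        last accepted one; otherwise keep the server's position (rubber-band)."""
        c = self.chars[cid]
        dt = t - c.last_move_t
        if dt <= 0:
            return "rejected", (c.x, c.y)
        allowed = c.run_speed * dt * self.SPEED_TOLERANCE
        if math.hypot(x - c.x, y - c.y) > allowed:
            c.violations += 1
            return "rejected", (c.x, c.y)
        c.x, c.y, c.last_move_t = x, y, t
        return "accepted", (x, y)

    def attack(self, cid, t):
        """Swing rate comes from the server's attack interval, so whatever the
        client does to its animation speed value has no effect."""
        c = self.chars[cid]
        if t - c.last_attack_t < c.attack_interval:
            c.violations += 1
            return "rejected"
        c.last_attack_t = t
        return "accepted"

    def should_kick(self, cid):
        return self.chars[cid].violations >= self.KICK_THRESHOLD


def compare_clients():
    """Constructed: an honest client moving at 6 u/s and a speedhacked client
    claiming 30 u/s, both reporting every 0.5 s; the hacked one also claims a
    swing every 0.5 s against a 1.5 s interval."""
    world = AuthoritativeWorld()
    world.spawn("honest", 0.0, 0.0, t=0.0)
    world.spawn("hacked", 0.0, 0.0, t=0.0)
    outcomes = {"honest": [], "hacked": []}
    for i in range(1, 11):
        t = i * 0.5
        outcomes["honest"].append(world.move("honest", 3.0 * i, 0.0, t)[0])
        outcomes["hacked"].append(world.move("hacked", 15.0 * i, 0.0, t)[0])
        outcomes["hacked"].append(world.attack("hacked", t))
    return outcomes, world


if __name__ == "__main__":
    print(compare_clients()[0])
```

The tolerance is where design meets security: too tight and lag spikes rubber-band honest players, too loose and a modest speedhack passes. Logging the violation counter per character feeds the analytics described later, so persistent offenders surface even when no single report is far enough out of bounds to kick on its own.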
Note that in some cases you may decide that the extra effort is not required for the game you're making: e.g. games for young kids.
Make systematic measurements of the game environment:
Your game should be instrumented with code that logs “interesting” events. These events can be used to measure the amount of time players participate in various activities, how successful they are at harvesting gold and other resources, how much progress they’re making through the game, and where the most rewarding (and most deadly) areas of the game are. Using this data it is possible to construct reports that evaluate the likelihood that a player is a gold farmer. Make sure that your game is measuring useful information, but not so much that it overwhelms your analytics system. Collecting too much data is just as bad as collecting too little. If your system is spending all its time logging sword-swings you won’t have enough bandwidth left over to analyze the data.
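A report of the kind described above, as an added example (not any studio’s analytics pipeline). The event stream, the thresholds and the scoring rules are constructed; the events are hourly aggregates (gold gained, messages sent, zone visited), not per-swing logs, which keeps the volume in line with the advice above. The output is a list of reasons per flagged player for the security team to review, not an automatic ban.

```python
"""Gold-farmer likelihood report from aggregated game events.

Added example; events, thresholds and scoring rules are constructed."""
from collections import defaultdict

# Constructed thresholds; a real game would tune these from its own data.
THRESHOLDS = {
    "gold_per_hour": 5_000,    # harvest rate well above what play yields
    "hours_per_day": 16,       # longer than a person plays, not longer than a bot
    "chat_per_hour": 1.0,      # below this, the player never talks
    "zones": 1,                # at most this many zones visited
}


def constructed_events():
    """Event tuples: (player, time_seconds, kind, value). One player grinds a
    single zone for 20 hours without speaking; the other plays for 3 hours."""
    events = []
    for h in range(20):
        events.append(("farmer01", h * 3600, "gold", 20_000))
        events.append(("farmer01", h * 3600, "zone", "ore-field"))
    for h in range(3):
        events.append(("casual", h * 3600, "gold", 1_500))
        events.append(("casual", h * 3600, "chat", 15))
        events.append(("casual", h * 3600, "zone", ["town", "forest", "dungeon"][h]))
    events.append(("farmer01", 20 * 3600, "logout", 0))
    events.append(("casual", 3 * 3600, "logout", 0))
    return events


def profile(events):
    """Per-player features: session length, gold rate, chat rate, zones."""
    per = defaultdict(lambda: {"t0": None, "t1": None, "gold": 0,
                               "chat": 0, "zones": set()})
    for player, t, kind, value in events:
        p = per[player]
        p["t0"] = t if p["t0"] is None else min(p["t0"], t)
        p["t1"] = t if p["t1"] is None else max(p["t1"], t)
        if kind == "gold":
            p["gold"] += value
        elif kind == "chat":
            p["chat"] += value
        elif kind == "zone":
            p["zones"].add(value)
    features = {}
    for player, p in per.items():
        hours = max((p["t1"] - p["t0"]) / 3600, 1 / 60)   # avoid divide-by-zero
        features[player] = {
            "hours": hours,
            "gold_per_hour": p["gold"] / hours,
            "chat_per_hour": p["chat"] / hours,
            "zones": len(p["zones"]),
        }
    return features


def score(f):
    """Return the list of profile rules a player's features trip."""
    reasons = []
    if f["gold_per_hour"] > THRESHOLDS["gold_per_hour"]:
        reasons.append("gold rate")
    if f["hours"] > THRESHOLDS["hours_per_day"]:
        reasons.append("session length")
    if f["chat_per_hour"] < THRESHOLDS["chat_per_hour"]:
        reasons.append("no chat")
    if f["zones"] <= THRESHOLDS["zones"]:
        reasons.append("single zone")
    return reasons


def report(events, flag_at=3):
    """Players tripping at least `flag_at` rules, with the reasons, for review."""
    flagged = {}
    for player, feats in profile(events).items():
        reasons = score(feats)
        if len(reasons) >= flag_at:
            flagged[player] = reasons
    return flagged


if __name__ == "__main__":
    print(report(constructed_events()))
```

Requiring several independent signals before flagging is what keeps the false-positive cost (the “loss of customers who appear to be fraudsters” from the gold-farming slide) under control; a single hardcore player will trip the session-length rule, but rarely all four.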
Other possible solutions: notes Prepare to correct bugs rapidly using rapid build iteration and deployment:
I spent approximately one year (spread out over the development cycle) working on the build server, build tools, file-packing tools, revision-control-system integration, delta-file-patching, file-servers, game-server loaders and other components associated with building and deploying Guild Wars, and other programmers contributed substantial efforts in building additional components (delta-compression libraries, art-processing tools, etc.). But this work enabled the GW dev team to correct a defect in the source code, initiate a build process, and have the build deployed to end users in roughly five minutes. We averaged approximately 20 builds per work-day over the almost four-year external alpha test cycle prior to the launch of the game. We got really practiced at writing and deploying code “live” to users. This enabled us to avoid “patch paralysis”, which prevents some teams from correcting defects: the team fixes a bug, puts the patch into a full test-cycle, then fixes another bug, restarts the test-cycle, etc. I’ve seen some patches take months to release due to this cycle.
Be prepared to roll back your game database when you discover a serious exploit!
You must have regular, reliable reports about the state of the game world and its associated economy. These reports must be read on a regular basis; you can’t come in Monday morning and discover that it’s necessary to roll the game back to Friday night, as it will piss off your users!
If your operations team hasn’t practiced a rollback, the likelihood is that you won’t be able to roll back; your backup process is probably broken.
Other possible solutions: notes You must read security advisories for the software your company is using!
Curse.com was recently exploited because they were using out-of-date forum software that had a known (published) security advisory.
Some software is buggier than others (I’m looking at you, PHP); make sure that you stay current.
Think about protecting players from common mistakes exploited by hackers!
Don’t allow the use of common passwords
Make sure that security questions actually provide some security
Protect user information diligently with good information-security policies, strong cryptography, and good operational practices.
Conclusion
- To ensure success you must prepare for failure: expect to be hacked
- Your security team needs to see into all areas of the business
- Security through obscurity is not security
- Defense in depth
- Continually monitor and improve game security; it’s never “done”
Good luck!
Developers vs. Cybercriminals is a case of co-evolution. As gazelles run faster, cheetahs adapt or die. We similarly have to expect that criminals will evolve their methods. And, as the German general von Moltke said "no battle plan survives first contact with the enemy.”