Hacking online games a widespread problem
It will likely come as no surprise to anyone familiar with virtual worlds and online games that they can be hacked. But what might come as a shock is the sheer breadth of types of exploits that are possible.
That was the broad message of a Thursday panel called, appropriately, “Exploiting Online Games” at the RSA 2009 security conference here.
Moderated by Gary McGraw, CTO of software security consulting firm Cigital and an author of several books, the panel took the audience on a deep dive into the diverse ways that hackers and others have figured out to either skim real money or to gain game play advantages not available to normal players.
McGraw opened the panel with a brief explanation of the fact that there are real, functioning economies in virtual worlds and online games, and that players cash in their virtual goods for real money, to the tune of more than $1 billion a year. This, of course, is old news to those in game playing circles, but for many of the security experts in the room, it may well have been eye-opening.
And, McGraw said, it’s the very fact that real money is at stake that often gets otherwise uninterested game players to pay attention to the security risks they face every day.
“There’s a whole bunch of normals (those not steeped in knowledge about computers) using games, and they don’t care about security,” McGraw said. “But they like their stuff, (and) when their stuff gets taken, that really hurts the hell out of them. That’s a way to start a conversation about computer security with normals, because almost everybody knows somebody who plays online games.”
The first panelist to present was Greg Hoglund, the founder of Rootkit.com and the CEO of the consulting firm, HBGary. He explained that online games are regularly under attack by two discrete types of cheats: exploits–actual bugs in games that clever hackers have figured out how to mine in various ways, and bots, which are essentially automated macros that can be used to perform mundane tasks again and again and again, and very profitably.
The bugs, Hoglund said, often exist “at the borders of systems,” and are used for things such as duplicating gold, or leveraging poor synchronization between back-end databases to extract money out of a game economy or even to gain teleportation powers that otherwise don’t exist.
Hoglund also recalled a security expert who figured out a hack that allowed him not only to filch Second Life users’ virtual currency–which is directly convertible to US dollars–but also to get ahold of users’ credit card information and then use it to buy more of the currency to trade in. That exploit, Hoglund explained, was done only to prove that it could be done, but it underlined some of the significant risks facing players of online games and virtual worlds with functioning economies, as well as the publishers of those titles.
Hacking Disney
Aaron Portnoy, a researcher with Tippingpoint security research, took the microphone next and talked briefly about his experiences hacking the Python code of the Disney online game, Pirates of the Caribbean. He explained that because Python is a dynamic language, he and a colleague had needed just a couple of days to reverse-engineer all of the game’s code, and were able to use their exploit to get their in-game characters to do things that were otherwise impossible.
During a panel on exploiting online games, Tippingpoint’s Aaron Portnoy talked about how he and a colleague discovered that Disney’s online game Pirates of the Caribbean was written in Python, a language that allowed them to reverse-engineer the game’s code in just two days. The result was that Portnoy’s character was able to fly high in the sky, whereas everyone else in the game was limited to jumps of just four feet high.
RSA 2009
For example, Portnoy said, he was able to easily get his character to jump high in the air, while the standard maximum jump was just about four feet. Or, to jump out of a pirate ship, walk on water at a speed faster than sailing ships in the game could travel, and attack at will.
“Everybody could see my guy jumping over buildings for miles,” Portnoy said.
