Some of the most complex software being developed today is for the $100+ billion video game market. Not only are games attractive for consumers, but they also present a lucrative, high-visibility target for hackers. So, how secure is the video game industry — or rather, how much attention is being paid to security throughout the development process?
The gaming industry operates differently than other industries in that there is an inherent understanding that video game software will not only be attacked but that its security mechanisms in place will fail at some point. For instance, games will be pirated and there will be users who are determined to find a means by which to cheat. If flaws in the software exist, gamers will most certainly find them and manipulate them if for nothing else but curiosity or attention.
Examine every angle and plan accordingly
It is for this reason and this understanding on the part of the industry that game developers plan for what to do if an attack is successful—in other words, having an incident response in place from the start. For example, removing client control, locking down the software, encrypting memory and other strategies that firms should include in such plan to mitigate potential attacks. Contingency mechanisms around economic or social consequences (e.g., user or account bans) should also be in place in the event that these measures aren’t enough.
With a history of pushing the boundaries of software security, it would appear that the video game industry has every reason to lead the pack. For instance, a greater emphasis on intellectual property may necessitate digital rights controls such as anti-piracy mechanisms where most development groups may not have this requirement. To do so, firms within the video game space have developed complex copy protections and anti-debugging software. This also supports the mechanisms to combat an explosion of cheating techniques that arose from the dawn of multiplayer gaming, digital currency, and loot-based gaming.
Consider varied security mechanisms
Let’s now examine a few actionable takeaways that other industries can glean from the gaming space. There are a number of security features that should be implemented into software that has access to sensitive data or sensitive functionality.
The first feature to note is that of server-side checks. Client-side security is a common point of failure. The video game industry has learned this lesson the hard way over the years. Many video game development companies check periodically with a server they control to validate that modifications haven’t been made to the game and everything is performing as intended. In addition, server-side anomaly detection has been paramount to combat these efforts as well. For instance, you can’t score 45 goals over 5 seconds in an ice hockey game.
Next, we need to consider over-the-air updates, another common attack vector. A plan must be in place for patching vulnerabilities as soon after they’re identified as possible. A mandatory update is clearly preferable when it comes to security issues as long as it can be justified in coordination with the user experience. However, it has to be tempered with proper integrity checks as a forced update mechanism can be abused just as easily.
Anti-debugging (or other forms of execution integrity) is another security feature that cannot be ignored. If attackers are able to run through the code line by line, there’s an increased chance that they’ll be able to find a way to modify it to their benefit. Execution integrity is a strong strategy in preventing hacks and preventing the software from being used as a vector for potential malware attacks.
Obfuscation is another important security mechanism; however, it’s one that isn’t focused on stopping attackers, but rather delaying them. It serves a few purposes. It can be used to make runtime modification more difficult in combination with anti-tampering or force an additional security control for proper operation (e.g., a cryptographic key via security dongle). In many cases, there is a “golden ratio” between the skill required to modify a piece of software and the amount of attention it attracts which is based on visibility and complexity. Obfuscation is a tactic that can keep less-experienced attackers guessing for quite some time, but depending on the target, may entice more experienced reverse engineers to give it a go. The value proposition is, if it can “protect” a piece of software through an initial release window (a few months or so), then it was worth the investment. As a result, the optimal strategy for a stakeholder (be it a developer or publisher) to consider is protection that is “just complex enough” to keep out most lightly skilled attackers and hearty enough to delay more dedicated groups until the release window has expired.
It should also be noted that the video game industry in general has opted for a commoditization model when it comes to these protections, in most cases, via prepackaged mechanisms. While there’s nothing inherently wrong with relying on prepackaged security mechanisms or reaching out to vendors for prebuilt obfuscation tooling — and in a lot of cases it’s perfectly fine for most projects — the industry still faces a considerable challenge when shifting security left in the development process, getting teams to perform their own analysis, and knowing when to make these decisions or build something themselves. This isn’t a challenge that goes away at this maturity level or level of need and is a major challenge for the video game space.
Learn from experience and improve accordingly
Security is a trade-off. Users want to best experience and the fastest, shiniest features available. And yet security is an important feature that shouldn’t be considered to be a compromise. At the end of the day, the only way to minimize the cost of adding security to the product is to incorporate it from the very beginning of the development process. Strategizing which techniques to implement and making them work in harmony with the user experience and product functionality is key.
The video game industry is most assuredly a leader, with decades of experience developing solutions to the challenges they’ve met along the way. They understand that the best way to protect revenue and reputation is to proactively build security into the software development life cycle. It’s also important to note that they are not exempt from the challenges of communicating and putting best practices in place at every level. Any organization building or consuming software should encourage their respective industry to move in a similar direction.
Mario Mercaldi is an associate principal security consultant at Synopsys where he specializes in video game security. He holds an M.A. in Computer Science and IT Entrepreneurship from Brandeis University.