Technology

Game Consoles -- the Next Hacker Target?


Don Kellogg is cheating. Over the last hour he's pumped round after round into camouflage-clad terrorists, and only a few of them have been able to return the favor. "I don't always cheat. I'm pretty good playing straight," he insists. "Cheating makes me a god." As he says this, he pumps three rounds from his Heckler and Koch MP5 into an unsuspecting opponent, bringing his kill count up to 47; his nearest competitor has 21. Kellogg plays under the pseudonym "Nharlothep," and when he cheats, he is indeed a god.

Kellogg is playing Counter-Strike, the most popular game on the Internet. With over 10,000 independently run servers around the world, the game has set the standard for realistic online first-person combat. But for those who know how, cheating can make an ordinary Navy Seal into the Six Million Dollar Man. With his illicit patches installed, Kellogg can move at faster than normal speeds, shoot with near-perfect aim, and see through walls.

And he's not alone. Cheating has become a front row issue in the online world of counter-terrorist combat. There are now literally hundreds of hacks for Counter-Strike, and every time a hole is closed, someone figures out a new way to exploit the system. It's a serious problem for Valve Software, makers of Counter-Strike and the popular sci-fi shoot-em-up Half-Life. Valve spokesman Doug Lombardi says that the company "takes cheating more seriously than piracy." Valve's not alone in their struggle -- other popular games have had similar problems over the years, including Everquest, Ultima Online and Diablo. Last year hackers exploited a weakness in the Diablo II servers to loot other players' equipment and bonus items -- worth real cash on eBay -- forcing developer Blizzard Entertainment to restore the game from a backup copy.

It's into this war of hacking and counter-hacking that Microsoft's Xbox and Sony's Playstation 2 will be thrust this fall, when their consoles join the Internet for the first time.

FEARS OF AN XBOX ARMY.

Microsoft integrated net connectivity into its Xbox right from the start. The Xbox comes with a 10/100 base Ethernet port built-in, making it the first gaming console ever to ship with a standard networking port. Sony will release an add-on for its Playstation 2 in August that will include an Ethernet port and a 56k modem. Nintendo has yet to officially announce its networking plans for the Gamecube, but there are games slated for release on the platform later this year which are designed for online play, most notably Sega's Phantasy Star Online. It's rumored that Nintendo will release a modem for its system this coming October, says Che Chou, editor at the videogaming magazine Electronic Gaming Monthly.

But while the game makers have all discussed launch titles and strategies, the topic of data security has mostly been left untouched. What happens when 10 million game console owners suddenly plug into the Internet?

hellNbak, an IT security specialist from the white-hat hacker group Nomad Mobile Research Centre, worries that massive numbers of Internet-connected Xboxes might be the perfect platform for launching distributed denial of service (DDoS) attacks, if a security hole is ever discovered in the console. "With the assumption that the broadband gaming network is going to catch on like crazy -- if one was able to get DDoS zombies on the millions of Xboxen sold, there might be potential for massive damage," he says.

Console security holes are not unprecedented. When Sega released a modem and broadband adapter for their Dreamcast console in 2000, a number of remotely exploitable holes were discovered almost immediately, not the least of which was a vulnerability to a "ping of death," a small, well-crafted packet that could crash the console, resulting in the loss of game progress and the destruction of saved games, if timed properly.

"A remotely exploitable hole could lead to the stealing or deleting of configuration files, ripped music, and saved games," says hellNbak, who surmises that security holes could lead to headaches for gamers, and the potential for some messy inter-gamer hacking wars in the ego-heavy trash-talking game world.

Security is one of the reasons Microsoft is building its online service as a closed, Microsoft-only system. The Xbox Live service will be a yearly-fee based network through which players will find opponents, teams, updates, and add-ons. According to a written statement from the company, "Microsoft understands how important the online gaming experience is and have adopted a managed approach with Xbox Live, ensuring that gamers don't encounter the types of things that make PC online gaming a hassle."

Closing their service to outsiders increases the security of their system overall and "prevents hackers from scaling beyond one machine," the company claims. "Xbox Live has military grade security to ensure no cheaters, no hackers, and no viruses."

SONY: OPEN DOOR POLICY.

"You cannot effectively secure a device that a potential attacker has complete physical access to," counters hellNbak. And even Microsoft seems to be hedging its bets, acknowledging that "no service is 100% hack-proof."

That's a lesson the company knows well. The Hong Kong-based console accessory company Lik Sang already sells a copy-protection-defeating "mod chip" for the Xbox -- which allows users handy with a soldering iron to play copied and imported games with impunity, and even permits them to use the Xbox to play movies in the DivX format popular with film pirates.

Sony declined to comment on their security plans for the Playstation 2, if any. The company's strategy for Internet play is diametrically opposed to Microsoft's closed-door system. Sony plans to allow game developers to use their own services for player matching and game hosting. Connectivity beyond the basic protocols is left up to developers.

That leaves much of the security in the hands of game developers. Chris Mahnken, producer of Sierra's Tribes Aerial Assault, is building the popular Starsiege Tribes series into a Playstation 2 online launch title. "Sierra is using our existing PC game and player matching system for the PS2 titles," says Mahnken. "The system has proven to be both stable and secure, and we don't see any reason for that trend to change." Mahnken says that the team at Sierra has had to tweak server code to deal with cheaters from time to time, but the majority of their code has remained solid and trusted.

Leaving the server interface software up to the individual designers creates risks of its own, such as the possibility that spyware or backdoors may find their way into game programs. In 1998 security researcher Mark Zielinski found that server software for the first-person shooter Quake II secretly included a backdoor that potentially allowed a malefactor to gain remote control of a running game. Of course, the danger of more serious backdoors in console-based games is less threatening than on PCs -- nobody puts corporate secrets and private e-mail on their game consoles.

Meanwhile, the Xbox seems to possess an almost magical allure for hackers and tinkerers. In June, MIT Ph.D. candidate Andrew Huang published a 15-page paper describing many of the more secretive aspects of the Xbox's hardware. In his paper, Huang claims to have defeated the Xbox's copy protection system -- designed to prevent unlicensed developers from writing their own code for the machine. Coupled with the Xbox's internal hard drive, this could bring the possibility of patch-based cheating closer to console gamers than ever before.

That's good news for the likes of Kellogg. Back in cyberspace, he's begun to arouse suspicion in his Counter-Strike game. A few opponents are grumbling, messaging phrases like "Nharlothep's a cheat! Someone kick him!" Unfortunately for them, there's no server admin online, and Kellogg simply ignores them and continues to rack up the kills. "There's so many other servers out there," he says. "It's just a game, people!"

By Alex Handy

