Amit Sethi

Industry analyst Gartner estimates that the worldwide video gaming market generated £58 billion (US$93 billion) in revenue in 2013. However, according to another study,* only 20 percent of the games produced realise a profit.

Rennie Allen

Piracy, cheating and fraud are among the key factors that prevent a game from achieving financial success. But how can gaming companies protect against these and the other types of attack prevalent in the online video gaming marketplace?

Source: Open Gaming Alliance

What Makes Games Different?

To understand the issues at stake, it is important to examine how gaming software differs from other types of software. Business models range from traditional single- and multi-player packaged games to massively multiplayer online and freemium games. Regardless of the model, the majority have a client-server architecture: the client software runs on the player's mobile device, gaming console or PC, and the server operates remotely, interacting with all the players. Because online games require immediate feedback from the client, there is generally insufficient time for the server to receive the inputs (“fire”), make decisions (“did I hit?”) and respond to the player instantaneously (“you missed”). This means that game servers must trust clients to determine outcomes (e.g. whether the bullet hit the target or not). Clients are trusted to play the game according to the rules, and the server does not verify game play in real time. Given the high latency and low bandwidth of many players' network connections, this design, and the element of trust it depends on, will remain the norm for the foreseeable future, especially for massively multiplayer online role-playing games (MMORPG) and first-person shooter online games (FPSOG).

Herein lies the problem. Players wishing to cheat are able to abuse this trust in a variety of ways. One example is a simple “lag switch”, which slows down the actions of other players in the user's game client. Cheaters also exploit the client-side trust issue by modifying game clients and data files on disk and in memory, and by intercepting messages between the game client and the server. Other techniques include modifying operating systems and device drivers, or even modifying hardware. The end goal is to gain an unfair advantage over opponents. For example, a player may use an “aimbot” that ensures his or her weapon hits the target every time. Other common cheats are “texture hacks”, which make walls invisible and depict enemies in bright technicolour, and “radar hacks”, which equip players with radar vision so that they can see targets beyond the regular field of view. Cheat programs can even allow players to teleport or fly by manipulating the character's location in the local computer's memory.

Mobile Games

A massive area of growth in gaming that is likely to attract increasing attention from cyber-criminals is mobile gaming. According to Gartner, mobile gaming is the fastest growing gaming platform, with revenue set to almost double between 2013 and 2015, from £8.3 billion to £13.8 billion. One of the largest challenges for a developer in this space is the proliferation of devices and operating systems, which makes developing games tough enough without the added challenge of building in extra security layers. Whilst most mobile devices are based on ARM processors, there are a variety of operating systems, including iOS, Android, Palm OS, Windows Phone and others. Add to this the multiplicity of programming languages available, including Java, Objective-C and .NET, and the need for any game to support 80 to 90 percent of all these platforms in order to achieve popularity, and the challenge is obvious.

Building security into the game early in the development lifecycle is also critical. The need for real-time responsiveness makes traditional preventative security controls impractical. Detective controls can offer a valuable compromise. For example, some cheaters can be identified through server-side statistical analysis: players with nearly perfect aim or unusual movement patterns are candidates for extra scrutiny. Game operators can act on that information centrally by banning players or taking other measures to restrict cheating. Rich statistics gathering is just one example of a security control that cannot easily be added to a game after launch. Paying attention to security early in the development lifecycle enables intelligent decisions about which controls should be implemented on the client side and which on the server side to prevent or detect piracy, cheating and fraud. The right set of controls for a given game depends on factors such as the type of game, the business model and the supported platforms.
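The server-side statistical analysis described above, as an added example that is not code from the article or its authors: it aggregates constructed per-tick combat telemetry, scores each player's hit rate with a robust modified z-score (median/MAD, a technique chosen here, not one the article names) and checks movement against an assumed MAX_SPEED rule, producing candidates for operator review rather than automatic bans.

```python
import math
import statistics
from collections import defaultdict

# Constructed sample telemetry (not real data): (player, t_seconds, x, y, shots_fired, shots_hit)
SAMPLE_EVENTS = [
    ("alice", 0, 0.0, 0.0, 10, 4), ("alice", 10, 30.0, 0.0, 12, 5), ("alice", 20, 60.0, 0.0, 8, 3),
    ("bob", 0, 0.0, 0.0, 10, 5), ("bob", 10, 0.0, 40.0, 10, 4), ("bob", 20, 0.0, 80.0, 10, 5),
    ("carol", 0, 0.0, 0.0, 9, 4), ("carol", 10, 20.0, 20.0, 11, 5), ("carol", 20, 40.0, 40.0, 10, 4),
    ("dave", 0, 0.0, 0.0, 10, 4), ("dave", 10, 25.0, 0.0, 10, 5), ("dave", 20, 50.0, 0.0, 10, 4),
    ("mallory", 0, 0.0, 0.0, 10, 10), ("mallory", 10, 30.0, 0.0, 10, 10), ("mallory", 20, 900.0, 0.0, 10, 9),  # near-perfect aim, impossible jump
]
MAX_SPEED = 10.0  # assumed game rule: map units per second a character can legitimately move

def aggregate(events):
    """Per-player shot totals and the fastest movement seen between consecutive ticks."""
    stats = defaultdict(lambda: {"shots": 0, "hits": 0, "max_speed": 0.0, "last": None})
    for player, t, x, y, shots, hits in sorted(events, key=lambda e: (e[0], e[1])):
        s = stats[player]
        s["shots"] += shots
        s["hits"] += hits
        if s["last"] is not None and t > s["last"][0]:
            t0, x0, y0 = s["last"]
            s["max_speed"] = max(s["max_speed"], math.hypot(x - x0, y - y0) / (t - t0))
        s["last"] = (t, x, y)
    return stats

def modified_z_scores(values):
    """Iglewicz-Hoaglin modified z-score (median/MAD, robust to the outliers being sought)."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:  # degenerate population: any deviation from the median counts as extreme
        return [0.0 if v == med else math.inf for v in values]
    return [0.6745 * (v - med) / mad for v in values]

def flag_players(events, z_threshold=3.5, max_speed=MAX_SPEED):
    """Return {player: [reasons]} for players who merit an operator's extra scrutiny."""
    stats = aggregate(events)
    players = sorted(p for p in stats if stats[p]["shots"] > 0)
    rates = [stats[p]["hits"] / stats[p]["shots"] for p in players]
    flagged = {}
    for p, rate, z in zip(players, rates, modified_z_scores(rates)):
        reasons = []
        if z > z_threshold:  # one-sided: only unusually good aim is suspicious
            reasons.append(f"hit rate {rate:.2f} (modified z = {z:.1f})")
        if stats[p]["max_speed"] > max_speed:
            reasons.append(f"moved {stats[p]['max_speed']:.0f} units/s (limit {max_speed:.0f})")
        if reasons:
            flagged[p] = reasons
    return flagged
```

The thresholds are tunable per game; the output is a review queue, and the same aggregation can feed the richer statistics gathering the text recommends designing in before launch.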

Combining attention to security throughout the software development lifecycle with an effective hardening strategy can protect the game against cheating, piracy and fraud, and enforce usage terms, without impacting the customer experience in any way. This is a “win-win” scenario for everyone except the cheats and hackers!

Contributed by Amit Sethi of Cigital and Rennie Allen of Arxan

* Study by the Electronic Entertainment and Design Research Institute