5 Common Security Pitfalls in Gaming
15 April 2020
Security will always be a hot button issue in the games industry. Questions like 'how easy is it for players to cheat in my game?', 'am I doing enough to comply with data privacy laws?', and 'how much of my profits am I losing through in-game cheating?' are timeless and will always be at the forefront of a developer's mind when creating games. These are the basics, the stuff we all know about. But in our work as gaming cybersecurity specialists, we come across a lot more than that in our day to day.
Without sounding too dramatic, for a large portion of the games industry - especially in online gaming - attacks are constant and widespread. As with any multi-billion dollar industry where the primary consumers are tech-literate agents with a competitive streak, getting 'one up' on a publisher or games creator is often half the fun for gamers with malicious intent. That's why it's so important to be aware of the most common ways your game can be attacked. Let's look at just a few.
1. Speed Hacking
Speed hacking is hugely common in competitive gaming. Put in the most basic terms, speed hackers target things like how fast their avatar can move from point A to point B or how long a reload/cooldown time is. You don't need to try too hard to imagine what an unfair environment this can create in almost all genres of online or PVP gaming. Racing games become unfair to the point of obsolescence. Tactical combat and shooter games like Call of Duty or PUBG become a total nightmare in which enemies can change locations in an instant. Besides being a breeding ground for one-sided matches, speed hacking flies entirely in the face of fair play. It's a real pity when we see this because simple validation checks can eliminate this kind of cheat completely.
2. Business Logic Flaws
For starters, business logic flaws are a massive threat to both fair play and profits generated in-game. They occur when players (let's face it, hackers) manipulate a game to allow them to perform functions they wouldn't usually be able to perform, or to get results they wouldn't usually get under normal circumstances. These can include item duplication, executing code to complete the same quest over and over again for increased rewards, level boosting (earning more XP than normal for an action), skipping load or wait times on in-game actions (like grinding), and even scamming other players when it comes to trading items. Hacks like this are usually performed by exploiting a flaw programmed into the process flow of a given functionality in a game.
It might seem harmless if one player can duplicate one non-essential item somewhere in the game once - so what? But what if your business model depends on in-game purchases? If your primary source of income comes from weapons or skins sold in-game or pay-to-win upgrades, players being able to mine XP without barriers or duplicate and trade (or even sell!) items needs to be stamped out with extreme prejudice.
3. Missing Access Controls
Developers working with clan, guild, or team-based games will be especially familiar with this one. Cheats originating from access control flaws are by far the most common security flaw in gaming applications because of the nature of the logic that needs to be programmed into a game's code. Players with a little knowhow can perform any number of unauthorised and unfair tasks in-game: promoting or demoting clan members without relevant permissions, accessing game areas they don't currently have the level or XP for, accepting or initiating trades on behalf of other players, or even issuing bans. Missing access control hacks have also been known to grant access to the personal data of other players. In other words, when left unchecked, access control flaws can change the entire landscape of a game.
4. Data Compromise
There are countless means outside of missing access controls to get unauthorised access to private data. The ones we see most commonly are SQL (structured query language) injection injections and remote code execution.
SQL injection allows a game hacker to execute system orders or commands for themselves. In many cases they can be used to bypass a game’s security system or even change things in the game itself. In extreme scenarios, a malicious agent could even access a server database containing private player or payment information.
With remote code execution hacks, players effectively introduce new code into a game's infrastructure to allow them to execute system commands in-game that can grant them access to the player database or even the game's entire server environment.
By ensuring a game's infrastructure validates and sanitises each input correctly, dangerous data compromise risks like this can be effectively avoided.
5. Control Forced Teleports
Like speed hacking, control forced teleport hacks are a huge threat to fair play in games. Common too. So much so that entire books are available on the dark web on how to perform CFTs on specific games! The same rules apply as with speed hacking; players who can teleport from point A to point B are always going to have an unfair advantage on the battlefield. But let's think a little more outside the box on this one. Being able to teleport to anywhere on a game's map can also give players a huge advantage when it comes to time spent grinding skills or XP. More than that, CFTs can even allow players to bring items restricted to certain game areas to any area in the game they like. Think bringing a tank to a knife fight here.
The first step in any ongoing security effort is arming yourself with information. By understanding how players can give themselves an unfair advantage, we can arm ourselves with the tools to prevent it before it ever becomes an issue. As developers, publishers, and professionals operating in the games industry, we want to see the best for our games. We want to release products that don't leak profits en masse, of course. But we also want to create a gaming space that's safe and enjoyable for our players. By taking simple steps from the outset, we can keep our players happier and our game's lifecycles ticking along for a lot longer.