3. $whoami
● Conor Walsh
● Lodestone Security LLC
○ Principal Security Engineer, Head of R&D
● Modding since ’95
○ Aware of it since ’00
● Previous Employment
Agenda
4. Lodestone Security LLC
● HQ: Westport, CT
● Information Security Professional Services Firm
● Founded in Jan 2017 by Beazley Plc
○ London-based insurance provider
7. Why Video Game Security?
● Game consoles were some of the first “IoT”
● Trusted Computing is everywhere
○ IoT, Medical devices, ICS/SCADA
● Concepts apply to all execution stacks
● Video Games are awesome!
○ Massive, complex, distributed, resource intensive
○ Modding can be both harmful, and awesome!
11. Who Are They?
Establishing our lexicon…
● ‘Mod’, ‘Modding’
○ Modifying the physical or logical aspects of a game system
● Modder
○ An individual who ‘mods’
■ Not a hacker
○ Includes producers and users
● Not all games are considered equal
○ Focused on consoles today
○ Massively Multiplayer Online Games
○ Sony, Microsoft specifically
Threat Landscape
12. What Do They Want?
● Free Games
● #Winning
● Notoriety
● Profit
13. How Do They Do This?
● 80/20 rule
● ‘SPT’ - Simple Persistent Threat
● Operating in public
● Reputation, and respect thereof, plays a major role
14. Where Are They?
● Forums, Websites
○ Next Gen Update
○ Se7ensins
○ Multiplayer Gaming Hacking
○ Ps3Hax
○ Many more...
● Chat Groups
○ IRC
○ Slack
○ Skype
○ Discord
15. David v. Goliath
● Gaming == Safe Zone
● MMO: Active user account -> User experience
History’s first reported critical hit.
16. Sony v. George “Geohot” Hotz
● January 26, 2010
○ Hotz releases first PS3 jailbreak
● March 28, 2010
○ Sony releases firmware update
● December 29, 2010
○ fail0verflow presents PS3 exploit developments at CCC
● January 2, 2011
○ Hotz posts PS3 root keys on website
● January 11, 2011
○ Sony sues Hotz and others
● Then…
18. Is Sony Down?
We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”
-Patrick Seybold, Sr. Director, Corporate Communications & Social Media
19. Fighting Your Customers
● Blades in the crowd
● Not everyone is a pirate
● Signal in the Data in the Noise
○ False Positives more severe!
● Security vs Usability
21. Trusted Computing
With Trusted Computing, the computer will consistently behave in expected ways, and those behaviors will be enforced by computer hardware and software.
Trusted Computing
22. Trusted Computing (cont.)
● Internet of Things (IoT)
● Medical Devices
● Industrial Control Systems (ICS)
● Payment Processing Systems (PCI)
24. Video Game Consoles
● Restricted user interface
● Signed Physical Media and Binaries
○ By 1st Party (Sony, MS)
● Peer-based network sessions
○ 1st Party handles QoS, sessioning
○ Peer chosen as session “Host”
○ Devs may employ game service API
● Network Session State
○ All must agree
○ One conclusion must be reached...
25. Developer Consoles
● Powerful, unlocked hardware
● Unrestricted user interface
● No code signing required
● Platform SDKs and Tools
● Can sometimes disappear...
○ Just like my socks
26. Console Exploits and Modifications
● Hardware
○ Disk drive emulators - xk3y, 3k3y (X360, PS3)
○ Joint Test Action Group (JTAG) Interfaces (X360)
○ Reset Glitch Hack (RGH) (X360)
● Software
○ PS3 Firmware version 3.55 Exploits
■ CEX, DEX, Rebug, Rogero, etc.
○ Xenon Linux Loader (Xell) (X360)
○ Xecuter Fusion (X360)
27. Modder Recap
What We’ve Covered So Far
● Modders are many, relentless, and not always $$ driven
● Finding and stopping them is hard
● Trusted Computing is a security control, but not perfect
● The tools available allow the user developer-level access
○ Just like on a PC!
Busted Computing
30. Attack Vectors
● File Modification
○ “ISO Modding”
○ Editing static files found on disk
○ Low barrier to entry
● Binary Patching
○ Modifying instructions of executable
○ “Crack” - DRM bypass
○ Higher complexity
Threat Model
31. Attack Vectors
● Memory Manipulation
○ R/W memory of game process
○ APIs expose RAM to companion PC
■ TMAPI, CCAPI (PS3)
■ Xbox Neighborhood, XMDB (X360)
● Process Injection
○ Mimics DLL injection
○ SPRX (PS3), XEX (X360)
○ Complex to produce
○ High portability
32. Attack Vectors
● Business Logic (Scripting)
○ Games employ scripting engines
■ Lua, Python, Perl, home grown, etc.
○ Updates without compilation
○ Stored, consumed in plaintext
○ “Sideload” custom script files
○ Forward compatibility
○ Strap on your own interpreter
33. GSC Scripting
● Script file extension for CoD Games
○ At least as far back as CoD:MW (2007)
● Rendered in plaintext
○ Community made GSC editors available
● API extensively documented by Modders
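Added example (not from the deck or any game's code): a load-time integrity gate for plaintext script files such as the GSC ones above, which covers both the sideloaded-script vector and the file-modification vector from the earlier Attack Vectors slide. It assumes a release manifest of script hashes authenticated with an HMAC key as a stand-in for a 1st-party signature; the script paths and contents are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample scripts, stand-ins for a game's plaintext script files.
SCRIPTS = {
    "maps/mp/gametypes/_rank.gsc": b"init() { level.rankTable = loadRankTable(); }\n",
    "maps/mp/_utility.gsc": b"isAlive(ent) { return isDefined(ent) && ent.health > 0; }\n",
}

# Hypothetical release key. A shipping build would use a 1st-party private key and an
# asymmetric signature; HMAC is used here only so the example runs stand-alone.
RELEASE_KEY = b"constructed-release-key"


def build_manifest(scripts: dict, key: bytes) -> dict:
    """Hash every shipped script and authenticate the whole list with one tag."""
    digests = {name: hashlib.sha256(body).hexdigest() for name, body in sorted(scripts.items())}
    payload = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "tag": hmac.new(key, payload, "sha256").hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Reject a manifest whose tag was not produced with the release key,
    e.g. a hash list edited to whitelist an extra file."""
    payload = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, payload, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest.get("tag", ""))


def script_allowed(name: str, body: bytes, manifest: dict, key: bytes) -> bool:
    """Gate in front of the script interpreter: load only scripts that are listed in an
    authentic manifest and whose on-disk bytes still match the recorded digest."""
    if not manifest_is_authentic(manifest, key):
        return False
    recorded = manifest["digests"].get(name)
    if recorded is None:  # file not part of the release (sideloaded)
        return False
    return hmac.compare_digest(recorded, hashlib.sha256(body).hexdigest())
```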
36. Attack Vectors
● API Server Attacks
○ Standard Web-service AppSec
● Peer-based Attacks
○ Console peer-to-peer channels
■ Communicated over UDP
■ Not encrypted by default
■ Little modder focus
○ Denial of Service attacks
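Added example, not from the deck: a host-side reconciliation of peer-reported session state, the "all must agree, one conclusion must be reached" point from the Video Game Consoles slide, so that one modded peer on the unencrypted peer channel cannot push its own score table. The per-tick score bound and the sample reports are constructed assumptions.

```python
from collections import Counter

# Hypothetical game rule used as a plausibility bound: no player can gain more than
# this many points between two consecutive session ticks.
MAX_GAIN_PER_TICK = 100


def plausible(previous: dict, proposed: dict) -> bool:
    """Sanity check on a proposed score table: same player set, no score goes down,
    no gain above the per-tick bound."""
    if set(previous) != set(proposed):
        return False
    return all(0 <= proposed[p] - previous[p] <= MAX_GAIN_PER_TICK for p in previous)


def reconcile_tick(previous: dict, reports: dict):
    """reports maps peer_id -> that peer's view of the score table for this tick.
    Returns (agreed_table, dissenting_peers). The table must be backed by a strict
    majority of peers and pass the plausibility check; otherwise agreed_table is None
    and every peer is listed so the session can stall or roll back instead."""
    if not reports:
        return None, []
    as_key = lambda table: tuple(sorted(table.items()))
    votes = Counter(as_key(t) for t in reports.values())
    table_key, count = votes.most_common(1)[0]
    if count * 2 <= len(reports):  # no strict majority
        return None, sorted(reports)
    agreed = dict(table_key)
    if not plausible(previous, agreed):  # majority colluded or a shared bug
        return None, sorted(reports)
    dissent = sorted(p for p, t in reports.items() if as_key(t) != table_key)
    return agreed, dissent


# Constructed sample tick: two honest peers and one peer reporting an inflated score.
SESSION_PREVIOUS = {"alice": 100, "bob": 80, "carol": 50}
HONEST_VIEW = {"alice": 110, "bob": 90, "carol": 50}
SESSION_REPORTS = {
    "alice": HONEST_VIEW,
    "bob": dict(HONEST_VIEW),
    "carol": {"alice": 110, "bob": 90, "carol": 950},
}


def run_sample():
    return reconcile_tick(SESSION_PREVIOUS, SESSION_REPORTS)
```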
39. XboxOne
● Hyper-V-based Hypervisor OS
○ Windows 10, Metro-UI Based Environment
○ Xenon (Xbox) processes run in separate sandbox
○ Public developer program
● Exploit released, then patched
○ Based on MS Edge exploits; ‘Chakra’
Into the Future
40. PlayStation 4
● FreeBSD-based OS
● PS4 SDK leaked to the public
● ‘CTurt’ discovers Webkit exploit
○ Releases ‘PS4-Playground’ toolkit
41. Then vs Now
● Now: MS Edge, Webkit, SDK
● Then: JTAG, RGH, E3 Flasher
42. SSL Certificate Hunter
● SSL Certificate Pinning
○ Hard-set certificate for a client to expect
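Added example, not from the deck: a client-side certificate pin check built on Python's ssl module, illustrating the "hard-set certificate for a client to expect" bullet. It pins the SHA-256 of the leaf certificate's DER bytes (a simplification; SPKI pins are also common), keeps normal chain and hostname validation on, and the pin values are placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Hypothetical pin set: hex SHA-256 digests of the DER-encoded leaf certificates the
# client accepts (the live cert plus a pre-deployed backup so rotation does not
# lock clients out). Placeholders, not real pins.
PINNED_LEAF_SHA256 = {
    "<sha256-of-current-leaf-der>",
    "<sha256-of-backup-leaf-der>",
}


def leaf_pin(der_cert: bytes) -> str:
    """Pin value for a certificate: SHA-256 over its DER encoding."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the presented certificate is in the pin set (constant-time compare)."""
    digest = leaf_pin(der_cert)
    return any(hmac.compare_digest(digest, p) for p in pins)


def connect_pinned(host: str, port: int, pins=PINNED_LEAF_SHA256, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the leaf certificate matches a pin.
    Default context validation (chain + hostname) still runs; pinning is an extra layer."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        presented = tls.getpeercert(binary_form=True)  # DER bytes of the leaf
        if not pin_matches(presented, pins):
            raise ssl.SSLCertVerificationError(f"leaf certificate for {host} is not pinned")
    except Exception:
        tls.close()  # never hand back a socket that failed the pin check
        raise
    return tls
```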
44. What can we do?
● Fight the Good Fight
○ Security for Breakfast
○ Security in Layers
○ Player Profile
○ It’s a Game
○ Build Your Tool Set
○ Another Perspective
● Not Just Video Games!
Solving the Problem
45. Security for Breakfast
● Address security from the start
○ Cheaper, faster and easier
● Threat Modeling
● Cook in your session state
46. Security in Layers
● Trust Boundaries
● User Data
○ Input Validation
○ Output Sanitization
● All the things, everywhere, every time
47. Player Profile
● Assumption: player data is already being collected
● One log to rule them all
● Behavior Profiling
● Piggyback on what exists
○ Or, build your own
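Added example, not from the deck: behaviour profiling over constructed end-of-match log lines (the line format is assumed), using median/MAD modified z-scores so one extreme player does not drag the baseline, and a minimum-kills gate so low-sample players are not flagged, in line with the earlier point that false positives are the more severe error.

```python
import re
import statistics

# Constructed end-of-match summary lines in an assumed format (not a real game's log).
SAMPLE_LOG = """\
match=7 player=alice kills=14 headshots=3 minutes=10
match=7 player=bob kills=9 headshots=2 minutes=10
match=7 player=carol kills=18 headshots=5 minutes=12
match=7 player=dave kills=11 headshots=2 minutes=10
match=7 player=erin kills=16 headshots=4 minutes=10
match=7 player=frank kills=20 headshots=3 minutes=15
match=7 player=mallory kills=40 headshots=38 minutes=10
"""

LINE_RE = re.compile(r"player=(\w+) kills=(\d+) headshots=(\d+) minutes=(\d+)")
MIN_KILLS = 10      # below this the ratios are too noisy to score
Z_THRESHOLD = 3.5   # conventional cut-off for the modified z-score


def parse_profiles(log_text: str) -> dict:
    """player -> {'kills', 'hs_ratio', 'kpm'} for every player with enough kills to score."""
    profiles = {}
    for m in LINE_RE.finditer(log_text):
        player, kills, hs, minutes = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
        if kills < MIN_KILLS or minutes == 0:
            continue
        profiles[player] = {"kills": kills, "hs_ratio": hs / kills, "kpm": kills / minutes}
    return profiles


def modified_z(values: dict) -> dict:
    """Median/MAD based score: a single cheater inflates mean and stdev, not these."""
    med = statistics.median(values.values())
    mad = statistics.median(abs(v - med) for v in values.values())
    if mad == 0:  # everyone identical; nothing can be called an outlier
        return {p: 0.0 for p in values}
    return {p: 0.6745 * (v - med) / mad for p, v in values.items()}


def flag_outliers(profiles: dict, threshold: float = Z_THRESHOLD) -> dict:
    """player -> list of metrics on which they sit far above the population."""
    flagged = {}
    for metric in ("hs_ratio", "kpm"):
        scores = modified_z({p: prof[metric] for p, prof in profiles.items()})
        for p, z in scores.items():
            if z > threshold:
                flagged.setdefault(p, []).append(metric)
    return flagged
```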
48. It’s a Game
● Keep it fun
● Aim for perfect; Accept reality
● Old tricks, new label
49. Build Your Tool Set
Man is a tool-using animal. Without tools he is nothing, with tools he is all.
-Thomas Carlyle
● Don’t bring malware home to see mom
● Build into your environment
● Start simple
● Use what’s available
● Build a team
50. Another Perspective
● Builders can’t assess their own work
○ Just like QA or AppSec
● Good developers fix the issues they find
○ It’s the ones they didn’t see...
● A Dev, QA, and a Hacker walk into a bar...
● Hired guns
○ [SHAMELESS SELF PLUG]
51. Fight the Good Fight
● Security for Breakfast
● Security in Layers
● Player Profile
● It’s a Game
● Build a Toolset
● Another Perspective