Game Security - a brief history and what Developers should be aware of

Video games (including PC games) are a quite popular hobby. However, as game software is computer software (and sometimes hardware too), cybersecurity issues are ever-present.

Malware

Here, I shall briefly touch upon the history of video game. Older game consoles (and PC) and software (referred to as retro games) were not designed to connect to the internet (*1). Consequently, most of the cybersecurity measures implemented today were not done in those games. For game developers at the time, the more immediate threat was having their game program copied and pirated versions distributed, rather than facing online attack. Therefore, copy protection was implemented, particularly for PC games, in various ways.

However, the threat of computer viruses (malware) existed even in that era.

To my knowledge, the first reported cybersecurity issue involving video games (in Japan) occurred in 1990 when the Japanese PC game software “Far Side Moon Chikyuu Boueigun 2” (x68000 edition) was shipped containing a computer virus. Following the media coverage of this incident, computer viruses became widely known throughout Japanese society (*2)

Threat of Supply Chain Attack

Of course, video game manufacturers rigorously check and verify their products multiple times to ensure no malware is included, making a similar incident unlikely. However, most video game manufactures uses numerous third-party middleware, software, and libraries, which are also included in the final shipped product. Furthermore, since software online updates are now commonplace, malware can intrude during updating process. This is called as Supply Chain attack.
For example, this month, a video game software had code injected by an unknown party during an online update. This code was designed to steal cryptocurrency. It was downloaded and executed, leading to cryptocurrency theft from the PC of a live streamer (I wrote this in TWIS article). This incident serves as proof that malware infiltration still works as a Supply Chain attack.

Countermeasures against Supply Chain attack including malware injection are not only standard final product inspections but also rigorously requiring users to verify the Integrity of software during online updates, like checking the hash/checksum. Furthermore, using and managing Software Bill of Materials (SBOM) lists will likely become necessary to manage the third-party software used.

Online Games

The primary battleground for game security engineer is online gaming. Online games involve downloading only the game client software and some additional software from servers which are operated by the online game companies, with game status management (fundamentally) handled on the server side. The client software may handle user authentication or input credit card information for in-game purchases, making it a valuable target for malicious attackers. The client devices—PCs or smartphones— which does not have robust security also might be a target for malicious attacker as an entry points of threat campaign.

History of online games is also a history of addressing user cheating. Some malicious players attempt to analyze the memory or its temporary files which are used by the client software, and modify parameters to complete events faster than normal players or gain an advantage over countless competing players. Additionally, they often analyzed communications between the client and server using tools like Wireshark (only analyzing is not malicious, though), modified parameters, and sent them back to the server (Man-In-The-Middle attack). Online game developers have always countered such actions by banning players, detecting such behavior through monitoring health monitor on servers, and obfuscating or encrypting parameters within the client software.

DDOS attack

Furthermore, when in-game assets can be exchanged for monetary value on the market, the server itself becomes more and more valuable target for malicious attackers. This can lead to conventional cyberattacks, particularly DDoS attacks carried out by hijacking client software and PC. That is one of the reason why the malicious attacker aims client PC or smartphone at first.

Security by Design and Level Design

While addressing these various security issues is important, the most efficient cybersecurity measure is, implementing the concept of Security by Design (or Secure by Design) in developing.

Security by Design refers to incorporating security considerations into the software design phase, before the implementation stage. This should be adopted in game software development, ensuring security is considered during the software design. However, if similar concept can be implemented even earlier—at the game concept design and "Level design" stage where the essential part of the game is conceived—and the game is designed such that playing fairly yields greater benefits than cheating, it not only prevents cyberattacks but also creates an incentive for the majority of regular players to deter cheating. 

I imagine the most of game developers already consider security in the software design, however, using this concept in level design is more practical and a more cost-effective security measure.

*1 : Online games played over telephone lines existed as early as 1990, but it was not until 1998 that a game console with internet connectivity was released.

*2 : This incident is well known within Japan's gaming industry, but despite searching, no English-language news reports could be found.