Video Game Security

Video games, especially online video games, can expose players to cyberattacks.   The attacks come both from unsafe behaviors by the players and from inadequate security in the servers hosting the games. Many games require players to have credit cards registered with the server so they can pay for special treatment or game artifacts, such as alluring attire, powerful weapons, or extra game points. If the server is successfully attacked, players’ credit card information could be exposed.

Well crafted video game security is more difficult to achieve and to maintain than security for applications that move at the speed of keyboard typing or the display of pages of text intended to be read by the user.

Video performances that involve receiving or transmitting fast moving images, bursts of color , and complex sounds will use a large portion of the users’ computer capacity, and this will challenge even the fastest servers running the game quickly enough to satisfy hundreds of simultaneous players.

Aside from running an elaborate game for many simultaneous users, the game servers must also track player behaviors looking for rules violators, unusually successful players, and blatant attempts at seizing control of the operation, or capture of other players’ identities.

Exposure to hacking is not inevitable. There are some successful strategies that manage multiple games, provide very fast game reactions, and keep security at a high level. One that seems very popular is the “Steam” environment created by Valve. It manages dozens of game titles, many of them free to the players. The games are designed and written by independent game makers.

Steam games use Valve’s private backbone network peered with more than 2,500 ISPs around the world. To reduce latency, Steam leaves open the UDP ports on the player’s firewall. Use of UDP eliminates time consuming tasks that typically burden conventional TCP transmission.   Valve’s use of UDP, encryption and its private network tolerate switching from one network point to another without interrupting the transmission. Under UDP, the IP address of both sender and receiver are masked and the message payload is encrypted. Using UDP, it is nearly impossible for a cyber-attacker to target the victim. Together the design strategy makes Distributed Denial of Service (DDoS) attacks exceedingly difficult to mount. Before Steam, streaming games were frequently attacked by DDoS.

Valve has taken on a large chunk of the security measures that e-commerce vendors need to address for an online game. For a different kind of application, other exposures could undermine Valve’s thoughtful approach. There are many thoughtless ways that a player could behave to his own detriment. For example, if the player while not using a Steam game were to fall for a phishing exploit, he could give the attacker the virtual keys to everything on his computer. Or, if the player were to download a virus-infected game, he could contaminate his own computer, and perhaps transmit malware to the Steam games site.

Soon we may be hearing about virtual reality users suffering from nasty falls and injuries that result from a hacker tampering with the streaming visual feed sent to the VR headset.

The most predictable out of control behavior on any computer can be triggered by a player running a program that contains code leading to buffer overflows. Buffer overflows allow anyone running that program to execute arbitrary, perhaps dangerous, instructions for the computer to follow.

On the bright side, gains from stealing credit card information, cookies, or ransom ware placement on one streaming gamer at a time seems like a poor use of a hacker’s time. Low payoffs may help insulate streaming applications from cyberattacks.