For as long as I’ve been working in the security industry, which – in the spirit of full disclosure – hasn’t been a very long time, I have been shocked by the utter lack of attacks targeting gaming systems.
A couple times a year, maybe, you’ll read about an attack targeting or a vulnerability in some specific game or gaming platform. More often than not the attacks are one-offs, generally exploiting a game’s online platform, forum, or database of some kind. The forever-popular first person PC shooter, CounterStrike, is a great example of this: there always seem to be CounterStrike hacks out there.
To be clear, PC and other computer gamers, particularly those playing massively multiplayer online role-playing and other popular games (like Minecraft), are already exposed to significant threats targeting their machines. Attacks targeting the XBOX or PlayStation or Nintendo consoles, however, seem to be incredibly rare. Nintendo’s and Sony’s portable DS and PSP offerings were targeted by trojans some six years ago, and experts have prophesied the dawn of gaming malware for just as many years. The reality though, by nearly any measure, is that yearly gaming malware predictions have yet to materialize.
The PlayStation Network attack and subsequent outage in 2011 was among the largest known data breaches to date, affecting somewhere between 75 and 100 million customers. The network outage lasted nearly a month, and Sony (the company that makes the PlayStation) was harshly criticized for it, not only because of the way they handled the outage but also because of the series of security missteps that led to and in some cases worsened the severity of the breach. Notorious though the incident was, the attack targeted corporate servers rather than the console itself.
Of course, the PSN attack was – at least in part – a reaction to the way that Sony itself reacted when George Hotz, perhaps better known by the handle geohot, announced that he had Jailbroken – or unlocked – the PlayStation 3. In fact, it is important to draw a line here, when I say attacks, I am referring to malicious, criminal hacks seeking to steal money, information, or computer resources from gaming consoles which are increasingly computer-like. There has certainly been no shortage of hobbyist hacks, sometimes known as modding, seeking to access the full potential of gaming consoles or to make them capable of playing illegally downloaded content.
If you think back to early gaming consoles, this sort of behavior was almost encouraged in a way. When I was maybe five or six, my dad came home with this strange device called Game Genie for my Nintendo Entertainment System. For all intents and purposes, the Game Genie was an automated hacking box. It accessed the binary code that controlled the video games, manipulated that game data, and let game-players enter cheat-codes and perform unintended functions during game-play.
Now however, as consoles become more powerful and connected, the threat of malware targeting gaming consoles is becoming increasingly real. In words of my colleague, Kaspersky Lab expert Christian Funk, “the high interconnectivity of modern consoles, like apps for Twitter, Facebook, Youtube, chat tools and video conferencing like Skype opens doors and makes them more vulnerable to attacks.”
The hard reality here is that the more we input valuable information into a machine, the more likely that machine is to be targeted by attackers seeking to acquire that valuable information.
On that note, in a pre-Christmas Securelist article addressing the arrival of the newest XBOX One and PS4 gaming consoles, Funk assessed the contributing factors leading to the level of risk these devices face from malware attacks. He claims the two most important factors are the popularity of a device and the ability to make money attacking it.
In the case of the XBOX One, Funk is interested in its compatibility with Windows Phone applications. Currently, he claims, there is no in-the-wild malware targeting Windows Phone applications, likely because of it’s lack of market-share. The XBOX One bump may substantially increase the number of users that interact with Windows Phone and its exposure to threats in turn.
Financially, Funk reasons there is plenty of incentive for attackers. Despite this, he’s only seen bricking malware as of yet. And bricking malware, which essentially breaks the machine it targets, while unfortunate and malicious, isn’t making anyone money. Not yet at least. In that vein, Funk says he has read of certain hacks claiming to make the XBOX One reverse compatible with XBOX 360 games but actually just breaking the console by messing with the devkit. This is troll behavior at worst.
“However, with modern consoles,” Funk writes, “things are a bit different. Since the makers of devices are increasingly including the possibility to install additional applications (and pay for them via credit cards, saved on your gaming account) and social media interconnectivity to share the progress and achievements in a game for a ‘fuller gaming experience’, as well as offering decent hardware performance, consoles are in fact attractive for criminals.”
Funk goes on to express concern regarding potential ransomware scams that would lock down a console and demand payment to unlock it. Information, credit card, or credential-stealing trojans could also be a problem for gamers on the latest generation of consoles as well. Beyond these, given the increase in computing power built into these new machines, Funk notes that they may be valuable targets for criminals seeking to amass processing power to mine Bitcoins or perhaps operate botnets as well.
As Funk notes in his piece, we aren’t trying to scare anyone off the latest and greatest consoles. I am sure they are a blast and that they’ll bring you far more joy than grief. However, I also have a bad feeling that the time for gaming malware is now, and I am not totally sure what it will take to protect ourselves. It’s entirely possible that gaming malware predictions never come to fruition or that the console makers or even security companies get smart about console security and gamer protection. It’s also possible that attackers will start going after gaming consoles like Windows machines in the mid-2000s or Android now. Only time will tell.