Last week, I spoke at
SecTor 2009, on a subject near and dear to my heart: people messing around with videogame consoles in various horrible ways. Before I go any further, I want to say this - in terms of looking after people who turn up to speak, SecTor wins first prize. It might not sound like much, but it is extremely nice to have some dude waiting for you in a pre-paid car to take you to the hotel from the airport at 1AM when your plane has been delayed for seven or eight hours (cockpit windows fell out, or were about to. Long story).
So, large and appreciative hat tip to the organisers. They looked after me and stuffed me with food and I can't ask for anything more than that. You can also see a collection of photographs
here. Some of them are even in focus.
As far as my talk goes - hoo boy. Talking about exploiting videogamers always seems to be a touchy subject, as gamers seem to lock themselves into a protective bubble, dismissing everything with "Nothing to worry about, it's only phishing".
Once it's put into a box like that - sorry man, lights out. Whatever gaming network you're talking about is "safe". No "hacking" is taking place. The "only" way someone can get your login - argh, the assumption that the ONLY thing bad people are looking to do on gaming networks is steal your login! - is by convincing you to put your information into a phishing page or handing it over. While the phishing side of things is accurate - nobody is going to get anything unless you GIVE them it, save for when they try to social engineer support staff - there are many, many steps along the way that involve all manner of hexing, hacking and getting around security systems on the console which
lead to that phish being more convincing than it should be.
When it gets to that stage, the people who provide you with that gaming network need to sit up and take notice, because it is most certainly NOT just "about phishing". While gamers obsess over being "safe" in their account-not-phished world, the entirety of their gaming network had drowning in a sea of DDoS attacks, network spam and other junk clogging up their intertubes.
Also: this has been on
Slashdot and a bunch of other places, and without having seen the talk (and going off the condensed coverage the talk has had) people are either misreading what went down, or going on about things I never mentioned at all (one guy is talking about "compromised XBox consoles being part of a DDoS Botnet" - what?)
It wasn't just about phishing. I showed some pretty pictures of the tools people use to tamper with files. There were paid-for DDoS Botnets, designed to kick people out of games. How about people messing with files so they could get things for free that the rest of us pay for. There was an examination of people getting around swear filters in a manner that allowed them to impersonate videogame developers. And so on.
Everything in my talk boiled down to one of three areas:
1. People who manage to run open source operating systems and old videogame consoles on an XBox360.
2. People who hex edit files in order to gain some advantage, in order to get things for free that everyone else pays for, to gain the upper hand in a game or to make some money when they come to sell their account on the black markets. Or, you know, EBay.
3. People who wheel out all kinds of malicious activities - DDoS, chat spam, phishing and social engineering - in order to give you a bad hair day. Again, winning the game might be the priority - but there are many other reasons. In the same way that it isn't just about stealing logins, it isn't just about winning games either. Many scams flying around the XBox Live network are nothing more than plain old harassment, bugging you for no good reason, flooding your inbox for the purposes of hilarity.....etc.
The main areas I explored were 2 and 3 - and wrapped up in both of those are two basic ideas: hack yourself, and hack others.
Let's be clear here, because people get way too wrapped up on the word "hack" where consoles are concerned. Spoon fed the idea that consoles are "secure", many people will dismiss any and all activity as "mere phishing". Yes, the ultimate goal for most malicious individuals in console land is to grab your account. Yes, the final roll of the dice when your number comes up (usually) relies on you handing over information to your attacker.
But in the process of obtaining that data, the attacker may well have blended software modding, file hexing and system exploitation to achieve that final headshot. They start with hacking something, and end with phishing. There IS hacking taking
place, and it's really irrelevant if the hacking portion comes at the
start or the end of the process - all that matters is they gain control
of an account. They are hacking the software, the games, getting around the numerous
security protocols designed to stop tampering and also using these same techniques to obtain items for free that regular users have to pay for.
I don't know about you, but it certainly sounds to me like someone is hacking
something.
I expand on this a little
here, but feel free to keep rolling.
Key areas of console exploitation that I covered in my talk (loosely in the realm of points 1 & 2 above) were:
1) Artificially inflating your Gamerscore, either for kudos from your peers or financial gain by selling on high scoring accounts on various black market sites. If you can bump your own score easily, you don't have to get your feet dirty with that horrible phishing business.
2) Phishing accounts, particularly those with credit cards attached or - of course - those with high gamerscores. Phishes can (of course) be everything from the basic fake webpage, to lame messages sent across the XBox Live messaging system, or those wonderful
fake points generator programs. Phishing has become a lot more sophisticated, and nowadays most phishing throw in some file tampering to make the phish more realistic. Speaking of which...
3) Hex editing data created on your console in order to cheat at games, unlock various things you'd otherwise have to pay for (which in many cases ties back to Gamerscore hacking) or perform malicious acts that often form one of the rungs in the phishing ladder.
This is a perfect example. As I've said elsewhere, temporarily changing your gamertag in order to assume the identity of a game developer listed on gamerscore rank sites and phish another user is, I think, a pretty smart example of maliciously altering programming in ways it was never meant to be altered, as well as getting around a supposedly rock solid authentication system and throwing in a neat social engineering twist into the bargain.
4) People just want to have fun. And by "fun", I mean "fill up your gaming network with so much junk and rubbish that the whole thing eventually crumples in a heap and starts to cry". I covered
Friend Request Spammers, DDoS attacks and a couple of other things such as lag switches that you buy from online stores and glue onto your controller but time was against me. I wanted to also explore things like chain letters (that require you to waste time by inserting a specific game disk to view them!) and other weird / not-so-wonderful items of strangeness, but I guess those will keep for another time.
Why are we at risk?1) Modern console design is geared towards interactivity, and something working with everything else whether you want it to or not. You can get online with your console via ICS and a hole in the back of your PC, you can wirelessly use Windows Media Center with your XBox, and you can - crucially - take your removable XBox Hard Drive (geared towards digital downloads and eventually buying bigger drives) and use a Microsoft supplied USB wire and plug it into a PC, view all the files on it then start hexing many of them if you're that way inclined.
I'm not quite sure how someone at MS didn't think people wouldn't immediately plug these HDDs into computers and start looking around, but putting features onto gaming consoles that make them resemble mini PCs also makes them rather exploitable. The same features, the same functionality, the same funny shaped holes in the back of them and it all starts to go a bit pear shaped.
2) Dedicated pretexting groups on forums who will happily spend all day phoning Microsoft support reps in attempts to social engineer them into giving them your data. It seems after a number of incidents MS has tightened up in this area; however, people still complain that this has happened to them and these SE groups still exist. Some currently hijack accounts and give tutorials on how to keep them once stolen, which is, uh, a nice touch. I guess.
3) The huge obsession with promoting your
gamerscore - an arbitrary numerical value assigned to achievements you earn in a game - as an
amazingly cool thing. Witness
this guy having a huge hissy fit about me daring to complain about it.
The flipside is that these scores single people out as targets for phishing, social engineering and general abuse.
Limited privacy features mean you can only hide your most recently played games and achievements - pointless - but you
CAN'T hide your gamerscore.
A common technique for social engineers is to simply go to one of the many sites that provide this data, such as the
official XBox forums and make a running total of anybody with a score between 20,000 or 30,000 (or more) on the basis that those accounts will have unlocked more things in the game, or have a higher ranking, or have more shiny blinky things for you to play with.
Remember the "impersonate a game developer" scam I mentioned earlier? Many of the people trying that scam out would potentially have just gone to a site listing game developer Gamertags under "Celebrities" - like
here - then writing down their names for future use.
You can bet a lot of people on that list don't know about the scams that are out there, despite them being game developers. Are we painting a big target on people that really should be a little more anonymous? I would argue we might be - phished game developer accounts would no doubt be able to fool a ton of starstuck game fans.
And we really should have the option to hide the Gamerscore, "celebrity" or not, should we choose to do so.
ConclusionIt's not all bad - Microsoft do ban lots of accounts for cheating and tampering, but I'm not kidding when I say the problem is long since out of control - jump onto Youtube or any other site, and there more cheating / hacking / modding videos there than you could ever hope to wade through in one lifetime. For all intents and purposes, we're all stuck with this until a real solution is found.
As for me, I'm going back to playing on my Atari 7800, where the only danger is that the ancient wiring might blow out and burn down my house.
