Governments and gaming platforms, it’s time for warfare

Pierluigi Paganini April 10, 2012

The US government is financing several activities to investigate and hack into the technology embedded in the devices that ordinarily surround us. This is the next step in warfare: spying on and attacking foreign enemies simply by accessing the devices present in their offices, houses and cars.
Every device connected to the internet could be the target of an attack, and the intelligence built into it can be used for numerous purposes, exploiting the lack of awareness of the cyber threat. These devices exchange information and talk to each other, sometimes relieving us of many concerns and making our daily lives easier. The issue is extremely delicate and deserves careful study: devices that can provide any information about our experience can be controlled remotely to spy on us or, even worse, deliberately tampered with remotely to cause damage.

For this reason, the American cyber strategy has devoted a sensitive part of its research to this area, with the intent of qualifying the threat in detail and benefiting from that knowledge. The U.S. government recently promoted a project to hack into video game consoles, requesting the “Development of Tools for Extracting Information from Video Game Systems.”

The idea is as simple as it is efficient: today’s consoles are fully equivalent to computers, they are connected to the internet in the same way, and they provide many services to the end customer. The latest generation of gaming consoles has pushed the communication aspect: using these devices, users can communicate with every other player connected to the gaming platform. Those communications, and any other sensitive information stored in the console, are of interest to US intelligence agencies.

The U.S. Navy has reported that the scope of the project is to hack into used consoles to access any sensitive information exchanged through their messaging services. It has also guaranteed that the spying technology will be used only on nations overseas, because of domestic legal restrictions that do not allow these practices on US citizens.

The official U.S. Navy statement is:

“This project involves furnishing video game systems, both new and used, and creating prototype rigs for capturing data from the video game systems.”

The description from the actual contract on the Federal Business Opportunities website, posted on March 26, is:

“R & D effort for the development and delivery of computer forensic tools for analyzing network traffic and stored data created during the use of video game systems.”

The project was published two months ago and week the U.S. Government has assigned it to the California-based company Obscure Technologies, signing a contract of $177,237.50 for the job. Obscure Technologies was chosen due to its considerable experience in the sector and because it “is the only US company that appears to offer the purchasing of used computer equipment for access to the contained information as a commercial service,” according to the Contracting Activity document (docx).

US agencies are more interested in the platforms than in the games, mainly because newer consoles allow users to communicate with one another via messaging and chat systems.

The main requirements of the project are:

Online Monitoring Tasks:

  • Provide monitoring for 6 new video game systems, a maximum of 2 of any type from any given vendor.
  • Generate clean data (data that does not contain any identifiable information from real people) from new video game systems.
  • Design a prototype rig for capturing data from new video game systems.
  • Implement the prototype rig on the new video game systems.
  • Provide data captured by the prototype rig in the following formats: Packets shall be delivered in PCAP format, Disk images shall be delivered in E01/EWF format.
  • Write a final report, between 10 and 20 pages, to include details of work performed, the engineering approach used and the reason why, any engineering decisions that were made and why, what work remains to be done, and any failings of the approaches followed.

Offline Monitoring tasks:

  • Provide used video games systems purchased on the open market.
  • Used systems provided shall be likely to contain data from previous users.
  • Extend tool development to implement creating signatures over sections.
  • Survey console chat room technology and identify potential chokepoints where data may be committed to storage.
  • Identify data storage points on used video game systems and attempt to demonstrate proof of concept.
  • Extract real data from used video game systems.
  • Provide data captured from used video game systems in the following formats: Packets shall be delivered in PCAP format, Disk images shall be delivered in E01/EWF format. Provide video game system extraction software and/or hardware.

In the past, many studies of the use of gaming consoles were conducted by manufacturers and by many organizations interested in psychological research.
This time the approach is quite different: there is a clear intent to spy on users who access gaming platforms.

Similar projects have been developed in the past: in 2008, a project called “Gaming Systems Monitoring and Analysis Project” was launched by law enforcement to investigate crimes relating to pedophilia.
For that project, law enforcement authorities requested help from DHS’ Science and Technology Directorate, asking for an instrument that could observe game console data. DHS then went to the Naval Postgraduate School (NPS) to find Simson Garfinkel, an NPS computer science professor, to offer a contract to a company that could conduct the research and offer a product.

“Today’s gaming systems are increasingly being used by criminals as a primary tool in exploiting children and, as a result, are being recovered by U.S. law enforcement organizations during court-authorized searches,” said Garfinkel.

Obviously there have been many concerns about the project and its legality. Electronic Freedom Foundation (EFF) spokesman Parker Higgins has alerted the worldwide community to the illegality of accessing sensitive information stored on a console when that storage was not specifically requested by the user.
The main problem is:
“Which sensitive information do consoles keep without the explicit authorization of their users?”

Parker Higgins said:

“You wouldn’t intentionally store sensitive data on a console,”
“But I can think of things like connection logs and conversation logs that are incidentally stored data. And it’s even more alarming because users might not know that the data is created. These consoles are being used as general-purpose computers. And they’re used for all kinds of communications. The Xbox has a very active online community where people communicate. It stands to reason that you could get sensitive and private information stored on the console.”

The interest of the US government in the gaming sector is not motivated only by spying: the same consoles can be used as a weapon in a cyber attack. Imagine a botnet made up of millions of consoles launching an attack against a strategic target at the same time; this is not science fiction, it is reality. Similar attacks may cause extensive damage in a warfare scenario, and the U.S. government is aware of it.
Understanding and addressing the issues related to the new generation of cyber weapons is crucial, and the misuse of consoles may be considered in this perspective.
The gaming market is one of the most critical in terms of security for the following reasons:

  • complex infrastructure that is not easy to manage, with significant computing power, and very attractive to hackers for the chance to use it in attacks.
  • availability of a large amount of payment information (e.g. credit card numbers and information about their owners).
  • large diffusion of mobile devices with specific security issues.
  • issues related to piracy management and more generally related to DRM (“Digital Rights Management”).

A study conducted about one year ago showed that 80% of organizations that provide gaming services do not keep track of those who use game consoles in the workplace, making it impossible to trace the activities related to a possible source of attack. After the Sony event, something has changed. According to the main security firms, the safety of users playing online on consoles is exposed to significant risks, more or less serious.

The war has just begun …

Pierluigi Paganini

(Security Affairs – Gaming security)
