This post is from the Arxan blog and has not been updated since the original publish date.
Arr Matey, Hear a Tale about Cyber-Piracy
It’s Talk Like A Pirate Day. The one day a year we all brush up on pirate-speak and can be forgiven for saying things like Arr Matey! It’s also a nice excuse for cybersecurity companies to tell tales about adversaries who, like the pirates of old, are out to plunder, pillage and loot.
Pirating Games for Fun & Profit
Piracy is still the order of the day, especially in the gaming industry. Today’s software pirates range from lone wolves looking for notoriety to organized cyber criminals looking for booty...er, profit. No matter the objective, the losers are the game studios, especially independent ones that have limited titles with which to pay the bills. When gamers find themselves cheated out of points, gameplay, and even money through stolen virtual objects, they inevitably quit playing the game – thereby costing the studio revenue, players and momentum.
Battling Pirates Has Gone Virtual
Just as the world’s oceans gave yesteryear’s pirates a large attack surface, today’s games offer countless ways to plunder, pillage and loot. The battle used to be a physical one between a country’s shipping economy and high-seas pirates; now it’s a virtual one between game studios and an unseen enemy. Unlike old-time pirates, today’s cybercriminals are invisible, highly motivated, in some cases well-financed, and know no borders. Whether it’s the latest MMOG (massively multiplayer online game), console or single-player PC-based game, gaming software is extremely vulnerable to attacks on the client and/or server.
Reverse Engineering Is the Cyber-Pirate's Cutlass
The primary attack strategy for today’s online pirates is to reverse-engineer game protocols to steal intellectual property (IP) or inject malware, modify code to enable piracy or cheating, and even clone back-end servers for independent game operation. These attacks can result in substantial revenue loss, illicit app usage, or cloning of client or server applications to affect gameplay.
Instead of cannons and cutlasses, today’s pirates attack games by:
- Tampering to cheat – the biggest threat to the popularity and value of a game. Attackers tamper with game functionality to give themselves an unfair advantage.
- Piracy tampering – the biggest threat to game profitability. Since hacks are often released within hours of new game titles, versions, or other virtual world assets, they decimate new revenue streams from games in their most vulnerable stage. Attackers enable piracy by tampering with a PC game to deactivate, spoof or bypass license management.
- Game reverse-engineering – for PC games and the client portions of online and mobile games, attackers can gain complete control of game code – and with commonly available tools can unravel internal logic and client-server communication. They can then exploit vulnerable code with cheats, clone clients or issue commands.
- Back-end server reverse-engineering clone attack – attackers can model a back-end server by analyzing client communications with the server and internal client operations. This enables a “clone” of the back-end server to be created and run independently of the game operator, allowing subscription revenue theft.
- Reverse engineering communication – as the client and server, or two peers, communicate in the virtual world, attackers can inspect data traffic to reverse-engineer protocols. Subsequently, simple tools can be used to block packets and produce a negative effect on a player, or to replay packets that produce benefits for the attacker.
Thwarting Game Piracy
Arxan can help protect your game, your revenues and your players. Integrated at the binary and source code level, Arxan prevents attacks where they happen. The approach is multi-layered:
- Application Hardening – implementing a system of guards after code is finished deters the reverse engineering and tampering that can lead to breaches and app data theft
- Data and Key Encryption – using white-box cryptography to stop API compromises, theft of intellectual property or personally identifiable information
- Real-Time Threat Visibility and Analytics – enabling each protected app to “phone home” with vital security data allows teams to stay on top of emerging threats and vulnerabilities and optimize defensive strategies
Once Arxan protections are integrated within your games, they can be automatically applied to each new revision, greatly reducing the effort required when updating apps for re-release.
By hardening networked, PC and mobile gaming apps against vulnerabilities, safeguarding data and encryption keys, and providing real-time threat intelligence, Arxan Application Protection helps several of the largest game studios thwart today’s pirating threat.