Video games are a threat to my corporate security? If only it was a joke. Video games, both PC based as well as console games, and even phones, are a threat. Not one that you as the asset protector can necessarily deal with, but awareness of a growing threat can’t hurt.
We (in the security industry) are well aware of the use of console systems for brute forcing passwords on encrypted sources. The Air Force and other governmental agencies have made large quantity purposes, for various “missions”. But aside from the massive computational power, modern console games have a dark side almost nobody is talking about yet: harnessing them for a botnet. If some enterprising hacker figures out a way to harness one or more console types in a persistent botnet, we could have a serious problem. And none of the consoles is equipped with security features anywhere near the PC platforms. You’d think that would make them natural targets. At least they tend to use private networks for connectivity, although a good examination of the protocols should reveal the usual collection of weaknesses and exploitable problems.
If you look at a modern console game platform, you’ll find all the necessary hardware to support malware. Processors, persistent memory, and a network connection. Several platforms are readily hackable, in ways that the manufacturer won’t be able to detect without knowing what to look for, assuming anyone is even looking. Better yet, most of the console OS’s bear close resemblance to an existing OS platform, making it easy to transition to coding for the consoles. Getting the information necessary to pervert the console OS might be difficult, but definitely not impossible, since most of the code necessary for programming the console is available, the actual OS code can’t be far out of reach.
We are reviewing the EULA to see if we can conduct some tests on our console without angering some corporate lawyers or “bricking” the unit.
Games that run on consoles are another issue. Assuming the same level of security awareness in game programmers as found in corporate software would seem to imply that there are quite a few bugs out there waiting to be exploited. Thankfully, the cycle of game popularity means there is a shorter window of availability to use any particular game as a point of entry to a console. PC games have similar concerns. The protocol streams of both types of games reveal some interesting artifacts that may lead to exploitable services. Who would have thought of using a MitM attack against an Xbox?
PC games are more of a security challenge though, as many of, if not all, corporate alpha geeks, and many company males in general, either take laptops home where user PC’s get access to them on the home network, or users directly install games on the corporate hardware. Two vectors to gain access inside your firewall, bypassing most, if not all, of your security.
Bill, in Sales, loads a popular game on his corporate laptop, and if that game is compromised, the hacker has a clean, invisible pipe into your corporate network. Or it could just turn into a simple botnet zombie that, when he innocently brings it to the office, infects all the rest of your company PCs.
If hackers are willing to exploit Adobe and Word, what makes you think they won’t exploit Madden NFL 10?
In any corporate environment, be sure you are restricting users abilities to install programs, or connect uncleared devices to a secured network.
Digital Trust, LLC
This blog and it’s contents copyright 2009 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing. Any republication or reuse is forbidden if the Digital Trust name is removed.