When it comes to securing games against hackers, there’s a common misconception that can be very harmful to the security world. When a typical security firm tests for vulnerabilities, they’re unlikely to even consider testing the gameplay. This is because of the misconception that gameplay is rarely attacked, as it’s not as common as a traditional back-end API.
In addition, security is unlikely to consider securing the gameplay elements because it’s a much more difficult task. Security engineers must seek out and cover as many avenues of attack as possible in their limited time. Whereas hackers aren’t limited by a timeframe or a budget.
Time and Budget
Security companies usually work with web applications and those with experience testing gameplay are looking to maximise their findings with the limited timeframes. But it’s a rarely tested area because of the misconception that it is rarely attacked. But hackers are attacking it, that’s where they live. Modifying and tampering with the client-side binary. Once this is compromised, it can be packaged and sold off to players seeking to cheat.
Companies can’t afford to wait and they certainly don’t pay security engineers to take longer to do their jobs. Between checking for tampering and reverse engineering functionalities for potential vulnerabilities, most teams are already working a careful line of efficiency and speed.
Cyrex and Gameplay testing
This is one of our unique strengths, which we work on daily to stay at the top of the game. There are a few key aspects to our teams and our knowledge that help us test gameplay. One tool involved is our proprietary Cyrex Protoceptor, a protocol sniffer tool, which we use for man in the middle attacks. It allows us to check all different functionalities and gameplay-related network requests between client and server, which we then verify and report.
While this tool helps us with gameplay testing it also helps speed up our testing tremendously. It gives us breathing room to cover as many gameplay elements and functionalities without missing any potential vulnerabilities. Between this tool and our pair hacking methods, we are always surprising our clients with the speed of our work and the number of vulnerabilities we find.
The Game Hacking mindset
Another aspect of game hacking that often pushes away many security engineers is the knowledge required. To hack something, you must understand how it works. From there, you can understand how it can be manipulated. For games, you have to know how they work. How certain functionalities interact and work with the player. Without this knowledge, a security engineer would have to inform themselves and learn – taking the precious time to do so.
At Cyrex, we’re native players. We’re no strangers to games so once we’re introduced to the game, we can immediately get to work understanding how the system works. This knowledge also helps with the actual penetration testing as we know the common areas of manipulation. We’ve seen it all, across dozens of games. Whether front-end, back-end, a clan system, a marketplace, looking-for-group systems, we’ve seen it all. Our knowledge helps us know the common attack vectors and find new ones.
Game Hacking technicalities
On the other side of knowing how games work, there’s knowing how they are put together too. Coming as native players and having a huge amount of experience testing games, we are intimately familiar with the common game engines, such as Unity and Unreal. We’ve also worked frequently on custom engines on several occasions. Which helps us in finding those patterns when looking for vulnerabilities.
We have the in-depth game security knowledge that a typical security vendor might not be familiar with. This knowledge truly helps us in understanding games quickly both on a player and technical level. With this knowledge and understanding, our quality improves with each round of testing. We are able to quickly understand the scope of the game and thus provide a quick and efficient penetration test.
Security on gameplay is something that is often overlooked, whether for timing or lack of consideration. At Cyrex, we believe no element of security should go without proper attention. Between our knowledge, tools, and top-of-the-line methodology, we’re working hard to stay true to that belief.
If you’d like to learn more, you can get in touch, visit our pages on penetration testing, or find anonymised security reports here. We also have a portfolio of previous works as well as our other services available on our site.