16 June 2021

Security Explained: Fear the Peer-to-Peer

Peer-to-peer or P2P is a method of connecting players during gameplay. Security without sacrificing performance is a key goal for us at Cyrex. It’s our modus operandi, our driving force when it comes to conducting security testing. P2P networking is a cost-effective alternative. However, we’ve noticed a lack of knowledge regarding its vulnerability to malicious actors.

Dedicated Server

There are typically two standard variants of networking in gaming. Dedicated servers or peer-to-peer. Dedicated servers are a private network of services hosted by the game developers or a provider. Each player involved in the network connect to the respective server. This server hosts the game and acts as the authority for all protocols and communication.

Whenever a player acts or changes something in-game, that action is checked against a set of criteria by the authority. In this case, the authority is the server and thus the developers have full control over said authority. This means security is easy to implement and easy to control. We have a lot of experience securing gameplay. As a result, we know that for a developer, this control is the name of the game when it comes to security.

Peer-to-Peer

This is the second variant of networking in gaming. In this case, there are two further options. A dedicated host or a mesh system.

The dedicated host effectively makes a player the ‘server’. This is chosen on a set of criteria. Usually, the player’s bandwidth and connection strength.

From there, the player acts as both host and player. For example, let’s call the host – Player A. Player A would send packets directly to the other players, B and C. They would receive and send their own packets back to Player A.

A mesh system connects all players to one another, no server or dedicated host. Each player’s system runs the game logic, and each individual system negotiates with the others. In this way, each player’s system is determining the actions of a single player and trying to link these actions with every other player.

Both of these options offer a more cost-effective solution to gameplay networking. But at best they often result in an advantage being granted to the player acting as the server.

Dedicated Server or P2P?

There are advantages to both, but it can be simply boiled down to resources and ease of implementation. P2P is cheaper and easier. It’s a combination of budget and easy implementation. But it often performs worse in terms of stability and connectivity. And a dedicated server requires upkeep or payment to maintain via a provider. This cost results in a more stable network.

Our reason for bringing up this topic is due to a lack of awareness regarding the security of P2P. While it is a benefit to money and time, it reveals a swathe of security issues.

The main issue is that there is no neutral authority to verify and authenticate player action. With one or several players acting as a hybrid server/client authority, it adds a layer of complexity. A layer where hackers and cheaters can happily sit inside. In this situation, you’re relying on the goodwill of your players and, as we all know, there will always be those looking to target the gaming industry.

Check, check one, two

As we stated, developers want control of every step. That’s where security and safety for all parties lies. With P2P, the control is left up to peer devices to confirm and ensure others aren’t exploiting or abusing the game systems.

Once a hacker or cheating player gets involved as either host or player, there is no authority in place to check, validate, and remove these threats.

In other words, P2P is unsecure by design.

While P2P is cheaper and convenient for developers, this lack of awareness of its security issues is harmful to both players and developers. When it comes to penetration testing and securing a game, one with P2P cannot be fully secured.

If you’d like to learn more about gameplay or application security, we have details on our website. We also have anonymised security reports available, if you’d like to see what kind of things we find during a penetration test. For any other inquiries, we'd love to hear from you