14 September 2022

Security Implications when using Photon PUN

The world of cybersecurity is always changing as ethical hackers and hackers compete in an evolving arms race of attack and defence. At Cyrex, we always encourage our clients to look for and use tools that will help or reinforce their game and product security. Unfortunately, it can be difficult to move away from what is familiar and known. And this is just the case with many clients and Photon PUN.

What is Photon PUN

PUN or Photon Unity Networking is one of Photon’s oldest products and one that they even state has some issues regarding cybersecurity. They even say that it is deprecated now that they’ve evolved and released multiple newer products including Photon Quantum and Photon Fusion. PUN is effectively a series of networking libraries and quick and effective plugins that allow for peer-to-peer matchmaking and communication. Given its age, Photon recommends that it not be used with online competitive games where security is always paramount. Despite this, we’re still seeing clients use this version and put themselves at unnecessary risk.

Why does Photon PUN put you at risk?

As we always say, server-side authentication is king in security. And by default, Photon PUN works as a relay between game clients. It only confirms the information of each player individually and then with the other player. With no input or verification from the server-side, hacking and cheating is made all the easier. PUN does allow the creation of server-side authentication but due to its age, it is quite a simplistic level of security. It also has to be custom created by the user. The security it offers is quite minimal and basic and compared to Photon’s newer products – it’s outdated. To put it plainly, basic and integral gameplay interactions and physics cannot be validated without server-side validation. The newer technology on the market runs a version of the game code separately on the server side to confirm actions and interactions. Player physics, which include object interactions and movement, are a great example for this. Without verification, a player can instantly move a hundred feet and there will be no problems noticed. But with game code being verified server-side, an unreasonable or illegal action will be noticed and fixed.

The Benefit of Server-Side Game Code

Verifying these actions and ensuring there are no hackers or cheaters present are very hard to do without running the game code. Photon PUN cannot run game code, even if server-side authentication is implemented on the individual game’s basis. It’s too complex for the aged program to handle and therefore it’s impossible for it to verify complex information and interactions that occur in gaming code. It has the strength to handle basic checks like a web platform might. But once you push up to the logic required for gameplay, PUN is lost in the sense of security. Cyrex’ advice is simply not to use Photon PUN for your gaming needs. The level of security is far too low for us to recommend. Instead, look into their up to date releases!  

To learn more about Cyrex and our ethical hacking expertise, check out our portfolio page, blog, and penetration testing service page. If you have a query or a request, our team would be very happy to hear from you. Get in touch today and get the peace of mind that your product is as secure as it can be.