28 October 2021

Unreal Engine – Security Best Practices

As experts in game security, we know without a doubt that the Unreal Engine is one of the best game engines on the market. We’ve compiled a list of ‘quick security wins’ that this advanced, market-leading tool has in its favor.

To give a quick rundown of what the Unreal Engine is: it’s the world's most open and advanced real-time 3D creation tool for photoreal visuals and immersive experiences. Developed by Epic Games, the engine was first showcased in the 1998 first-person shooter Unreal. Since then, it has become a leading competitor to Unity in the video games industry. It lets users create immersive virtual worlds and is used across a variety of 3D game genres (Fortnite, Gears of War, Final Fantasy VII Remake, Valorant) as well as in the film/TV industry.

What are these security best practices?

Now that you know the Unreal origin story, it’s time to delve into the nitty-gritty of it all. What makes the Unreal Engine such a secure and viable game engine? Cyrex has conducted countless penetration tests on Unreal Engine-based games over the years, so we wanted to share some of the most notable security issues we discovered and felt were worth highlighting:

    • Encrypt your connection

      To prevent man-in-the-middle (MitM) attacks, the server should use DTLS or another encryption method. The DTLS Handler Component is a plugin that encrypts the connection between the client and the game server. It puts an encryption layer over your connection, shielding you from hackers, and can be easily implemented within your game.

      The DTLS Handler prevents anyone from accessing the information sent between you and the game server, such as authentication tokens, so they cannot see it or share it with third parties.

      More information can be found here: DTLSHandlerComponent

    • Don’t publish PDB files

      During compilation, a PDB file (Program Database File) is often constructed from source files. It stores and keeps track of all symbols in a module, including their addresses, as well as the name of the file and the line on which they were declared. Because it takes up a lot of space, this symbol information is not saved in the module itself.

      PDB files should be removed from the shipping build because they contain debug symbols, which make reverse engineering a lot easier: they hand hackers the symbol names, addresses and source locations described above. Essentially, PDB files help hackers understand exactly what is ‘under the hood’ of the program.

    • Prevent speed-hacking

      Speed-hacking allows users to hack their characters, providing them with the ability to move around faster than other players in the game. You can understand how frustrating it would be playing a match in Call of Duty, only for your enemy to be whizzing around the map and wiping you out within seconds. This hack sends double the number of packets to the server and, because of this, the server should rate-limit the number of packets it receives.

      If there is not enough time between new packets, the server should discard the input or move the player back. Unreal Engine implements two settings that either detect or resolve these hacking attempts. AGameNetworkManager handles game-specific networking management such as cheat detection, bandwidth management, and more.

      More information can be found here: AGameNetworkManager

    • Disable ServerChangeName RPC

      ServerChangeName allows a player to copy another user's name exactly. It doesn’t matter if it’s just your average player or even a big-name streamer, identity theft is not a joke! The RPC should be removed from the build in order to prevent users from spoofing their username.

    • Validate Name parameter in mapUrl of login request

      Whenever you join a game, the client sends a mapUrl, providing a window for the hacker to pause the game and quickly change or replicate names before the game begins. To avoid this, the server should extract the player's username from the session data instead of accepting it from user input on login.

    • Split server-side code from client-side code

      If a hacker successfully reverse-engineers the binary, they can see what runs on the server, including vulnerabilities that can be easily exploited. There are two ways this can be prevented:

      1. Place #if WITH_SERVER_CODE around the bodies of individual server-side functions.

      This is particularly useful if you only want to disable a single function or two in a class that otherwise would exist on the client, but this can be very cumbersome if you want to hide an entire class from clients.

      2. Make a server-side module.

      For example, on Fortnite there is a FortniteServer module that has most of the GameMode classes defined in it, as well as other support code. You can make a server module very similar to how you make a game-specific editor module. You’ll then have to add a conditional module dependency on your server module to your *Game.build.cs file.
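
For the speed-hacking item above, the following is an added example, not part of the original article and not Unreal Engine code: a simplified, engine-independent model of a server-side time budget that clamps a client's moves once its claimed time runs ahead of the server clock. All type and function names, the margin values and both packet streams are constructed for illustration.

```cpp
#include <algorithm>
#include <cstdio>
#include <vector>

// Added illustration, not Unreal Engine source. All names are hypothetical.
struct Move { double clientDelta; double serverDelta; };  // seconds

struct MoveTimeGuard {
    double maxMargin;  // how far simulated time may run ahead of the server clock
    double minMargin;  // negative floor, so a lag spike cannot bank unlimited credit
    double ahead;      // simulated time minus server wall-clock time so far
    int flagged;       // moves that claimed more time than the budget allowed

    // Returns the time the server actually simulates for this move.
    double Accept(const Move& m) {
        double claimed = std::max(0.0, m.clientDelta);   // ignore negative deltas
        double budget = std::max(0.0, maxMargin - ahead + m.serverDelta);
        double simulated = std::min(claimed, budget);    // resolution: clamp the move
        if (simulated < claimed) ++flagged;              // detection: over budget
        ahead = std::max(minMargin, ahead + simulated - m.serverDelta);
        return simulated;
    }
};

struct Result { double simulated; int flagged; };

Result RunStream(const std::vector<Move>& moves, double maxMargin, double minMargin) {
    MoveTimeGuard guard{maxMargin, minMargin, 0.0, 0};
    double total = 0.0;
    for (const Move& m : moves) total += guard.Accept(m);
    return {total, guard.flagged};
}

// Constructed input: one second of play at 16 moves per second.
std::vector<Move> HonestSecond() { return std::vector<Move>(16, Move{0.0625, 0.0625}); }

// Constructed input: the same second with twice the packets, each still
// claiming a full 1/16 s of movement although only 1/32 s really passed.
std::vector<Move> DoubledSecond() { return std::vector<Move>(32, Move{0.0625, 0.03125}); }

int main() {
    Result honest = RunStream(HonestSecond(), 0.25, -0.25);
    Result cheat = RunStream(DoubledSecond(), 0.25, -0.25);
    std::printf("honest: %.3fs simulated, %d flagged\n", honest.simulated, honest.flagged);
    std::printf("doubled: %.3fs simulated, %d flagged\n", cheat.simulated, cheat.flagged);
    return 0;
}
```

With these margins the doubled stream gains at most the 0.25 s margin over an honest client, and every clamped move is counted so the server can log or act on it.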
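
For the login-name item above, the following is an added example, not part of the original article and not Unreal Engine code: it contrasts trusting the Name option of the login URL with taking the name from server-side session data. The `Session` option key, the session store, the simplified `ParseOption` helper and the sample values are assumptions made for illustration.

```cpp
#include <cstdio>
#include <map>
#include <string>

// Added illustration, not Unreal Engine source. All names are hypothetical.
// Server-side session store: session token -> account name set at authentication.
using SessionStore = std::map<std::string, std::string>;

// Simplified stand-in for reading one "?Key=Value" pair from the login options.
std::string ParseOption(const std::string& options, const std::string& key) {
    const std::string needle = "?" + key + "=";
    std::size_t start = options.find(needle);
    if (start == std::string::npos) return "";
    start += needle.size();
    std::size_t end = options.find('?', start);
    return options.substr(start, end == std::string::npos ? end : end - start);
}

// Weak: trusts the client-supplied Name option, so any name can be claimed.
std::string NameFromUrl(const std::string& options) {
    return ParseOption(options, "Name");
}

// Hardened: the Name option is never read. The name comes from the session
// record, and a login without a known session token is rejected.
bool NameFromSession(const std::string& options, const SessionStore& sessions,
                     std::string& outName) {
    auto it = sessions.find(ParseOption(options, "Session"));  // assumed option key
    if (it == sessions.end()) return false;
    outName = it->second;
    return true;
}

int main() {
    SessionStore sessions = {{"tok-alice", "alice"}};   // constructed sample data
    const std::string login = "?Name=BigStreamer?Session=tok-alice";
    std::string name;
    bool ok = NameFromSession(login, sessions, name);
    std::printf("url name: %s, session name: %s (%s)\n",
                NameFromUrl(login).c_str(), name.c_str(), ok ? "accepted" : "rejected");
    return 0;
}
```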

Unreal Engine is currently on its fourth generation, with Unreal Engine 5 scheduled for full release in early 2022.
