Governments and Gaming Platforms: It's Time for Warfare

Tuesday, April 10, 2012

Plagiarist Paganini


(Translated from the original Italian)

The US government is financing several activities to investigate and hack into the technology in every electronic device that surrounds us.

This is the next step in warfare, espionage and attacks on foreign enemies by simply accessing the devices that are present in their offices, in their households, and in their cars.

Every device connected to the Internet could be the target of an attack that exploits the lack of awareness of the cyber threat, and the intelligence harvested can be used for numerous purposes.

Devices exchange information, and while they rid our lives of many concerns, the issue is extremely delicate and deserves careful study. These devices can provide information on our experiences, can be controlled to spy on us, and even worse may be deliberately remotely tampered with to cause damage.

For this reason, the American cyber strategy has devoted a sensitive component of its research to this area, with the intent of qualifying the threat in detail while trying to benefit from this knowledge and its intended use.

The U.S. government recently promoted a project to hack into video game consoles, requesting the “Development of Tools for Extracting Information from Video Game Systems.”

The idea is simple and efficient: today's consoles are equivalent to a computer, they are connected to the Internet in the same way, and they provide many services to the end user.

The latest generation of gaming consoles has pushed into the communications realm, as the devices are able to communicate with every other player connected to the gaming platform. Those communications and other sensitive information are stored in the console and are an object of interest to US intelligence agencies.

The U.S. Navy has reported that the scope of the project is to hack into consoles to access sensitive information exchanged through their messaging services. It has offered guarantees that the spying technology will be used only on nations overseas, due to the legal restrictions that do not allow this practice on US citizens.

The official U.S. Navy statement is:

“This project involves furnishing video game systems, both new and used, and creating prototype rigs for capturing data from the video game systems.”

The description in the actual contract from the Federal Business Opportunities website, posted on March 26, is:

“R & D effort for the development and delivery of computer forensic tools for analyzing network traffic and stored data created during the use of video game systems.”

The project was published two months ago, and this week the U.S. Government has granted the contract to the California-based company Obscure Technologies, signing a contract of $177,237.50 for the job. 

Obscure Technologies was chosen due to its considerable experience in the sector and because it “is the only US company that appears to offer the purchasing of used computer equipment for access to the contained information as a commercial service,” according to the Contracting Activity document (docx).

US agencies are more interested in the platforms than in the games, mainly because newer consoles allow users to communicate with one another via messaging and chat systems.

The main requirements of the project are:

Online Monitoring Tasks:

  • Provide monitoring for 6 new video game systems, a maximum of 2 of any type from any given vendor.
  • Generate clean data (data that does not contain any identifiable information from real people) from new video game systems.
  • Design a prototype rig for capturing data from new video game systems.
  • Implement the prototype rig on the new video game systems.
  • Provide data captured by the prototype rig in the following formats: Packets shall be delivered in PCAP format, Disk images shall be delivered in E01/EWF format.
  • Write a final report, between 10 and 20 pages, to include details of work performed, the engineering approach used and the reason why, any engineering decisions that were made and why, what work remains to be done, and any failings of the approaches followed.

Offline Monitoring Tasks:

  • Provide used video game systems purchased on the open market.
  • Used systems provided shall be likely to contain data from previous users.
  • Extend tool development to implement creating signatures over sections.
  • Survey console chat room technology and identify potential chokepoints where data may be committed to storage.
  • Identify data storage points on used video game systems and attempt to demonstrate proof of concept.
  • Extract real data from used video game systems.
  • Provide data captured from used video game systems in the following formats: Packets shall be delivered in PCAP format, Disk images shall be delivered in E01/EWF format.
  • Provide video game system extraction software and/or hardware.

In the past, several studies were conducted on the use of gaming consoles by the producers and also by organizations interested in psychological research. This time the approach is quite different, as there is the clear intent to spy on users that access gaming platforms.

Similar projects have already been developed in the past. In 2008, a project called "Gaming Systems Monitoring and Analysis Project" was launched by law enforcement to investigate crime related to pedophilia.

Law enforcement authorities had requested help via DHS's Science and Technology Directorate asking for an instrument that could observe game console data. DHS then went to the Naval Postgraduate School (NPS) to recruit Simson Garfinkel, an NPS computer science professor, and offered a contract to a company that could conduct the research and produce a product.

"Today's gaming systems are increasingly being used by criminals as a primary tool in exploiting children and, as a result, are being recovered by U.S. law enforcement organizations during court-authorized searches," said Garfinkel.

Obviously, there have been many concerns about the project and its legality. The Electronic Freedom Foundation's (EFF) spokesman Parker Higgins has alerted the worldwide community to the illegality of the effort to access sensitive information stored on consoles without the user having specifically requested it.

The main question is: what sensitive information do consoles keep without the explicit authorization of their users?

Parker Higgins said:

"You wouldn't intentionally store sensitive data on a console. But I can think of things like connection logs and conversation logs that are incidentally stored data. And it's even more alarming because users might not know that the data is created. These consoles are being used as general-purpose computers. And they're used for all kinds of communications. The Xbox has a very active online community where people communicate. It stands to reason that you could get sensitive and private information stored on the console."

The interest of the US government in the gaming sector is not only motivated by spying intent, as the same consoles can be used as a weapon in a cyber attack.

Imagine a botnet made up of millions of consoles conducting an attack against a strategic target. This is not science fiction, it is reality. Similar attacks may cause extensive damage in a cyber warfare scenario and the U.S. government is aware of it.

Understanding and addressing the issues related to this new generation of cyber weapons is crucial, including the potential for misuse of consoles in this context. The gaming market is one of the most critical in terms of security for the following reasons:

  • complex infrastructure that is not easy to manage, with significant computing power, and very attractive to hackers for the chance to use it in attacks.
  • availability of a large amount of payment information (e.g. credit card numbers and info about their owners).
  • diffusion of mobile devices with specific security issues.
  • issues related to piracy management and more generally related to DRM (“Digital Rights Management”).

A study conducted about one year ago showed that 80% of organizations that provide gaming services do not keep track of those who use game consoles in the workplace, thus making it impossible to trace the activities related to the possible source of an attack.

After the Sony event, something has changed. The war has just begun ...

Cross-posted from Security Affairs

Charles Jeter: Since XBox is launching a new console within the next 12 to 18 months I figure the old style systems will start backing up, they'll end up being sent overseas eventually. Knowing now how to exploit those low-cost computer platforms which will end up in all corners of the world seems like a plan that DoD is able to take. Whether they can hack into an XBox Live account and take control of the Kinect camera and microphone... that might be against the ROE that the Navy is restricted to.

Unless the target happens to be someone the Navy (DEVGRU) is authorized to capture or eliminate.

There's a reason that we haven't seen any follow-on attacks since 9/11. The right people are getting killed. Sorry to be so frank about it, but the job's getting done. And due process isn't part of the DoD's job unless you're first, an American citizen, and second, not posing an imminent threat.
Plagiarist Paganini: Hi Charles, I share your point of view, anyway I believe that the threat is real and dangerous. Every Government is spending a lot in monitoring and control, don't forget also that cyber threats can be also related to cybercrime and hacktivism. The response of the government promoting this project is controversial but coherent.
warm regards
and thanks for the comment
Tom Coats: Hi Charles,
I try so hard to steer away from the politics on this forum. But your frankness demands an answer.
"There always and only the bad people but some of them are on opposite sides." The problem with lowering your standards (for due process, for ROE, for appropriate use of force) is that first there will be mistakes made and innocent people will be hurt maybe killed ("collateral murder" was just a potent example) The second is that everyone starts to play the game, and perhaps you are perfect but the Israelis, The Russians, the Poles probably aren't or perhaps they have a different list of who they think are evil bastards who should be killed. The escalation and weaponisation of our industry will cause the whole scheme to collapse, building solutions that resist weaponisation, promote communication and business are where I would prefer to put the money and effort.
My raft of rules and vaguely good intentions.
You guys make me feel like a dinosaur.
Michael Johnson: Just have to add my two pennies here. I'm in total agreement with Tom, and in fact I've always made the same argument against the idea 'offensive security'/'cyber weapons' the Internet in general for the following reasons:
* How can we differentiate between a 'cyber weapon' and a script kiddy tool? The parties wanting to use them don't necessarily understand why they work.
* It legitimises the acts of disrupting networks, invading privacy and other stuff along those lines.
* In the longer term, 'cyber weapons', 'offensive security', excessive surveillance and censorship will undermine the overall security of the Internet, since confidentiality and availability become much harder to maintain.
Plagiarist Paganini: Hi Michael I partially agree ... there is a big difference between a cyber weapon and a script kiddy tool. To realize the first one we need a great effort in terms of intelligence and also great technological skills ... that is the opposite for script kiddy tools.
Regarding your long term vision ... I share it! Internet is changing, soon it will be not accessible if the things will not change too.
Warm regards
Tom Coats: It will be interesting to see what the XBox attack code looks like, will it be another bloat-ware product like Stuxnet? Written in compartments where none of the coders really knows the end-product and how long will it take the rest of us to recognize it.
Plagiarist Paganini: Well in my imagination the code behind these devices could be used mainly for spying purpose (e.g. information gathering) or for attacks of DDoS type in a powerful botnet. Of course we can imagine to use these devices also to spread malware on the network, but this hypothesis is too far ... at least for the moment.
Michael Johnson: In other words, the Internet gets more malware, botnets and script kiddies wasting bandwidth every time politicians throw their toys out the pram. I'd actually call them script kiddies because someone else (Obscure Technologies) is creating the tools, and it's a safe bet those using them will have superficial understanding (or none) of the technologies involved.
Aren't the ethics of security professionals supposed to prevent things degrading into a situation like this?

What's interesting here is the US government's 'cyber war' and surveillance capabilities can't be anywhere near advanced as we initially thought, if the DHS has to resort to using botnets and malware.
Plagiarist Paganini: Dear Michael, believe me we are at a historic turning point for Internet. Cyber weapons, hacktivism, cybercrime, warfare ... are transforming internet in a battlefield. The concept of internet will change ... I wrote some article on this topic ... ethical hacking is just a step of a process to secure internet ... a little component of a huge project that must include awareness, monitoring, regulations ... and other options
warm regards
and thanks to all for the precious comments
Tom Coats: Hi Pierluigi, this was a good discussion, and it is great that we are getting cross fertilization with the States on this, because all too often it descends into an "us vs them" irrational fear-based discussion.
"defend the infrastructure" seriously. It is amazing that the Internet works at all. Cheers I look forward to more lively discussions. If you don't think you are in this to save the world you are in the wrong industry :-)
Plagiarist Paganini: thanks Tom, I agree. The challenge is crucial for future existence of internet as it is today. I'm sure that it will deeply change ... in this scenario the only way to protect critical infrastructures is to isolate them from the networks ... we are too vulnerable ... but it is an utopian.