(Translated from the original Italian)
The US government is financing several activities to investigate and hack into the technology in every electronic device that surrounds us.
This is the next step in warfare, espionage and attacks on foreign enemies by simply accessing the devices that are present in their offices, in their households, and in their cars.
Every device connected to internet could be the target of an attack, exploiting the lack of awareness of the cyber threat, and the intelligence which is harvested can be used for numerous purposes.
Devices exchange information, and while they rid our lives of many concerns, the issue is extremely delicate and deserves careful study. These devices can provide information on our experiences, can be controlled to spy on us, and even worse may be deliberately remotely tampered with to cause damage.
For this reason, the American cyber strategy has addressed a sensitive component of research in this area with the intent to qualify in detail the threat while trying to benefit from this knowledge and its intended use.
The U.S. government recently promoted a project to hack into video game consoles, requesting the “Development of Tools for Extracting Information from Video Game Systems.”
The idea is simple and efficient, as today's consoles are equivalent to a computer, they are connected to internet in the same way, and they provide many services to the end user.
The latest generation of gaming consoles have pushed the communications realm, as the devices are able to communicate with every other player connected to the gaming platform, and those communications and other sensitive information is stored in the console and are object of interest of by US intelligence agencies.
The U.S. Navy has reported that scope of the project is to hack into consoles to access to sensitive information exchanged through their messaging services. They have offered guarantees that the spying technology will be used only on nations overseas due the legal restrictions that don't allow this practice on US citizens.
The official U.S. Navy statement is:
“This project involves furnishing video game systems, both new and used, and creating prototype rigs for capturing data from the video game systems.”
The description in the actual contract from the Federal Business Opportunities website, posted on March 26 is:
“R & D effort for the development and delivery of computer forensic tools for analyzing network traffic and stored data created during the use of video game systems.”
The project was published two months ago, and this week the U.S. Government has granted the contract to the California-based company Obscure Technologies, signing a contract of $177,237.50 for the job.
Obscure Technologies was chosen due its considerable experience in the sector and because it “is the only US company that appears to offer the purchasing of used computer equipment for access to the contained information as a commercial service,” according to the Contracting Activity document (docx).
US agencies are more interested in the platforms rather than the games, mainly because newer consoles allow users to communicate with one another via messaging and chat systems.
The main requirements of the project are:
Online Monitoring Tasks:
- Provide monitoring for 6 new video game systems, a maximum of 2 of any type from any given vendor.
- Generate clean data (data that does not contain any identifiable information from real people) from new video game systems.
- Design a prototype rig for capturing data from new video game systems.
- Implement the prototype rig on the new video game systems.
- Provide data captured by the prototype rig in the following formats: Packets shall be delivered in PCAP format, Disk images shall be delivered in E01/EWF format.
- Write a final report, between 10 and 20 pages, to include details of work performed, the engineering approach used and the reason why, any engineering decisions that were made and why, what work remains to be done, and any failings of the approaches followed.
Offline Monitoring tasks:
- Provide used video games systems purchased on the open market.
- Used systems provided shall be likely to contain data from previous users.
- Extend tool development to implement creating signatures over sections.
- Survey console chat room technology and identify potential chokepoints where data may be committed to storage.
- Identify data storage points on used video game systems and attempt to demonstrate proof of concept.
- Extract real data from used video game systems.
- Provide data captured from used video game systems in the following formats: Packets shall be delivered in PCAP format, Disk images shall be delivered in E01/EWF format. Provide video game system extraction software and/or hardware.
In the past, several studies were conducted on the use of gaming consoles by the producers and also by organizations interested in psychological research. This time the approach is quite different, as there is the clear intent to spy on users that access gaming platforms.
Similar projects have already been developed in the past. In 2008, a project called "Gaming Systems Monitoring and Analysis Project" was launched by law enforcement to investigate crime related to pxdxphilia.
Law enforcement authorities had requested help via DHS's Science and Technology Directorate asking for an instrument that could observe game console data. DHS then went to the Naval Postgraduate School (NPS) to recruit Simson Garfinkel, an NPS computer science professor, and offered a contract to a company that could conduct the research and produce a product.
"Today's gaming systems are increasingly being used by criminals as a primary tool in exploiting children and, as a result, are being recovered by U.S. law enforcement organizations during court-authorized searches," said Garfinkel.
Obviously, there have been many concerns about the project and its legality. The Electronic Freedom Foundation's (EFF) spokesman Parker Higgins has alerted the world wide community regarding the illegality of the effort to access sensitive information stored on consoles without having been specifically requested by the user.
The main problem is "Which are the sensitive information that consoles keep without explicit information authorization of the users?"
Parker Higgins said:
"You wouldn't intentionally store sensitive data on a console. But I can think of things like connection logs and conversation logs that are incidentally stored data. And it's even more alarming because users might not know that the data is created. These consoles are being used as general-purpose computers. And they're used for all kinds of communications. The Xbox has a very active online community where people communicate. It stands to reason that you could get sensitive and private information stored on the console."
Imagine a botnet made up of millions of consoles conducting an attack against a strategic target. This is not science fiction, it is reality. Similar attacks may cause extensive damage in a cyber warfare scenario and the U.S. government is aware of it.
Understanding and addressing the issues related to the new generation of cyber weapon is crucial, as is the potential for misuse of consoles in this perspective. The gaming market is one of the most critical in terms of security for the following reasons:
- not easy to manage complex infrastructure, with significant computing power, and very attractive to hackers for the chance to use in attacks.
- availability of a large amount of payment information (e.g. Credit card numbers and info about their owners).
- diffusion of mobile devices with specific security issues.
- issues related to piracy management and more generally related to DRM (“Digital Rights Management”).
A study conducted about one year ago showed that 80% of organizations that provide gaming services not keep track of those who use game consoles in the workplace, thus making it impossible to trace the activities related to the possible source of an attack.
After the Sony event, something has changed. The war has just began ...
Cross-posted from Security Affairs