The Baltimore-based computer security company that hacked into the sizzling, hot iPhone and broke the encryption on wireless gas payment cards and car keys used by millions of drivers is at it again. But this time, analysts there uncovered serious vulnerabilities in two highly popular fantasy worlds frequented by hundreds of thousands of online players around the globe.
Using flaws discovered in the games' coding, Independent Security Evaluators said it was able to read confidential files on massive multiplayer online (MMO) games Anarchy Online and its best-selling successor, Age of Conan. ISE, which will reveal the research today on its Web site (securityevaluators.com), said it was also able to take control of a player's computer in the older game.
The vulnerabilities, ISE says, expose a growing concern among industry experts. Many say players of such games should start worrying more about malicious attacks that can endanger confidential and financial data than the virtual battles that revolve around crushing demon skulls and laying siege to ancient towns.
"Most people, by now, know not to open e-mails and click on links that aren't from people they know," said ISE security analyst Stephen Bono. "But players of these online games are more focused on whether they can walk through walls than whether someone can hijack their computer and steal personal data. The awareness is not there. That's a big problem, since many of these virtual games involve online economies where real money is exchanged for virtual money and goods.
"As these games get bigger and bigger, and more and more people play, and more real money is involved, it's ripe for criminals," Bono said.
Now all this talk of fake money, virtual worlds and fantasy lives might leave many of you addled. Don't we have enough to worry about in the real world?
What's not hard to understand is that there's a lot at stake in this multimillion-dollar industry that gains new fans every year.
To put it into context using some rough numbers, senior lecturer David Grundy at Newcastle Business School at Northumbria University said, "Star Wars is generally thought of as being the biggest movie of all time at around [a] $1 billion take. "Thriller" still is about the biggest song ever recorded, with sales of $500 million. One MMO game alone, World of Warcraft, a game which many of your readers will have never heard of, has for almost four years dominated PC game sales and revenues, with estimated global proceeds of over $4 billion.
"It is, simply put, the biggest single entertainment product ever," said Grundy, who is co-author of a virtual security blog, MetaSecurity.net.
By comparison, consider the 1 million copies of Age of Conan that Norwegian firm Funcom sold this year and the 700,000 subscribers who pay about $15 a month to role-play with thousands of players around the world. That amounts to an income stream of $10.5 million a month.
That's why, Grundy says, "criminals are targeting the online gaming world" and why giant Microsoft Corp. warned developers at a recent games conference in Seattle: "Those of you who are working on massively multiplayer online games, organized crime is already looking for you."
There's real money at stake, and should players feel less secure about these online games, they could stop playing.
Players, Grundy said, should "consider everything they ever type into their computer. Every user name and password they ever use, every bank code they use and so forth."
In a recent demonstration of ISE's findings, analyst Gabe Landau logged into Age of Conan to highlight the vulnerabilities. He showed how sending a routine invitation to visit his player's team Web site using two booby-trapped links to another player could allow him to read confidential files. Data could include anything from passwords to bank account numbers off the other player's computer.
To protect real players of the game, the other player in ISE's demonstration was Landau's colleague, Dan Caselden.
In the second serious breach, ISE said vulnerabilities in Anarchy Online allowed them to read files and take over the other player's computer, which could then be used to launch attacks on Web sites or send spam.
"It's a whole new world of electronic fraud," Bono said.
It's also a huge headache for game makers like Funcom, which was notified of ISE's findings almost six weeks ago.
Before anyone panics, Funcom said Thursday that it has patched the holes.
"Security vulnerabilities can appear in all Internet-based software, from Web browsers to online games, and defeating them is a constant challenge for all developers," said Funcom product manager Erling Ellingsen. "This is something we take very seriously, and we constantly have a team of dedicated engineers working on preventing this from happening. The issues in question here have already been corrected by our engineers for both Anarchy Online and Age of Conan. Also, we have not received any reports that these security vulnerabilities were misused before they were corrected."
Ellingsen said that the fixes took time because Funcom engineers had to test the patches and then issue them to players. When a player logs in to the game, the patch is immediately downloaded to their computer, he said.
"It is definitely a good thing," Ellingsen said of ISE's keen eye for security gaps. "Whenever anyone can point to something we need to fix, we appreciate it."
Bono said tests run by ISE on Thursday showed that Funcom's patches no longer allow them to read files on both games. But it said both games still have a bug that allows ISE to crash players' computers.
"This is just a good example of our goal to make people more aware of the risks out there," Bono said. "Online games are a huge attack surface for bad guys. There aren't a lot now, but as these games continue to grow, the tide will turn."
After all, it's not all fun and games, people. There are far scarier things out there than virtual demons.
Dan Thanh Dang's column also appears Thursdays.