Are Video Games Hackable? A Cybersecurity Story
by Alexander J. Roxon
At its core, playing a video game is no different from filling out your taxes online. In both cases you are using input devices (keyboard and mouse, or a gaming controller), entering values into a computer application (a web form, game cartridge, or desktop application) and seeing what the outcome is on a monitor. I'd argue that one of the two is significantly more fun, but maybe you really love taxes and I am not one to judge. Ultimately both the online tax form and the video game are made of computer code. We hear about companies and their online applications being hacked all the time, but are videogames... hackable? The answer is yes, and I'm going to walk you through an example.
Super Mario 64: An Example of Authorization Bypass
Introducing the game. Super Mario 64 was our favorite red plumber's first foray into the 3D gaming space and served as a launch title for the iconic Nintendo 64 console. Whilst the graphics aren't anything special by today's standards, at the time they were absolutely mesmerizing, and to this day Super Mario 64 is widely regarded as one of the greatest videogames ever made. The plot is simple: Bowser has kidnapped Princess Peach and you need to rescue her (sound familiar?). So Mario dives in to collect power stars and defeat Bowser.
Hold up, hoooooooooold up. What are authentication and authorization and what do they have to do with Mario?
Fair question. Authentication is the process of proving you are who you say you are. An example of this is a login page asking for your username and password. Once you've entered these and the application has confirmed they are correct, the application next looks at what authorization your account has. Authorization, in simple terms, is determining what an account does and does not have access to. An authorization bypass is when a user is able to reach areas of an application they are not meant to have the authority to see (or perform actions they do not have the authority to perform).
In Super Mario 64, authentication is pretty simple. You are a man in blue overalls running around with a cap with a large M on it. You are clearly Mario Mario (yes, that's his surname).
Ok but what does authorization have to do with anything?
Well, a lot actually. Videogames are designed to allow varying levels of freedom, but generally a player is blocked from firing up a game and heading directly into the final boss area. In Mario 64 there are doors with a number on them—these are saying "Yes, I can see you are Mario, but unless you have x stars you do not have the authority to enter."
This is similar to how in web applications—such as in the online process for filling out taxes—you have access to your own data, but not access to the administrator functionality for doing things like deleting and creating accounts or exporting data out of the application. Another example of an authorization check in Super Mario 64 is the Endless Stairs.
The Endless Stairs...
Before facing Bowser for the third and final time, the game shows you that Bowser is waiting for you at the top of the Endless Stairs. But the Endless Stairs won't let you up until you have 70 stars. If you try climbing this staircase with fewer than 70 stars, the stairs will just loop over and over, with Mario never reaching the top. This happens because at the top of the staircase there is essentially a teleporter, sending Mario back to the bottom of the stairs. The teleporter is invisible, but it's large enough that even if Mario is running as fast as he can or jumps as far as he can, he won't be able to jump over it. As long as Mario is inside the teleportation zone for a single frame (0.05 seconds or so), he will be teleported back to the bottom of the stairs to begin the loop again.
I don't like these constraints, I want to skip the Endless Stairs.
Now you are thinking like a hacker. What if Mario could travel up the stairs so quickly that he never spends a whole frame inside the teleportation zone? Essentially, this would mean that as far as the game is concerned Mario was never inside the teleportation zone at all, so he could progress past it. Sadly, this is impossible as Mario's forward speed is capped. He cannot run fast enough to skip the teleportation zone.
This seems like a long article for it to end in failure, I'm suspecting there is a way to do it.
True, so what about Mario's backwards speed? Interestingly enough, the developers chose not to cap Mario's backwards speed. In fairness, why would they? Apart from crawling or sliding, Mario can't really travel backwards anyway, let alone build up the required speed. In information security we'd call this a vulnerability—a potential hole in the code that may lead to an undesired outcome. But without an exploit to take advantage of the vulnerability, there is no problem really.
Introducing the backwards long jump.
Well, really it is meant to be a forward long jump, but you can actually reverse the direction. Not only that, but you can chain long jumps together, with each jump increasing Mario's speed until... I think you can see where this is going. The player can build up enough speed to climb the stairs so quickly that Mario never spends a full frame inside the teleportation zone and therefore reaches the top of the stairs, even without 70 stars. Mario has now essentially reached the administrative area of the application, which he was not supposed to be able to do until he had acquired 70 stars.
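To make the mechanics of the bypass concrete, here is an added toy model of the Endless Stairs check, written for this article and not taken from the game's code or from the author. The staircase, zone width, speed cap and per-jump speed gain are all assumed values; the point is that a once-per-frame point check can be skipped by a fast enough (uncapped) mover, while a check over the whole distance moved in a frame cannot.

```python
# Toy model of the Endless Stairs authorization check (not the game's code).
# All values are constructed for illustration: the stairs are a 1-D line from
# 0 to STAIR_TOP, an invisible teleport zone sits just below the top, and the
# game tests Mario's position once per frame.

STAIR_TOP = 1000.0                    # assumed: top of the stairs (arbitrary units)
ZONE_START, ZONE_END = 900.0, 960.0   # assumed: teleport zone, 60 units wide
FORWARD_CAP = 48.0                    # assumed: forward speed cap, less than the zone width


def in_zone(pos):
    """Vulnerable check: only asks where Mario is on this frame."""
    return ZONE_START <= pos <= ZONE_END


def overlaps_zone(prev, pos):
    """Hardened check: asks whether the path from last frame to this frame
    crossed the zone at all, so no speed is high enough to step over it."""
    lo, hi = min(prev, pos), max(prev, pos)
    return lo <= ZONE_END and hi >= ZONE_START


def climb(gain, forward, swept=False, max_frames=200):
    """Simulate climbing the stairs frame by frame.

    gain    -- speed added each frame (chained long jumps building momentum)
    forward -- True applies FORWARD_CAP; False models uncapped backwards speed
    swept   -- True uses the hardened overlap check instead of the point check
    Returns whether the top was reached, frames used, teleports back, end speed.
    """
    pos, speed, loops = 0.0, 0.0, 0
    for frame in range(1, max_frames + 1):
        speed += gain
        if forward:
            speed = min(speed, FORWARD_CAP)   # forward speed is capped
        prev, pos = pos, pos + speed
        caught = overlaps_zone(prev, pos) if swept else in_zone(pos)
        if caught:
            pos, loops = 0.0, loops + 1       # teleported back to the bottom
            continue
        if pos >= STAIR_TOP:
            return {"reached_top": True, "frames": frame, "loops": loops, "speed": speed}
    return {"reached_top": False, "frames": max_frames, "loops": loops, "speed": speed}


if __name__ == "__main__":
    print("forward, capped:   ", climb(10, forward=True))
    print("backward, uncapped:", climb(10, forward=False))
    print("backward vs swept: ", climb(10, forward=False, swept=True))
```

The capped forward run never clears the zone, the uncapped backwards run does once its per-frame step exceeds the zone width, and the swept check catches it regardless of speed.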
And just like that we've drawn a direct parallel between one of the all-time classic videogames and simple cybersecurity thinking. It doesn't stop there though—older games in particular (where, in their defense, the developers didn't have the luxury of pushing patches) are full of stories like this. There are examples of classic bugs like buffer overflows or arbitrary code execution in all kinds of retro games. Modern games aren't safe either!
As humans we learn about new topics for two reasons—because we are interested or because we have to. The level of tolerance we have for the way this learning material is presented to us varies massively between these two reasons. When learning how to drive, the highway code can be the blandest book ever. To drive a car we need to pass the exam; driving a car is a desirable thing, and therefore... we soldier on.
The problem is that when we present content to people on subjects they aren't immediately interested in, and don't feel obliged to pursue, the likelihood of anything sticking in their brain is low. We can bridge the gap with material that leans more towards the "fun" side, letting the interest take hold and allowing natural curiosity to take it from there. So, if nothing else, maybe this article will bridge the gap between videogames and cybersecurity for one person, and if it does then I'd be happy.
It's for these reasons that I authored an interactive book to teach people about cybersecurity that is as fun as it is educational. Unless whoever you are trying to teach wakes up every day desperate to consume all things cybersecurity, they might need easing into the topic and my book is (hopefully) a fun little way to do so.
About the Author
Alexander J. Roxon likes to take complicated subjects and problems, then make them simpler and less intimidating. Alex works for the Cyber Defense team within Accenture, helping companies implement appropriate cyber security solutions and strategies. In his spare time, he likes to contribute to the industry with things like phishing awareness blogs full of fish puns, or a deck of playing cards designed to teach people about cyber security (The Infosec Deck). Inspired by the Give Yourself Goosebumps series, he decided to write his own interactive story in an effort to make information security more accessible. He is a Systems Security Certified Practitioner (SSCP) and Factor Analysis of Information Risk (FAIR) accredited.
This article was contributed by Alexander J. Roxon, author of Choose Your InfoSec Path: An Interactive Cybersecurity Adventure for Beginners.