Disconnecting games with a single packet: an Unreal untold story
2024-10-25 , Europe - Main Room

In 2023, the gaming industry reached a worldwide revenue of US$384.9 billion. Yet, this industry is facing a growing number of cheating actors and techniques.

We introduce new attacks targeting multiplayer games based on Unreal Engine such as Fortnite, PUBG, Valorant... These attacks disconnect a player from an ongoing game session against his will. Cheaters can launch it as a Denial-of-Service against opponents with very few packets (sometimes only one). In most cases, the attacker can steal the victory from the target without exposing himself as a cheater.

It is important to understand that these attacks do not exist because of a vulnerability or an implementation error. They are conscious design choices, dictated by the constraints inherent to a widely distributed multiplayer game. Mitigating these attacks is thus not trivial.

This talk shows how such issues present in a single game engine can spread widely, across several games produced by different editors. It is quite probable that other game engines, such as Unity, are not immune to these issues. However, this presentation solely focuses on the Unreal Engine whose source code is available. We present our analysis of the design and implementation choices made within the Unreal Engine. We explain how to exploit the protocols used. We cover and discuss how to defeat some common countermeasures used on the Internet against IP spoofing, such as Source Address Validation. We mention some mitigation strategies for video game developers. We show videos of these attacks against real popular games.


Introduction

Cheating is a major threat to the Multiplayer Online Game industry, undermining the fairness among players and impacting their user experience.

Unreal Engine: crucial common pieces of many games

Game engine are software framework designed for the creation of video games, providing core functionalities to developers. Vulnerabilities within the engine, shared by multiple games can spread widely. This talk focuses on Unreal Engine (UE), powering some of the most famous games in the industry.

We introduce UE's network architecture, highlighting the UDP-based application-layer protocols used for communication, as well as the encryption components available.

A new attack exploiting Unreal Engine security features

We introduce new attacks that we have reported to all affected games through a responsible disclosure process. The general idea is to disconnect opponents within the same match by sending a single, specific packet. The attack exists under several flavors, with different packets, for different reasons.

We present concrete examples of the attack in practice with three video demonstrations on the following games: Fortnite, The Finals, and Valorant.

We present the methods we applied to investigate the root causes behind these vulnerabilities, combining static code analysis and dynamic profiling using an experimental game, developed with Unreal Engine.

We present and explain our findings: When parsing a received packet, the engine checks the data's validity to detect corrupted values that could propagate to errors in the game logic. In some specific cases, this can lead to the client being disconnected from the ongoing game. This feature is likely to have been designed for security purposes to disconnect suspicious clients trying to tamper with the game packets. However, a malicious player A can exploit this by spoofing player B's IP address and sending a single faulty packet to disconnect B from the game, performing a Denial-of-Service attack against B.

We explain the limitations of Unreal Engine’s encryption components in preventing those attacks.

Practical exploitability of the attack

We present two detailed procedures to carry out this attack in different contexts.
1. By broadcasting the specific packet within a LAN.
2. In an online Game context over the Internet. We outline the steps required: finding the target's IP address (using the ICE protocols to establish a P2P communication traversing firewalls), spoofing an IP address over the Internet (bypassing Source Address Validation), and launching the attack.

We discuss potential mitigations that Unreal developers could implement.

Conclusion

While making the task easier for game developers, game engines inadvertently broaden the scope of vulnerabilities. Consequently, achieving security at the engine level is primordial to strengthen the overall game industry. New powerful attacks targeting big names in the video games industry are disclosed and explained, with a focus on the limitations of the network devices used for security: firewall traversal, and IP address spoofing. It is an eye-opener for that community.

Beyond video games, Unreal Engine is also used in VR, digital twins, automotive HMI, and more. While we haven't identified other exploitations of this vulnerability yet, it could lead to more critical issues in the future. Therefore, it's crucial to raise awareness and fix it.

See also: Slides (2.3 MB)

Hugo Bertin is a Visiting Student in the SeRBER research group at KAUST, Saudi Arabia. He got his master degree in CS from the University of Rennes, France. During this degree he realised different internships at the IRISA research lab, in France, where he could work on isolation units in the cloud under the supervision of Prof. David Bromberg and Ass. Prof. Djob Mvondo. He also studied software engineering and cyber-security as an exchange student at Newcastle University, UK.

He is interested in the network and system aspects inherent to distributed systems, which often involve a trade-off between security and performance. He is currently working on EGaming Security under the supervision of Prof. Marc Dacier and Prof. David Bromberg. The research project aims to investigate the security aspects leveraged by the gaming industry, which has experienced unprecedented growth and is expected to continue to shape tomorrow's virtual worlds. This comes with new challenges to enhance security, mainly to prevent cheating. From a technical point of view, Hugo is investigating synchronization and security mechanisms in game engines such as Unreal Engine.