F-Secure comment on EA data breach
Following the EA data breach, Tom Van de Wiele, principal security consultant at F-Secure, offers the following in-depth comment:
The EA source code and tools have a surprisingly high value to any company that operates in the shadows and wants to get a leg up in competing with the bigger game development companies. Being able to steal an algorithm, approach, or game assets themselves and integrate them fast means not having to develop them on your own and means money and effort are saved that can be directed somewhere else. Especially when those games are released to a limited target group or platform where it is almost impossible to prove any wrongdoing or theft of intellectual property.
The latter is a side effect of the current geopolitical situation but also the fact that in the last 20 years, most modern computer games have a form of Digital Rights Management (DRM). This DRM is enforced by game developers using cryptography to ensure those game cheaters cannot easily see what is going on in the game’s internal logic and reverse engineer the code to create and sell cheat functionality for profit. Because of this, it will be difficult in the future to prove that a competing company has or hasn’t stolen either the design principles or implementation of any part of the leaked code if obfuscated well enough.
Game companies in general, and especially EA, which is a video game powerhouse with decades of game development history, must deal with a lot of technology stacks, third parties, and infrastructure that all must work in tandem. The more moving parts and possible interactions, the more susceptible a company is to abuse or misuse that could lead to compromise. Not only do gaming companies have to be able to enforce security on their infrastructure and products in a way that does not impede the creative workforce they so critically depend on, but they also must restrict the functionality that comes with the game so that it cannot be used against others as a platform of attack.
There have been plenty of examples of this in the recent past where not only other end-users have been targeted through games that allow modified user content to take over someone’s computer and network, but we also see examples where this was used to breach game developers themselves. Game developers want to see what the community around a game is doing by opening some of the gamer community-made creations; this is where backdoors are added to the functionality, leading to compromise of the company.