The Baltimore-based computer security company that hacked into the sizzling, hot iPhone and broke the encryption on wireless gas payment cards and car keys used by millions of drivers is at it again. But this time, analysts there uncovered serious vulnerabilities in two highly popular fantasy worlds frequented by hundreds of thousands of online players around the globe.
Using flaws discovered in the games' coding, Independent Security Evaluators said it was able to read confidential files on massive multiplayer online (MMO) games Anarchy Online and its best-selling successor, Age of Conan. ISE, which will reveal the research today on its Web site (securityevaluators.com), said it was also able to take control of a player's computer in the older game.
The vulnerabilities, ISE says, expose a growing concern among industry experts. Many say players of such games should start worrying more about malicious attacks that can endanger confidential and financial data than the virtual battles that revolve around crushing demon skulls and laying siege to ancient towns.
"Most people, by now, know not to open e-mails and click on links that aren't from people they know," said ISE security analyst Stephen Bono. "But players of these online games are more focused on whether they can walk through walls than whether someone can hijack their computer and steal personal data. The awareness is not there. That's a big problem, since many of these virtual games involve online economies where real money is exchanged for virtual money and goods.
"As these games get bigger and bigger, and more and more people play, and more real money is involved, it's ripe for criminals," Bono said.
Now all this talk of fake money, virtual worlds and fantasy lives might leave many of you addled. Don't we have enough to worry about in the real world?
What's not hard to understand is that there's a lot at stake in this multimillion-dollar industry that gains new fans every year.
To put it into context using some rough numbers, senior lecturer David Grundy at Newcastle Business School at Northumbria University said, "Star Wars is generally thought of as being the biggest movie of all time at around [a] $1 billion take. "Thriller" still is about the biggest song ever recorded, with sales of $500 million. One MMO game alone, World of Warcraft, a game which many of your readers will have never heard of, has for almost four years dominated PC game sales and revenues, with estimated global proceeds of over $4 billion.
"It is, simply put, the biggest single entertainment product ever," said Grundy, who is co-author of a virtual security blog, MetaSecurity.net.
By comparison, consider the 1 million copies of Age of Conan that Norwegian firm Funcom sold this year and the 700,000 subscribers who pay about $15 a month to role-play with thousands of players around the world. That amounts to an income stream of $10.5 million a month.
That's why, Grundy says, "criminals are targeting the online gaming world" and why giant Microsoft Corp. warned developers at a recent games conference in Seattle: "Those of you who are working on massively multiplayer online games, organized crime is already looking for you."
There's real money at stake, and should players feel less secure about these online games, they could stop playing.
Players, Grundy said, should "consider everything they ever type into their computer. Every user name and password they ever use, every bank code they use and so forth."
In a recent demonstration of ISE's findings, analyst Gabe Landau logged into Age of Conan to highlight the vulnerabilities. He showed how sending a routine invitation to visit his player's team Web site using two booby-trapped links to another player could allow him to read confidential files. Data could include anything from passwords to bank account numbers off the other player's computer.
To protect real players of the game, the other player in ISE's demonstration was Landau's colleague, Dan Caselden.
In the second serious breach, ISE said vulnerabilities in Anarchy Online allowed them to read files and take over the other player's computer, which could then be used to launch attacks on Web sites or send spam.
"It's a whole new world of electronic fraud," Bono said.
It's also a huge headache for game makers like Funcom, which was notified of ISE's findings almost six weeks ago.
Before anyone panics, Funcom said Thursday that it has patched the holes.