# Title
Traffic analysis of online game "Pixel Starships" and MITM attack against it
# Abstract
Online game players' virtual possessions should be secured by game developers, otherwise the attackers could benefit from attackers and cause great loss to game players. In the paper, we investigate Pixel Starships, an online game which doesn't protect the market buying. We demonstrate that we could successfully launch a man-in-the-middle attack, causing virtual possessions loss to the player.
# Introduction
With the rapid development of the game industry in the past two decades, online games enjoys an important market share, with many people playing them in daily life. Online game developers can profit from their games in various ways. One typical bussiness model is that a player could pay some money for some "virtual possessions". For example, developers could sell powerful weapons to players who want to have better chance of winning in a battle with other players.
Usually, players' virtual possessions are important for their game experience. Players may spend large amount of money to buy virtual possessions. Therefore, it is very important that their virtual possessions are protected and secured by the game developers, preventing their possessions from being "stolen" or "corrupted" by potential attackers. Attackers have such intention because many times they can benefit from such attack. In Metaverse \cite{ref2}, players may own real estate and it's important the ownership is protected.
Pixel Starships is a bad example of virtual possessions security. The network traffic between player and the game server is unencrypted, allowing man-in-the-middle attackers to modify the traffic. In this paper, we analyze its network traffic and successfully launch an MITM attack against a player. The player suffers loss of 6 "starbuck", while the attacker gain it.
# Related Work
MITM remains an important attack method in the real world. In 2017, credit score company Equifax removed its apps from Google and Apple after a breach resulted in the leak of personal data. A researcher found that the app did not consistently use HTTPS, allowing attackers to intercept data as users accessed their accounts.[^MITM]
# Methodology
## Threat Model
In this paper, we focus on against the missing immutability of the game traffic. Similar to the classic MITM attack, we assume the attacker can monitor and modify the traffic between game client and game server. In practice, the players play games by connecting to a wireless network. If the player is connected to some untrusted public WiFi, the MITM attack becomes possible. Since Pixel Starship can be played on mobile phone, it is realistic.
## Attack Workflow
As illustrated in Fig.1, our attack starts from posting a useless item with high price to the market.
Then we will guide the victim to buy this useless item with high price by two key steps below.
1. Modify market list. To guide the victim buy our uselesss item, we must let the victim think it is a good deal. If the victim is requesting a market list from the game server, our MITM server will hijack the traffic and modify the price of attacker's item to a very low price.
2. Modify purchase packer. After the victim clicked the purchase button on the attacker's item, the MITM server will modify the purchase packet to restore some field that has been modified in previous data exchange so that the game server will not realize there is a MITM.
Once all the attack steps are completed, the victim loses a lot of money that the attacker can gain.
# Evaluation
Before we could launch an attack, we use wireshark to analyze the network traffic between the game client and server. We use "http contains pixel" to filter out traffic unrelated to the game. Since the game uses HTTP protocol, we could easily obtain the content of each request and response, and guess their semantics according to parameter key and value name.
After looking at several packets captured by wireshark, we get to understand two key APIs used in the PSS market. One API is for listing available items on the market. This is an HTTP get request. An example request is shown as follow:
```
params = {
'itemSubType': None,
'rarity': None,
'currencyType': 'Unknown',
'itemDesignId': 0,
'userId': 0,
'accessToken': '4a7bea4b-88bb-4fdd-8fc2-0754e1ee9ba4',
}
```
The access token is established when the PSS game is started.
Another API is for purchasing an item. This is an HTTP post request. An example request is shown as follow:
```
params = {
'saleId': 24606089,
'clientDateTime': '2022-05-08T19:01:07',
'checksum': '5b96d54b0b54dae4e0b084d444786a11',
'accessToken': '3f4f7cb3-38d9-4204-b9d3-8cc16aaa39e4',
'allowConversion': True,
}
```
The saleId indicates which item (posted by a seller) the buyer wants to buy.
After we understand the protocols, we try to launch an MITM attack. The attack environment is in one Windows 11 Education Build 22621.1 machine, with pixel starships installed through Steam. We create two Pixel Starships account, one for the victim and one for the attacker.
We first modify the host file, letting the attacker's server become the man in the middle. Then the attacker posts to the market an item priced 6 starbucks. Then the victim enters the market, sending an HTTP request to get the list of available items. The attacker's MITM server forwards this request to the game server. When the item list returns, the MITM server modifies attacker's item's price to 1 gas (which is cheap). When the victim sees attacker's item priced 1 gas which is rendered in the game client, he decides to buy it. The victim observes that the total amount of gas he owns decreases by 1. When the victim's game client resynchronizes with the server, he will surprisingly find that he has lost 6 starbucks, instead of 1 gas. From the attacker's perspective, the attacker gets 6 starbucks.
# Future Work
In this work, we lauch an MITM attack to "steal" starbucks from a victim. However, this kind of attack badly restricts the attackers' ability, requiring the victim to stay online when the attack happens. As a reason, we leave off-path attack as our future work.
In the future, we could reverse engineer the Pixel Starships client in order to know how the access token and checksum is generated. If we have such knowledge, we could launch an off-path attack even when the victim is offline. Attack of such kind could do more harm, since it could target a larger number of victims.
# References
# Proposol here:
# Proposal
## Content
- Problems to work on and the importance of our work
- The focus of our research will be on the market on Pixel Starships. We are going to, first, analyze the network traffic of the market and understand the protocol used by it. Second, based on the understood and vulnerable protocol, a meticulously designed Man-In-The-Middle attack method against the Pixel Starships market buyer (rather than the server) will be proposed by us. Finally, we are going to propose some effective defence that mitigates such dangerous MITM attack.
- The reason for which we choose the market as our subject is because it uses HTTP protocol and unencrypted traffic, which is vulnerable. Such practice could open up a great variety of opportunities, including MITM attack, for the attackers.
- The importance of this project lies in two aspects. First, Pixel Starships market is a perfect demonstration of what consequences using unencrypted protocol could lead to. Second, our proposed MITM attack will become a good example of how to exploit such vulnerable protocol.
- Here follows a more detailed description of what Pixel Spaceships market does. There are two main sorts of actors in the market, namely, buyers and sellers. All actions in the market should go through the game server. The sellers can post an item to the market by sending a request to the server; The (potential) buyers can ask server what are the available items on the market; The buyers can also buy an item by sending another request.
- Our proposed MITM attack will sit on the network channel between buyers and the market server. The attacker can modify the network traffic between them. As a consequence, the buyers (victims) could suffer money losses from such MITM attack.
- Related work
- Tentative approach
- Firstly, we plan to poison local DNS, for example, by modifying the DNS record of api2.pixelstarships.com to the address of our MITM server. Then we implement the MITM server. In general, the MITM server just forwards traffic between victim and game server. If MITM detects that the traffic from the victim is about the market, the MITM server will modify some key fields in the traffic and forward it to the game server, directing the victim to purchase the attacker's item.
- If the victim really purchased the attacker's item without clicking the corresponding botton, we succeeded.
- Evaluation
- We used wireshark to capture the traffic of Pixel Starships. We found the game client communicate with server over HTTP protocol and the traffic is unencrypted. Therefore we believe the MITM attack is possible.
[^MITM]: 2022. Man in the Middle (MITM) Attack. https://www.veracode.com/security/man-middle-attack
[^META]: Metaverse. https://en.wikipedia.org/wiki/Metaverse
[^PSS]: 2022. Pixel Starships. https://www.pixelstarships.com/
Google Drive
Gist
Clipboard
Sign in with Wallet
