
IOActive finds hackers have compromised some game controllers

Somebody went to a lot of trouble to create a fake game controller.
Image Credit: IOActive

The makers of official licensed game controllers were once pretty good at stopping the clone makers from creating fake controllers. But security research firm IOActive has found that this may not be the case anymore.

The makers of video game consoles often use cryptographic mechanisms to vendor-lock their accessories so third parties can’t duplicate these accessories — like game controllers — with impunity. The third parties want to break these mechanisms to sell compatible accessories, said Andrew Zonenberg, principal security consultant at IOActive, in an interview with GamesBeat.

In the course of research, he found that one such machine, deployed in the tens of millions, used a security chip that stopped the copycats from being able to duplicate the official game controllers. In the case of this manufacturer, there were no clones on the market. (IOActive chose not to name the maker of the console or the game controllers.) In an older generation OEM controller, there was an off-the-shelf microcontroller. That was paired with a secure element that held the actual cryptographic authentication keys.

But then something happened. In one generational change in the hardware, the controller chips were consolidated from multiple chips to just one, with components including an Arm processor.


“It’s a significant investment to put into a chip design,” Zonenberg said.

Indeed, it takes a serious effort to crack encryption and then create substitute chips that enable cloned hardware.

Game accessories often have a security chip that stops them from being copied.

“We were looking at a game controller from an undisclosed platform and observed that there were a couple of generations of hardware. The first generations were pretty basic,” Zonenberg said. “And then they gradually redid them. They added some additional features, they combined some functionality that were separate chips into one chip, and so on. And shortly after one of these hardware redesigns, unlicensed third-party controllers appeared in the market.”

Presumably, this kind of change was aimed at reducing the number of chips in the system and thereby reducing its cost. But then IOActive saw that a number of third-party unlicensed game controllers began appearing on the market. Some were disguised to look like the real thing. Inside, there were generic chips that could not be identified or tracked to a particular company.

“And so our theory was that all these controllers had some sort of DRM mechanism in them so that you can make third party controllers that will work with the official platform. And so our working theory was that something they did in this hardware redesign introduced a weakness that someone who makes controllers recognized and exploited,” Zonenberg said.

“That had all sorts of tamper-resistant features, and we opened it up and we looked at the ROM and it was encrypted,” Zonenberg said. “And as far as we can tell, this was never broken. And then shortly after a new hardware version came out, they added Bluetooth functionality to the controller and everything else stayed the same. We didn’t see any difference.”

Then they switched to an all-in-one chipset. It had built-in Bluetooth and a main processor that controlled all the buttons. Very shortly after that appeared, the fakes hit the market. It was clear that this new system was not as secure as the old system, Zonenberg said.

The cloned controllers use a two-chip solution. One odd thing is that the clones use a security chip that can prevent it from being copied by other cloners. That may mean that one party hacked it and then created the fake controller but put in more encryption to stop the copycat from being copycatted itself.

“Our working theory is that there are two reasons for this. The first is someone put a lot of work into breaking this DRM scheme. That’s valuable IP to them. They already have to share the market with the OEM. They don’t want to share it with other parties. And so we believe that this was in part an anti-competitive feature” created by one cloner to keep the other clones out of the market, Zonenberg said.

He added, “Our second hypothesis, which kind of ties into this, is that it is very possible that the entity that broke the DRM scheme, and the entity that is selling the clone controllers, are not the same. We’re thinking it is possible that someone else broke this system, they took the original OEM key and burned it onto their own security chip, and now sell the security chips to get royalties.”

That is, the thief who broke into it is selling the solution to other thieves to generate revenue streams from multiple thieves.

“And so our thinking is that this was essentially made as a drop-in compatible replacement for the OEM security chip that contains the same key and is mechanically and electrically interchangeable,” he said.

The question was, “How did the hackers figure out the hardware flaw or software flaw and then exploit it?”

Another question was what motivated the hardware vendor-lock in the first place. Perhaps it was because the third-party fakes had poor quality and would lead to brand deterioration for the big company. Another theory was that a fake controller could be modified to enable cheating of some kind. In fact, I know some software that remaps buttons on a controller to make things much easier can be considered illegal cheats. If you are found with such software on your computer, you may get banned in a game.

Of course, the answer may be simply that the console maker wants to limit choices for the consumer and keep the prices high. So there is a real economic incentive for someone to break the cryptography and start replicating the game controllers.

A security chip likely was breached.

Gunter Ollmann, CTO at IOActive, said his company works with many gaming manufacturers around the world in order to help protect devices. But it is not always authorized to talk about these manufacturers.

“It is interesting there are counterfeit devices in that market space. And so we’re curious about, given all the attack vectors that we discover and analyze, which of the attack vectors were potentially being used in the latest generation of counterfeiting,” said Ollmann.

Zonenberg said that modern controllers have gone beyond wired devices and use Bluetooth or WiFi connections. That introduces more attack vectors for Black Hat hackers to attack. Devices often update when you plug them in.

Zonenberg said that the fake controllers his company came across were fairly obviously made by third parties, as they didn’t have FCC approval stickers or had flaws in the industrial design. There is no chance of tricking an OEM into buying a fake security chip. They want royalties on the clone market, selling the key to unlicensed accessory vendors.

“Consumers know they’re buying a knockoff (it’s clearly visually distinct from the OEM controller and advertised as a compatible product), but don’t care because it’s cheaper,” Zonenberg said. “Marking the clone security chip to look like the OEM part isn’t deception at all, it’s simply a way to make it more obviously a drop-in so that cloners can easily integrate it. All parties in the transaction know it’s a fake.”

This kind of problem is not so different from printers and ink cartridges. If you can overcome the security of the cartridges, you can replace them with cheaper ink.

“Across all the industries that we look at in the high-tech field, the strength of supply chain, or the integrity of the supply chain is always under threat,” Ollmann said. “In the gaming industry, given its size, there are lots of opportunities” for thieves to take advantage of the supply chain weaknesses.