China’s internet cafes full of young nerds glued to Starcraft 2 might soon be taking on more than Zerg hordes and Protoss Colossi. One group of anti-censorship researchers wants to turn those games themselves into a weapon in the war for web freedom.
A group of graduate researchers at Stony Brook University in New York has built what they describe as a prototype tool for exploiting “covert channels” in real-time strategy games, the genre of desktop videogames that includes Starcraft, Warcraft, Shogun 2, and Company of Heroes. Their program, which they call Castle, is designed to encode secret messages into those multiplayer games’ communications with opponents and teammates across the Internet, translating emails, articles, and even web pages into the game’s commands and siphoning them to players who live in censorship regimes like China or Iran.
The researchers published their open source stealth tool this week on GitHub, and they’re still testing it for security. They hope it will not only circumvent censorship and surveillance, but that it will also impersonate normal game data closely enough to avoid even alerting authorities that their filters have been thwarted. “Tools which have distinctive features can be detected and blocked by censors. As a result, there is increasing interest in disguising censorship circumvention traffic as benign protocols,” they write in an as-yet unpublished paper they plan to submit to security conferences. “The current video game landscape [presents] advantages that distinguish games from other covert channels and make them amenable to winning the arms race between censors and circumvention tool developers.”
Castle works by converting messages into scripts—a series of game moves that it executes automatically. It takes advantage of some universal tropes of real-time strategy games: “units” of soldiers that can be selected and moved around a map from overhead and commanded to “rally” at certain map points or buildings. Castle loads the same custom map on both players’ screens, then runs scripts coded in AutoHotkey and Python to execute commands like moving and rallying those units in patterns. Real-time strategy games tend to keep a log on all players’ computers of those moves as part of their “replay” function. That log of in-game commands can be read by the other player’s copy of Castle on the receiving end and interpreted to decode the hidden messages.
The advantages of that game-based technique, the researchers say, include the fact that real-time strategy games can switch between a server-based mode and one where players connect directly to one another if the server is blocked. The games already send a lot of data between players, which is usually encrypted to prevent cheating. This further obscures the communications channel from censors. And unlike other protocols that secret communications have impersonated in the past, such as Skype, a communications session of video game data can last hours without raising suspicion. “A three- to six-hour Skype call could look strange,” says Phillipa Gill, one of the Stony Brook researchers. “One of the nice properties of games is that the packet timings match and the session durations match.”
Another advantage of games as vessels for secrets is that the modern gaming industry has provided plenty of real-time strategy games to choose from, all using a similar map-based gameplay, the researchers say. That means that they can easily port their system over to a new one in a matter of hours, spreading their secret traffic among potential targets. So far, they’ve adapted Castle to send secret messages through an open source game still in development called Zero AD, as well as a more popular commercial game they declined to name for fear of creating controversy for the developer. “If the censors begin to block one of those games, we can move it to another,” says Rob Johnson, the computer science professor leading the group. “We have a lot of flexibility and mobility.”
In their testing so far, the researchers say that they’ve achieved communication bandwidths of up to 1.5 kilobits a second while still keeping their secret communications hidden. That’s a ridiculously slow speed for most kinds of modern communication, but they suggest it’s enough for sending emails and sharing articles, and if it were built into a browser plugin, web browsing with images disabled. And they’re working to widen that thin straw of bandwidth in future versions of the software.
Stony Brook’s real-time strategy game technique may have the potential to be more secure than some other methods of steganography—the science of trying to make secret data look like other less sensitive data, says Paul Vines, a graduate researcher at the University of Washington who has worked on steganographic techniques. Castle, after all, doesn’t impersonate a game’s data so much as it simply plays the game. And the fact that it’s playing it with automated scripts could be tough to spot, given that a typical game’s normal communications are encrypted and as much as 70 percent of those messages are routine game-state checking between computers that has nothing to do with the player’s commands. Vines says there may be enough room for randomness or “entropy” in game data to hide messages more effectively than by embedding them in a Skype call, as other tools like SkypeMorph and FreeWave have done. “Games have a lot of user input,” he says. “That provides a lot of natural entropy compared to some applications.”
In fact, the Stony Brook researchers aren’t the only ones using games as a covert data channel. Developers at a Human Rights Watch conference last year proposed using steganographic videogames to smuggle data into North Korea, albeit on off-line USB sticks. And Vines at the University of Washington is experimenting with hiding data in games, too: Last month he and another researcher released Rook, a tool for hiding messages in the communications of first-person shooter games. (Bizarrely, Vines says they had never heard of Castle when they named their tool Rook.) But unlike Castle, Rook doesn’t assume the data sent by the game is encrypted. So to hide that data, it has to much more closely mimic human playing. That restriction vastly reduces the amount of data Rook can send, Vines says.
Castle’s dependence on the game’s own encryption, however, means that Castle users could be more vulnerable to detection if game makers quietly gave censors access to decryption keys, says Vines. “I could see policies put in [by game companies or governments] to break that encryption,” Vines says. “If you stripped away the encrypted layer on the game channel, you could detect it relatively easily.”
In fact, it’s still far too early for anyone to trust Castle with truly sensitive data. The system’s Stony Brook developers claim it’s undetectable with traditional port blocking or deep packet inspection, but they admit they’re still testing it against machine learning techniques that might be able to distinguish Castle traffic from normal game traffic.
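To make both points concrete, the mechanism described earlier (message bytes turned into unit rally commands that the receiver reads back out of the replay log) and the detection question raised here, the following is an added toy model written for this article; it is not Castle’s code, and the 16×16 rally grid, the four scripted units, the JSON-lines replay format, the 2-byte length header and the censor-side entropy feature are all assumptions made for illustration.

```python
"""Toy model of a Castle-style covert channel: message bytes become unit "rally"
commands on a custom map, the game's replay log records them, and the receiving side
decodes the log. Everything below (map size, unit count, log format, framing and the
censor-side feature) is an assumption for illustration, not Castle's own code or format."""
import json
import math
from collections import Counter
from typing import Dict, Iterable, List

MAP_SIZE = 16        # assumed: rally points form a 16x16 grid, so one rally carries 8 bits
UNITS = 4            # assumed: four scripted units whose ids cycle
TICKS_PER_CMD = 10   # assumed: the script issues one command every 10 game ticks


def byte_to_rally(b: int, tick: int, unit: int) -> Dict:
    """Map one byte to a rally point: high nibble is the column, low nibble the row."""
    x, y = divmod(b, MAP_SIZE)
    return {"tick": tick, "unit": unit, "cmd": "rally", "x": x, "y": y}


def rally_to_byte(cmd: Dict) -> int:
    return cmd["x"] * MAP_SIZE + cmd["y"]


def encode_message(msg: bytes, start_tick: int = 0) -> List[Dict]:
    """Frame the payload with a 2-byte big-endian length, then emit one rally per byte."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for the 2-byte length header")
    framed = len(msg).to_bytes(2, "big") + msg
    return [byte_to_rally(b, start_tick + i * TICKS_PER_CMD, i % UNITS)
            for i, b in enumerate(framed)]


def interleave_cover_traffic(commands: List[Dict]) -> List[Dict]:
    """Constructed ordinary 'move' commands between covert rallies; the decoder drops them."""
    out = []
    for c in commands:
        out.append(c)
        out.append({"tick": c["tick"] + TICKS_PER_CMD // 2, "unit": c["unit"],
                    "cmd": "move", "x": 0, "y": 0})
    return out


def write_replay_log(commands: Iterable[Dict]) -> str:
    """Assumed replay format: one JSON object per line, in the order the game logged them."""
    return "\n".join(json.dumps(c) for c in commands)


def parse_replay_log(log: str) -> List[Dict]:
    cmds = [json.loads(line) for line in log.splitlines() if line.strip()]
    return sorted(cmds, key=lambda c: c["tick"])


def decode_replay_log(log: str) -> bytes:
    """Receiver side: keep only rally commands, read the length header, then the payload.
    A replay that ends mid-message is reported rather than silently returning a prefix."""
    stream = bytes(rally_to_byte(c) for c in parse_replay_log(log) if c["cmd"] == "rally")
    if len(stream) < 2:
        raise ValueError("no length header in replay")
    n = int.from_bytes(stream[:2], "big")
    if len(stream) < 2 + n:
        raise ValueError("truncated payload: replay ended mid-message")
    return stream[2:2 + n]


def rally_point_entropy(commands: Iterable[Dict]) -> float:
    """Censor-side feature: Shannon entropy (bits) of where rally commands point.
    A scripted byte stream spreads rallies over the map; a human tends to reuse a few points."""
    counts = Counter((c["x"], c["y"]) for c in commands if c["cmd"] == "rally")
    total = sum(counts.values())
    return -sum(n / total * math.log2(n / total) for n in counts.values()) if total else 0.0


def constructed_human_rallies(n: int) -> List[Dict]:
    """Constructed stand-in for human play: rallies cycle through three map locations."""
    spots = [(3, 3), (3, 4), (12, 9)]
    return [{"tick": i * TICKS_PER_CMD, "unit": i % UNITS, "cmd": "rally",
             "x": spots[i % 3][0], "y": spots[i % 3][1]} for i in range(n)]


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog"
    log = write_replay_log(interleave_cover_traffic(encode_message(msg)))
    assert decode_replay_log(log) == msg
    covert = encode_message(msg)
    print(f"covert rally entropy  {rally_point_entropy(covert):.2f} bits")
    print(f"human-like entropy    {rally_point_entropy(constructed_human_rallies(len(covert))):.2f} bits")
```

The length header is what lets the receiver tell a complete message from a replay that was cut off mid-game, and filtering on the command type is what lets ordinary moves share the log with the covert ones. The entropy function is the kind of simple traffic feature a classifier in the machine-learning tests mentioned above could start from: on this toy mapping, where every byte lands on a distinct map cell, scripted rallies are spread far more widely than the handful of locations a human player keeps returning to, which is one reason a mapping that looks more like human play costs bandwidth.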
But despite its early stage, Vines says that Castle, and the more general videogame approach to stealthy messaging, holds promise. “It’s a pretty good system, and it could be practical to use this in the near future,” he says. “Right now it’s already a very compelling use of games for this kind of work.”