A Ready Player One major motion picture directed by Steven Spielberg is scheduled for release in March 2018, resulting in a recent resurgence of popularity of the Ernest Cline cyberpunk novel which serves as its inspiration. So, this seems like as good a time as any for me to briefly revisit the 2011 novel and discuss my personal thoughts on the good, bad, and ugly of its information security content.

Despite an all-star crew (based a bit on extensive online commentary nerd rage from people who read early leaked scripts, but mostly based on the bombastic and wildly diverging contents of the trailer itself), I don’t have particularly high hopes for the movie to express the novel’s techno-philosophical depth in only a couple hours. Nonetheless, I hope to revisit it with the brilliantly apropos MayaofSansar of Linden Labs after release.

Firstly, let me make it abundantly clear that this blog is up to the elbows full of Ready Player One spoilers. If you haven’t read the book and have any desire at all to have the book’s twists and puzzles be a surprise, stop reading here. Really! I highly recommend you pick up a copy of the book. While I have a couple nits to pick with Cline’s character development and my personal interpretation of the plot, it is an iconic cyberpunk novel filled with unfortunately plausible social and technological predictions. It also contains references to pretty much every geek fandom and iconic classic game, ever, in it. Cool beans? Go forth to to Amazon.com and seek victory!

 

Okay. Now that they’re gone, fellow Gunters – let’s proceed!

 

IOI’s Infosec Sucks

Let’s first discuss Parzival/Wade’s daring intrusion into the malevolent IOI mega-corporation’s network. As you probably recall, Wade has a limited period of days to abruptly become an (indentured) employee of IOI so he can access their corporate intranet from a terminal inside their offices. Once inside, he uses a series of black market exploits (which he purchases in advance from disgruntled employees) to escalate privileges and access his target sensitive Sixer team servers.

What I found believable:

From the perspective of an author in 2011, insider threats were a pretty timely topic. Wade isn’t the only insider that factors into his successful exfiltration of sensitive data. He purchases sensitive IOI network data and system exploits from the black market before he enters the facility – ostensibly from (reasonably) disgruntled network technicians. None of this is particularly implausible.

We see few specifics of the exploits and back doors that Wade uses in his espionage, but most of his physical and digital measures are “living off the land”-style abuse of sanctioned network and business operations. No malware is involved. This is generally a smart intrusion tactic.

What I found less believable:

1) The entire McGuffin of IOI’s network being effectively airgapped. Obviously, it provides pivotal drama to see Wade trapped inside a hostile, dystopian corporation conducting espionage. Nonetheless, we see evidence throughout the book that it’s simply not possible that IOI’s office systems are even close to disconnected from the internet / OASIS. Aside from fundamental business operations that go along with running a telecommunications company, we see the Sixers regularly logging into the OASIS. We also see Wade take constant external support chats in his assumed employee identity.

Cline falls back to the unfortunately ubiquitous cyberpunk trope of impenetrable firewalls. In reality, firewalls were already a legacy defense when the book was written in 2011 and today they’re evaded through phishing, malvertising, watering holes, and poor engineering far more often than they are directly exploited.

Wade could potentially have avoided his torturous week of indenturement with a well placed phish or some social engineering. That wouldn’t have made a great story, though. 🙂

2) IOI’s network security really sucks, even by 2011 standards. Certainly, Wade’s tactics would work in plenty of environments today, but it’s far less believable that they all work for a week without any detection at a massively powerful global technology corporation storing ultra-sensitive, incriminating data.

Let’s think about all the times Wade’s activity should have been detected by a competent security monitoring team:

• When he logged into his in-use sleeping quarters computer as a maintenance tech in the middle of the night, with no associated trouble ticket or physical entry.
• When a privileged account was used from a sleeping quarters computer, regardless of the quality of privilege escalation Wade used to obtain access.
• When he created new, highly privileged accounts on the IOI network.
• When he accessed “crown jewel” ultra-sensitive Sixer servers from previously unknown administrative account, via a sleeping quarters computer.
• When he inserted a removable drive without a known maintenance hardware ID into his sleeping quarters computer.
• When he conducted a phenomenally massive transfer of sensitive files to a external drive across the network (it’s later equated to the size of the Library of Congress).
• When he issues a network command for his ankle bracelet to release at night, in a sleeping unit, with no human or secondary check required.

We can actually learn a lot of solid infosec lessons from Wade’s intrusion and it’s consequently one of my favorite parts of the book. However, the premise that these well known attack vectors of 2017 are still not monitored in the most powerful corporation in the world in a technologically advanced 2044 is pretty unbearably dystopian for me. Raise a cheer, pessimistic friends!

Holy Crap! Encryption Backdoors!

Throughout the novel, GSS is presented as a relative bastion of corporate good in opposition to IOI’s faceless corporate greed. Indeed, for much of the novel, co-founder Ogden Morrow acts as a secret guardian for the Five. Morrow finally reveals himself when Art3mis, Parzival, and Aech, and Shoto are in dire straits on the run from IOI hired guns – by materializing as the Great Wizard Og inside Aech’s super-ultra-mega secret encrypted chatroom(!) While there’s some minor protest from the protagonists at this, it’s mostly glazed over in the book as administrative access exclusive to the GSS founders’ accounts, therefore not a concern.

That’s not how any of this works.

If the Og and Anorak (and ultimately Parzival) avatars have exclusive access to privately encrypted chat rooms in the OASIS, that means that there is a functioning crypto backdoor for the OASIS chatroom software. Given IOI’s cutthroat study and exploitation of OASIS software and staff, a backdoor for the server’s encryption and the associated cryptographic weakness would have been a juicy target for Sorrento and his IOI superiors, putting all Gunters at risk. To top that off, Morrow maintained his backdoor access even after leaving GSS – a weakness GSS’s security team might not even be aware of.

Wade’s Anti-Forensics

Zeroizing and melting drives. Not bad, kid.

Finding the Five

At the climax of the novel, Sorrento and his IOI Sixer team track down the Five in real life, to bribe, kidnap, and eventually attempt to kill them as they become increasingly successful in the Hunt for Halliday’s Egg. Let’s spend a little time considering the implications of how each of the Five is located:

– Parzival is found because he makes a minor OPSEC mistake long before the contest begins (and he doesn’t draw this connection until it’s far too late). His private school transcripts, including his full home address, were linked to his OASIS account. IOI simply bribes a school adminstrator for the information after a rival student leaks the fact he’s in high school on a public message board. Of course, Wade improves his personal security substantially after this, creating and adopting a fake real-life identity.
– Art3mis, Shoto, and Daito are presumably found and profiled a little later through a combination of similar OPSEC failures and their use of IOI subsidiary networks to connect to the OASIS. Services like anonymous VPNs don’t seem to exist in Cline’s 2044.  We might presume that Daito is the first one of them found as IOI operatives successfully murder him in his home during a critical battle.
– Aech is the only one of the Five that IOI never successfully gains surveillance on. Helen’s unintentionally brilliant OPSEC includes her consistently faking her real name, race, and gender since childhood, even on school registration and among friends. She also lives in an RV and stays mobile, traveling from city to city. IOI is able to detect her logins on subsidiary wireless access points, but she moves too unpredictably for them to locate.

Once again, we have a portion of Ready Player One where Cline gives us quite a lot of food for thought about privacy and identity online in 2017 and beyond. The issue of internet service providers collecting browsing and location data and associating it us is an extremely relevant one today as debates over digital privacy and net neutrality rage globally. The potential abuse of internet activity data by advertising companies or by rogue employees certainly creates another incentive for privacy measures beyond simple TLS.

In addition, considering our OPSEC as our online personas, and the potential for those personas to be matched to our real life identities through legal or illegal means, is always timely.

The Stunning Lack of Reversing and Exploitation

There have been countless in-game and out-of-game MMORPG competitions in today’s world, with some substantial and coveted prizes and bounties at stake. However, nothing has ever come close in magnitude to the hunt for Halliday’s Egg. Competitive intelligence is real, and it’s not implausible that IOI would hire an entire staff and devote immense resources to winning the billions of dollars on the line.

What struck me as immersion-breaking unbelievable, throughout the book, was how little system exploitation was done in the course of the hunt. Decades of MMORPGs have built a multimillion dollar exploit, bot, and farming industry. There are minor mentions in the novel about GSS’ measures to ban cheating players and the pretty dire real-world consequences of a lifetime ban on citizens. However, with the utterly insane money at stake in the Hunt and the extreme measures that IOI is willing to go to to win, my tactics would have been quite different as a vile and unscrupulous Sorrento. I would have hired an army of reverse engineers to analyze the OASIS code, resources, and databases, searching for unusual locations and items by keyword and statistical anomalies – aided by paid spies at GSS with access to the back-end servers. It’s really pretty difficult to hide an implemented item, character, or environmental elements inside the resources and indexes of a modern game. Simply locating instances of Anorak’s avatar and voice samples would have been invaluable to narrowing the search.

Essentially the only consistent exploitation we see in the game even by the most desperate characters is IOI hacking their local biometric authentication hardware as a means to share biometrically locked characters. The Sixers mostly play by a twisted interpretation of in-game rules.

Since the Sixers are still certainly breaking the EULA of the OASIS, this can’t simply be written off as them wishing to avoid nullification of a victory for cheating. They seem to skip a rather trivial corporate espionage step with their extensive resources, proceeding directly to kidnapping and murder in the real world.

We’re STILL Using Unique One Word Handles in 2040??

No, no we are not. Not unless everybody wants to be named like randomly generated passwords or Sixer IDs.

---

This was infosec-specific commentary in which I didn’t delve into the abundant online gaming implications of the OASIS multi-world system or the extreme complexity of quest and skill-level balancing between technological, magical, and physical skills. (Or the horrifying implications of professional avatar permadeath.) I’ll leave that blog for my gaming industry pals. I’d love to hear your thoughts and interpretations of Ready Player One and cybersecurity in the comments. Until next time!