Steam: The Content Distribution Platform for Games

By alpers at 7:17 pm on March 16, 2008 | 3 Comments

Within the last couple of years, Valve Corporation (of Half-Life fame) over in Bellevue designed and implemented a content distribution platform called “Steam” with the intent of distributing its games through a distributed network placed around the world. Their goal was three-fold: (1) make it simpler to roll out updates instead of forcing clients to manually download patches, (2) make a streamlined interface to purchase, configure, and use the games, and (3) cut out the middle-man (the publisher) and take the additional profit to implement Steam.

Despite Steam’s rocky inception in 2003, it has gained popularity in the gaming community for its ease of use and lax installation restrictions. All purchases made with a username and password combination are forever tied to that account, allowing the user to download the base Steam program, log into their account, and download and play all their purchased games at any internet-enabled computer in the world. Over the years, Valve has made games created at other studios available for purchase and distribution on Steam, making Steam more ubiquitous and handier to use than ever. Valve recently re-released an updated version of their friends list, allowing a user to add friends (on an opt-in basis) and see what games and what server they are playing in.

Starting here, there are several assets and security goals worth mentioning (assets first):

  • Ownership of individual games tied to the user account, and
  • Integrity of purchases.

With those assets, some security goals come to mind:

  • Passwords and usernames of clients must be hard to guess, obtain, or brute force, and
  • The purchasing system must be encrypted (at the very least using SSL), and
  • The game files themselves must be encrypted such that only the purchaser may use them.

Given these two areas, we then get potential adversaries to the content distribution system:

  • Clients who wish to amass games without legitimately purchasing them, and
  • Clients who wish to hijack accounts in order to create a “botnet” or backup accounts, and
  • Evil companies who wish to automatically push spyware out to the unsuspecting consumer.

The major flaw of Steam today seems to be weak passwords (the fault of the user) and high susceptibility of some users to phishing attacks. There have been documented cases of Steam users falling prey to Valve impersonators asking for usernames and passwords. Since this is the only information required to log into an account and access all games that the user owns, it’s often a simple exercise in social engineering using Steam’s built-in instant messaging.

Over the years, Valve has implemented some controls in Steam that detect illegitimate use of an account. One such control is fraud detection using credit cards – if too many failed purchases are attempted, the account locks down. Another (highly-debated) control is IP geotracing. If an account is used almost simultaneously at two points very far in distance from one another, the Steam backend will shut down the account. To unlock an account, a very non-automated procedure requires the affected user to contact Steam support with identifying details, such as CD keys (if retail copies were bought), credit card numbers, and confirmation numbers.
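The IP geotracing control described above amounts to an "impossible travel" check. The sketch below is an added example, not Valve's code: the login tuples are constructed, and the 1000 km/h speed limit and 50 km tolerance for simultaneous logins are assumed thresholds.

```python
import math
from datetime import datetime

MAX_KMH = 1000.0  # assumed threshold: roughly airliner cruising speed

# Constructed login events: (account, ISO timestamp, latitude, longitude)
SAMPLE_LOGINS = [
    ("alice", "2008-03-16T19:00:00", 47.61, -122.20),  # Bellevue
    ("alice", "2008-03-16T19:20:00", 47.61, -122.33),  # Seattle, 20 min later
    ("bob",   "2008-03-16T19:00:00", 47.61, -122.20),  # Bellevue
    ("bob",   "2008-03-16T19:30:00", 51.51,   -0.13),  # London, 30 min later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def accounts_to_lock(logins, max_kmh=MAX_KMH):
    """Return accounts whose consecutive logins imply travel faster than max_kmh."""
    last_seen = {}
    flagged = set()
    # ISO timestamps in one format sort chronologically as strings.
    for account, ts, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if account in last_seen:
            prev_when, prev_lat, prev_lon = last_seen[account]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            # Simultaneous logins (hours == 0) are flagged only when the
            # distance exceeds a small tolerance for GeoIP inaccuracy.
            if (hours == 0 and km > 50) or (hours > 0 and km / hours > max_kmh):
                flagged.add(account)
        last_seen[account] = (when, lat, lon)
    return sorted(flagged)
```

IP-derived locations are approximate and shift when a user connects through a proxy or VPN, so a hard lock on this signal alone will also catch legitimate users.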

In my opinion, while the current controls are great, more automated controls need to be put in place to protect against hijacking. In my experience, people do not move from one computer to another too quickly with Steam, and thus there’s a possibility of implementing some sort of MAC address filtering. On the first computer that Steam is installed on, a hash of the current computer’s MAC address could be stored on Steam’s content servers. On each subsequent logon, the hashed MAC address could be checked with the value stored on a server. If the user wants to install Steam on a separate computer, they must authenticate that computer with additional information about themselves or the account, like the last game bought or your first elementary school.
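A server-side sketch of the device check proposed above, as an added example rather than anything Steam implements: `DeviceRegistry`, `SERVER_KEY` and the return values are hypothetical names. It goes one step beyond the post by using a keyed hash (HMAC) bound to the account instead of a plain hash.

```python
import hashlib
import hmac
import re

SERVER_KEY = b"constructed-demo-key"  # assumption: a secret held only by the backend

class DeviceRegistry:
    """Hypothetical server-side store mapping account -> list of device tags."""

    def __init__(self, key=SERVER_KEY):
        self._key = key
        self._known = {}

    @staticmethod
    def normalize(mac):
        """Canonicalize a client-reported MAC; reject anything malformed."""
        digits = re.sub(r"[:\-.]", "", mac).lower()
        if not re.fullmatch(r"[0-9a-f]{12}", digits):
            raise ValueError("not a MAC address")
        return digits

    def _tag(self, account, mac):
        # Keyed and account-bound: a MAC has only 48 bits, so a bare hash of it
        # could be reversed by enumeration if the stored table leaked.
        msg = account.encode() + b"\x00" + self.normalize(mac).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def logon(self, account, mac):
        """Return 'enrolled' on first logon, 'ok' on a known device, else 'step_up'."""
        tag = self._tag(account, mac)
        known = self._known.get(account)
        if known is None:
            self._known[account] = [tag]
            return "enrolled"
        # Constant-time comparison against every stored tag for this account.
        if any(hmac.compare_digest(tag, t) for t in known):
            return "ok"
        return "step_up"

    def approve(self, account, mac):
        """Call only after the extra verification step has succeeded."""
        self._known.setdefault(account, []).append(self._tag(account, mac))
```

The MAC is whatever the client reports, so a match is a signal for skipping the extra verification step, not proof of which machine is connecting.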

There has been no record of anyone tampering with or successfully obtaining access to encrypted game files using the Steam distribution platform, although it does seem like a legitimate attack vector. All game files seem to be encrypted similarly – possibly a secret key may be all that’s needed to break it. I’d imagine that the scheme works similarly to Kerberos in some sense in terms of authentication of user account to game files.

The more ubiquitous Steam becomes, the more profitable dodging the system becomes. Although most of the security problems with this software stem from the users not protecting the integrity of their accounts, it becomes important to educate your users with the intent of securing the platform.

Filed under: Security Reviews

3 Comments

  • 1

    Comment by Alex

    March 19, 2008 @ 9:29 pm

    MACs are not trusted sources. You can change the MAC address of an ethernet card willy nilly.

  • 2

    Comment by alpers

    March 20, 2008 @ 9:41 am

    The whole point is that when you initially make an account, that MAC address will be saved and hashed. If you decide to spoof your MAC address later, you will need to re-authenticate with the service (respond to an alert email, etc). Your MAC address should not be public knowledge anyway. Isn’t the only way that it can be grabbed if you’re on the same wireless network or behind the same LAN?

  • 3

    Comment by Jason Smith

    April 16, 2008 @ 2:17 pm

    Your machine’s MAC address is not transmitted over the internet. MAC is a layer 2 protocol, and is only handled by machines on the same physical network as your machine.
