Tuesday, July 26, 2005

Electronic Arts (EA) BattleField 2 (BF2) Stats Servers Hacked

Electronic Arts (EA) BattleField 2 (BF2) Stats Servers Hacked

This topic is being discussed in many forums online as many people (myself included) have all the weapons unlocked for their accounts when playing on BF2 Ranked servers. The following quote is from one of the persons who has claimed responsibility,

Well, what a wonderful few days it has been. Since EA didn't take the time to respond (or maybe even read) our emails about various stats-server security holes, it clearly showed us how much they care. Therefore, we came to the conclusion that modifying 5 million accounts wouldn't be that big of a deal.

That being said, accounts with ids from 40,000,000 to 45,000,000 now have all of their weapons unlocked.

What will be next week? Perhaps we'll give everyone their Distinguished Service Medal, or maybe we'll elevate everyone to the rank of Sergeant Major.

The ball's in your court, EA. Time's up at the buzzer, how well will you play?

In addition, the following quote is from an EA representative,

In the future, if you really are concerned about "exposing security holes" to EA (which I sincerely doubt) rather than grandstanding, please e-mail me personally since it appears that you don't have the correct contact info. I will PM you the address.

All of the changes made will be rolled back in the next couple hours. Users may have to rechoose any unlocks they would have legitimately made in the last day or so as a result of the roll-back, but no stats should be lost.

-ben aka [EA]Die Fledermaus

I deal with many vendors and many different patch methodolies and vulnerability report methodologies in the course of my professional services. The question has been asked about the vulnerability reporting in entertainment products before and now here again.

These incidents are no where near as interesting as mission critical servers and services being patched/hacked (usually containing sensitive information such as social security numbers, credit card numbers, etc.) as is the case in the broad IT field, these are usually proprietary applications and services which do not contain sensitive personal information. However, where are the clear guidelines for people to report issues and vulnerabilities with the software?

The retail helpdesk and support services? They often are hard-pressed to handle their current jobs and are not trained enough to handle such escalations, its not that they cannot it is just they there are not trained nor do they have the support infrastructure to do so. When and how will this change things for EA? Is this going to be a small time issues swept under the rug? On the other hand, is this going to wake things and be a catalyst for some improvements in the gaming industry, that the rest of the IT and business world have already been forced to come to grips with.

If as is stated in the claim to the hack, EA was notified? However, not through the “correct” channels? What are the correct channels? I have worked in the gaming industry, and I currently deal with the security industry on the IT side and know what to look for and where, but there exists little information to direct an individual to the correct contact point. (Does one even exist in the some organizations?)

Does that make the actions right, no. As stated by numerous laws local and federal, a crime was committed here, and as such, I am sure EA will pursue all legal interests in this going forward, but there is clear room for all entertainment companies to improve the vulnerability reporting of their products going forward.

More Information:

DSL Reports (AKA: Broadband Reports)

Total BF2 (Thread 1)

Total BF2 (Thread 2)

Total BF2 (Thread 3)
Claim to hack is Post #1 and EA response is #42

No comments:

Post a Comment