Think twice if you live outside the U.S. and plan to sell your used gaming console.
The Department of Homeland Security has launched a research project to find ways to hack into gaming consoles to obtain sensitive information about gamers stored on the devices.
One of the first contracts for the project was awarded last week to Obscure Technologies, based in California, to devise a forensic tool that will siphon data from the Xbox 360, Wii, PlayStation 3 and other consoles.
The $177,000 contract requires the company to create new hardware and software tools that can extract data from gaming consoles, and to purchase used gaming consoles outside the U.S. to determine what data was left on them by previous owners that can be extracted, including information about communications with other gamers, according to Foreign Policy magazine.
Gaming consoles can store sensitive information such as passwords, credit card numbers and addresses. Newer systems also allow users to communicate with one another via messaging and chat systems, and the government is interested in knowing what data is stored in the systems and can be siphoned out of them. But the systems often employ anti-tampering technologies that can make extracting data from them difficult.
Obscure Technologies was chosen for the contract in part due to its extensive reverse-engineering experience in general and its specific experience in exploiting digital rights management technologies, according to a government document justifying the award of the contract to Obscure Technologies. The company’s lead scientist previously reverse-engineered the Microsoft Xbox, according to the document.
The government says it plans to use the forensic tool only on systems owned by foreigners outside the U.S. and that the research is aimed at investigations of pedophiles who target victims through gaming systems, and terrorists, who DHS says may be using gaming consoles to communicate and plan their activities.
“This project requires the purchasing of used video game systems outside of the U.S. in a manner that is likely to result in their containing significant and sensitive information from previous users,” Simson Garfinkel, a computer science professor associated with the project, told Foreign Policy. “We do not wish to work with data regarding U.S. persons due to Privacy Act considerations. If we find data on U.S. citizens in consoles purchased overseas, we remove the data from our corpus.”
The government has long fretted about terrorists plotting and training in online games, but, as with any networked communication service, law enforcement agencies can subpoena a company running a service, such as Xbox Live, to get information on users. The research project appears to be another method to obtain data: in this case, data stored on devices seized in law enforcement and military raids.
Obscure Technologies president Gregory May told Foreign Policy that extracting data from gaming consoles is still in the “exploratory research and development” stage, and that it’s unclear what his company will uncover. “It will be interesting to see, because it’s new to us as well,” he said. “A lot of this stuff hasn’t been done. We’re not sure how complicated it is.”
The government first began looking at game system monitoring in 2008, when law enforcement became concerned that pedophiles were using game consoles to communicate with children. DHS’s Science and Technology Directorate was approached to develop a way to obtain game console data, according to Foreign Policy. The directorate then approached Simson Garfinkel, a computer science professor at the Naval Postgraduate School, to put together a contract for a private company to research the issue and develop a product. [Ed. note: Garfinkel wrote a classic piece for Wired about HavenCo, an attempt to create a new country that would house a data center immune to government takedowns and data seizures.]
The Navy posted the contract notice last February, which included a statement of work calling for a contractor to produce the following:
- Provide monitoring for 6 new video game systems, a maximum of 2 of any type from any given vendor.
- Generate clean data (data that does not contain any identifiable information from real people) from new video game systems.
- Design a prototype rig for capturing data from new video game systems.
- Implement the prototype rig on the new video game systems.
- Provide data captured by the prototype rig, including packets delivered in PCAP format and disk images delivered in E01/EWF format.
- Provide used video game systems purchased on the open market. Used systems provided shall be likely to contain data from previous users.
- Survey console chat room technology and identify potential chokepoints where data may be committed to storage.
- Identify data storage points on used video game systems and attempt to demonstrate proof of concept.
- Extract real data from used video game systems.
- Provide video game system extraction software and/or hardware.
Parker Higgins, a spokesman for the Electronic Frontier Foundation, expressed concern that users might not know what data is created and stored on their gaming devices.
“These consoles are being used as general-purpose computers,” he told Foreign Policy. “And they’re used for all kinds of communications. The Xbox has a very active online community where people communicate. It stands to reason that you could get sensitive and private information stored on the console.”
Although reformatting a device before selling it should erase such data, researchers at Drexel University have recently claimed they could extract credit card information and a billing address from the hard drive of an Xbox 360 even after it was reformatted.