One of the appealing parts about Ubisoft’s upcoming Watch Dogs video game is just how plausible its scenario is in the real world. In Watch Dogs, a hacker named Aiden Pearce and his friends take over the “city operating system” in a near-future Chicago. They spy on smartphones and use security cameras for their own surveillance. They cause traffic accidents by making street signals change unpredictably, creating an Orwellian nightmare that turns the tables on the authorities.
Could it really happen? An IBM executive I interviewed was skeptical. But Ubisoft made sure it was realistic by tapping Vitaly Kamluk, the chief malware expert at antivirus/security software firm Kaspersky Lab in Moscow. He consulted for a year and advised Ubisoft’s developers on how to balance both realism and entertainment in the game, which comes out in May. We interviewed Kamluk, who helped uncover a cyber-espionage ring called Red October back in December, about the theme of Watch Dogs and security in the real world.
GamesBeat: How long have you been consulting on Watch Dogs?
Vitaliy Kamluk: We were approached last year, the beginning of last year. Most of the game was ready, but they were changing the script still to make it look more realistic. That’s where we joined.
GamesBeat: What was their proposal? How did that get started?
Kamluk: At the beginning of last year — I think it was January when we published our big research paper about a cyber-espionage campaign called Red October. That was a great toolkit for doing cyber-espionage activities – stealing data from computer systems, collecting information from smartphones, infecting smartphones, recording voices if the system has a microphone, hacking webcam streams and uploading it to a server. It was pretty advanced and powerful. We researched it and made our findings public.
GamesBeat: Was that based on a real-world thing that already existed?
Kamluk: Right. We uncovered a cyber-espionage campaign, presumably of Russian origin. We believe that the developers were native Russian speakers. They’ve infected more than 150 different organizations around the world, mostly high-profile organizations like research centers, embassies, military contractors, oil and gas companies, and telecoms.
GamesBeat: What could they actually control remotely?
Kamluk: The main objective was to collect information. They were chasing pure intelligence goals, stealing data that could be used for geopolitical decisions or give an advantage to a particular government.
GamesBeat: Did you trace it back pretty far? Do you have any idea who did it?
Kamluk: Normally, we’re not after attribution. Law enforcement agencies handle that. But of course, we collect bits and pieces of information that are in the malicious software, and we can put it together and create a general picture of who might be behind it. That’s how we came to this conclusion that they’re mostly likely Russian speakers. We had several clues pointing to a Russian-speaking origin. We can’t definitely say that it’s the Russian Federation – it could be Ukraine, Belarus, Kazakhstan.
GamesBeat: What did you think about that, when you faced this question of how you could make Watch Dogs more realistic? What advice did you give?
Kamluk: As far as our expertise, [me] and two of my closest colleagues were involved in this cooperation with Ubisoft. We worked on investigated these threats. We do code analysis and forensics. We look at all these hacks that are happening and see what’s feasible and what isn’t, especially when we talk about the kind of hacks that you see in the game.
Most of them are automated control systems being compromised. This is a new trend that’s started several years ago, since the appearance of the Stuxnet worm, which hit industrial control systems. That was an example of how a computer program can break things in the real world. They actually broke physical equipment. That’s what we see in the game. It’s becoming more and more realistic.
Our role was to polish those parts of the game, where it should look like the real world. At the same time, it was very hard work for the developers to find a balance between real-life hacking – which takes a very long time — and the action in the game. They have to keep the action going, because you can’t just let the main character sit around analyzing code for days.
We found a nice compromise by introducing this application on the smart device that the character is using. That gives you an advantage – the idea that you have a set of tools, a set of exploits prepared that can be launched against particular systems. That way, it looks more realistic.
GamesBeat: Somebody is spending all of that time breaking that code in front of a computer for him.
Kamluk: Yeah. The main character isn’t a nerdy person, but he has very good support in the background. He has friends who help him work through all these obstacles with the advantage of these tools in his smartphones.
GamesBeat: There’s a close connection to reality where IBM has been proposing smart cities and this idea of a city operating system. It’s a real plan that some want to create to make cities run better. But it’s not quite here yet, so it seems very futuristic Watch Dogs. As long as those things aren’t yet connected, you can’t have this degree of control that you have in this game.
But are we heading in that direction? I wondered what your own thoughts were on reality now versus what’s envisioned, where everything is connected.
Kamluk: When I first learned about the idea of the game, I was amazed. Ubisoft made a good bet on the future as far as how cities will look like in five or 10 years. The game gives you a good opportunity to see what might happen if control goes into the wrong hands. You can take this control for yourself and play with it and see people experiencing difficulties. Your actions can hurt or kill someone. You can bring a lot of chaos to the city if you wish, or your enemies can.
We hope that this game will be a good chance for people to think about the security of future city operating systems. Security has to be considered extremely seriously in such cases. The game is an interesting simulation of how this might run if it’s misused.
GamesBeat: Everyone is talking about this so-called Internet of things as well, making devices smarter and more connected.
Kamluk: That’s right. The Internet of things might actually be a disaster. The number of devices around us is growing very fast, and we’re not updating these devices. Nobody’s responsible for that. You buy new devices every now and then, they’re left running, they’re not up to date, and they’re vulnerable. This creates a risk. They’re exposed to attacks. A potential hacker can take advantage and use these devices for their own purposes.
GamesBeat: It seems like the problem is that you can make a camera smart. You can also connect it. But if you make it foolproof, that’s a higher cost.
Kamluk: That’s correct, yes. Talking about cameras, one of the hacks you can do in the game is taking control of public CCTV cameras. That’s already happened in the real world. It happened with webcams, a service where the cameras were streaming media to a central server. The directory of these streams was exposed to anyone. If you knew the number of a camera – I think it was four digits – you could connect to it and control it and look through it. If you changed the digits, you could connect to someone else’s camera and control it – see what it transferred and move the camera.
GamesBeat: What about hacking into your Kinect on your Xbox or your PlayStation Eye camera?
Kamluk: Yeah, another possibility. The same with all these smart TVs that have integrated cameras for videoconferencing. These are potential targets. There are other examples, like the traffic lights you can control in the game. We haven’t seen anything exactly like that yet, but speed cameras in Moscow were attacked at the beginning of this year. Several thousand speed cameras were completely taken down by an unknown hacker. They had to spend a couple of weeks recovering all those systems.
GamesBeat: I bounced this off an IBM executive a few months ago, talking about what would happen if hackers took over a city operating system. He said, “When they start breaking things, you know it’s happening, and you shut it down.” He didn’t necessarily think that this sort of persistent control of a city is possible. I don’t know what you think from your perspective.