The Prince and the Villain – A True Story of a Security Hack

Prince3Once upon a time there was a prince who lived in a flourishing country with a prosperous economy. In his country and the business he was in, businessmen were honest with each other and bought what they needed, rather than stealing it. In business, so the prince thought, no-one would betray you, if only you did it right.

The prince had run his business for a long time and produced hardware which was used for testing in the manufacturing industry. As the years passed by, software became more important and the prince learned how to use it to make his products even more successful. Software was used to control the behavior of the hardware, to turn on and off capabilities and to adjust the capacity. He used licensing to make this possible and ensure that his customers didn’t use more than they had paid for. He was successful and sold his products for a price between $10,000 and $50,000 per unit.

One sunny Thursday afternoon, a servant came to see the prince. The servant had received calls from companies that seemed to be using the prince’s products but were not on the customer list. First the servant had thought it was an oversight on their end, but as it happened more often he became skeptical – and so did the prince.

The prince sent his knights to find out what was going on. What they told him when they got back made him scratch his head:

VillainA villain in another kingdom on the other side of the world had been selling the prince’s products for a lot less money than the original price. To use the prince’s products, a standard management tool from a highly trusted and well-known company in the industry had to be installed and given admin rights. For the products that came from the villain, however, this tool had been modified. Once the software on the device started up, it triggered a villainous service (a debugger) which did a memory patch of the software, changed the identity of the licenses and redirected all calls the software would send home to a “new home” that actually belonged to the villain.

The villain had set up his own license server that sent the expected answers back so that the software did not realize that anything was wrong. It was given a license as expected, just from the villain, not the prince.

The prince asked his best knight: “How could this happen? And how much money did I lose?”

The knight said: “My dear prince, I will tell you the truth. The villain must be smart. He used in-memory patching, mimicked the license generation across the internet and bypassed the security application we are using on our products. We have no connection to these products and I honestly cannot tell you how much money you have lost and how much more you are losing every day.”

“But …” the Prince said, looking perplexed, “I have been told that our products would be safe and that hacking is something that happens with computer games my children play. How did this happen to us?”

“Well,” said the Knight, “you might have treated this a bit lightly. Our products are very successful and we have sold many of them all over the world. Someone must have realized that and wanted to steal from us. It is like protecting our castle. It is an everlasting task and we always have to be vigilant. If we had ever given up on that you wouldn’t be where you are today. It is the same for the products you are selling.”

The prince listened to his knight and took it seriously. And he was able to get help and change the security of his products. He felt much better, was sure that the same thing couldn’t happen again and they lived happily after.

Wait – did they? Unfortunately we don’t know if this tale has a happy ending or more episodes that could ultimately even threaten or destroy the prince’s wealth. But we do know that this tale is actually a true story that has happened and could probably happen to many other princes (aka producers). The prince will have to protect his products and the software on it as good as he protects his own castle – every day.

What can we learn from this true story?

  • Villains become more sophisticated and more tenacious every day.
  • There are different types of villains (aka hackers) that try to break licensing processes: Some do it just for fun or to show they can do it, some want to get free access to software, and the third group has clear commercial interest.
  • When setting up their security policies producers should think about all groups. Many producers today underestimate the sophistication of hackers that do it for commercial reasons.

 

Readers also liked:

 

Leave a Reply

Your email address will not be published. Required fields are marked *