With the launch of Diablo III Blizzard has been under increasing criticism for its always connected requirement even to play the single player game. Many felt that this was not a good thing at all and in some countries Blizzard is facing lawsuits because of it. They also faced massive criticism for the large number of accounts that were compromised and looted. Some of the people reporting this even claimed that they witnessed the event while they were online. Blizzard’s response to these were less than helpful with the most common comment being that it was the player’s fault. We read through many posts on Battle.net that made the argument that the player must have had malware, keyloggers, etc. and that is what caused the compromise (we will talk about why they think this in a minute).

Blizzard maintained that their systems were secure and that no one had accessed them (at the time). Many felt that Blizzard was dodging the issue and that they would not work to improve security on their systems. We also had our concerns about Blizzard’s reaction and felt that their continued push for the Real Money Auction House (RMAH) was simply a breach waiting to happen.  Since the launch of the RMAH there have been two breaches, in one multiple items were stolen and in this one user information was the target.

According to the statement from Blizzard President, Mike Morhaime:

What we find interesting about the statement is that although Blizzard knew about the breach on August 4th they waited until the 9th to make users aware of the issue.  The list of regions is fairly large which to us would seem to indicate that the breach was in place for some time before the 4th of August. We also know from other sources that some players started receiving spam like text messages about their Battle.net accounts around the 1st of August. The messages usually claimed that a user’s password had been changed or that a security feature was removed from the account. Most of the originating numbers appear to have been spoofed, but this event could mean that the attackers had access to more than just the user account databases.

Blizzard has even made the statement that players might get phishing emails asking for a user’s login information, but there is another possibility here. According to the users we spoke to the text messages prompted the users to immediately log into their accounts. If Blizzard’s systems are still compromised it could allow the attackers to tie passwords to user accounts especially since the text messages were sent over a week ago. Also the fact that the mobile and dial-in authenticator information was stolen is also very concerning as Blizzard has always made the claim that with this type of two-factor authentication you are safe. Now using this information it is entirely possible for someone to spoof a user’s authentication routine and gain access to the system.

Blizzard also makes note that they are using SRP (Secure Remote Password protocol), which is a very good method for encrypting user passwords. Unfortunately, like any encryption, it is not unbeatable. Back in 2005 a researcher found a bug in it and was able to find a method for offline decryption of passwords protected by SRP. Since then the protocol has been updated to fix that particular flaw, but by no means does this mean another has not been found. Now it is the implementation of SRP that has made Blizzard so sure that passwords are not intercepted in transit. The basic theory behind the protocol is that the server has no knowledge of the password at all. Sadly this is only a theory. There is no way to create the initial connection and account without contact and prior knowledge of the user’s information. When you register you are setting up this prior knowledge with the server hopefully over a secure channel. From there a key, generated from the password, is created and stored with the user’s account information.

There are other items that can make SRP less secure, but are often employed to improve performance. One of these is the use of a static safe prime number and generator. By hard setting these is remove potentials for incompatibilities in client versions or software revisions. Another one is using a shorter prime number (current options are 256, 512, and 1024-bit). Some systems will also reduce the effectiveness of the hash used for passwords to improve performance choices are usually SHA-1, SHA-256 and SHA-512 with SAH-1 providing basic protection and SHA-512 the best. In many cases companies are relying on the zero knowledge aspect of SRP to cover using a weak hashing algorithm. All of these allow for better performance, but reduce the security that SRP brings.

Obviously Blizzard is not going to release the information on how they implement SPR in their system, but you can see that simply having SRP is not going to automatically give you a secure setup. If Blizzard chose performance over security it is possible that the SPR protected passwords are more vulnerable. With the advent of GPU based decryption software it is not out of the question that someone will be able to decrypt these encrypted passwords especially considering the amount of information they have. In theory they should be able to perform an offline attack on the encrypted passwords to get returns. Many are calling these attempts expensive in nature, but looking over what can be done with off-the-shelf hardware for decryption we are not sure we buy into the expensive portion of the conclusion we read in many reports.

As stated in one RFC we read:

“If an attacker learns a user's SRP verifier (e.g., by gaining access to a server's password file), the attacker can masquerade as the real server to that user, and can also attempt a dictionary attack to recover that user's password.

An attacker could repeatedly contact an SRP server and try to guess a legitimate user's password. Servers SHOULD take steps to prevent this, such as limiting the rate of authentication attempts from a particular IP address or against a particular user name.

The client's user name is sent in the clear in the Client Hello message.  To avoid sending the user name in the clear, the client could first open a conventional anonymous or server-authenticated connection, and then renegotiate an SRP-authenticated connection with the handshake protected by the first connection.”

Additionally they acknowledge the possibility that someone can use a cryptographic trapdoor to help them calculate the secure prime “An attacker may try to send a prime value N that is large enough to be secure, but that has a special form for which the attacker can more easily compute discrete logarithms (e.g., using the algorithm discussed in [TRAPDOOR]).”

The information taken by the attackers, depending on the implementation of SRP, could compromise the entire system and when combined with the theft of the two-factor authentication data shows a very serious compromise of Blizzard's system even for users that did not have their data taken. Our guess with the delay in Blizzard’s public notification was more damage control than anything else. They needed the time to ensure that they changed certain parts of their security to cover any gaps that existed in both SRP and their two-factor authentication system (which could also indicate they knew about them). This was smart from a security perspective, but is sure to upset a few customers how might feel they should have been notified first.

Unfortunately this breach makes Blizzard look bad in light of their stance on compromised user accounts. While they can still point to the use of SRP and say that their system was “secure”, SRP is not bulletproof and there are multiple methods that an attacker can use to compromise the system (even if they are complex to implement). Hopefully incident will force Blizzard to change not only their security, but how they react to complaints from their users about security and compromised accounts.

Discuss this in our Forum