|
Personal Projects
|
|
Social Engineering has been a “buzz word” floating around different gaming titles for a while now, but what is it really? Are games actually leveraging these Social Engineering techniques in interesting ways? Or are they merely piggybacking on these concepts to further their game’s narrative? Today I plan on exploring what Social Engineering truly means and ways we’re exploring these ideas in gaming! For this we’ll be taking a closer look at Orwell, Mr. Robot:1.51exfiltrati0n.ipa, and The Red Strings Club.
One of the first games that came to mind was Orwell. The premise of Orwell is that you’re a recruit trying out a new type of surveillance software called Orwell. Your job is to use Orwell to investigate suspects of a terrorist bombings in a place called “The Nation.” Orwell allows you to snoop on these individuals, find data fragments, and add these to the suspect’s file. The key point of the game is that you can choose what elements you add to the file, and what to not include. There are times where pieces of information could be out of context and paint the individual in a false light. The main way Orwell allows the players to gather this information is either through web based searches (finding user profiles and social media), listening in to phone calls and chat logs, and in some cases you’re able to hack into their phones and computer files. The depth of the “fake internet” is what makes Orwell so interesting, it feels very similar to searching on the web, social media accounts, the writings is well done and the chat logs feel realistic, and overall feels like normal web activity. It leverages what we already know of engaging with the web, and essentially gamifies it. Where Orwell lacks is that it feels so very voyeur compared to other gaming examples… you don’t really interact with the characters and in many ways the story just sort of plays out in front of you. While the whole premise is that you’re working at a surveillance agency, so in that way it makes sense, it just feels like it’s missing that engagment piece to make it a true simulation of “Social Engineering.” I should be able to use the web as a resource, find information online, and then begin to attempt one of the tactics above. The Mr. Robot’s app, “1.51exfiltrati0n.ipa,” begins with the premise that you’ve found a phone. Upon “booting up” the phone, the app goes through a realistic boot sequence where it pretends to wipe the phone’s SD card and reset. From here the game launches a chat app style interface. Shortly after you start receiving messages from the angry owner of said phone. While you may offer to give the phone back, for some reason, the previous owner is unable to meet you to retrieve the phone… yet they need a file off of the phone that can still be recovered, even though the phone was wiped. The game proceeds from here at real time, where you’ll start receiving messages periodically. At times the messages are story related, and at times it’s the library messaging you to return some books or a confirmation of a pizza delivery. Relatively early on in the experience you’re added to a group chat, where they all believe you’re someone named Karen. Try as you may to tell them that you’re not Karen, they won’t believe you… As the game progresses, you’re soon asked to do some unscrupulous activities. Mainly this entails impersonating other people, or even blackmailing them to find out specific information for the owner of the phone… Early on you’re asked to try and get login credentials from someone named “Lois Berry,” you’re given some preliminary information about her and if you use the contacts in the phone you can find out a few more details about Lois before you begin. From here you can start texting her, and the game presents you with a few different options to go with but I decided to pretending to be from HR. As the conversation progresses you can try to use different techniques on how you’d like to try to get her credentials, I decided to tell “Lois” that there’s been a complaint made about her… thinking that it might make her more eager to help her case. Unfortunately the conversation didn’t end up going too much further, as she decided she really wanted to talk to someone in person, yet she did leak the number for the HR chat line to me before leaving. So while I didn’t get as far as I wanted with Lois, I decided to message the HR line… this time I could pretend to be Lois herself or her Husband… I chose Husband, figuring I could play up ignorance. Going with another believable scenario and telling the HR line that “My wife is sick and can’t remember her login,” I was just then prompted to answer a security question. The security question was where Lois’ Husband works, which was intel I gathered earlier, and so I passed and the HR line forwarded me the login credentials I had been hunting for. This is a great example of social engineering, using what you know and manipulation of human behavior to get what you’re looking for. Within this scenario I tried to pick someone that would appear to be a “Trustworthy” source, granted where it fell apart was that I was messaging from an unknown number to the victim. Then creating a believable narrative for both Lois and the HR phone line, and a few minor details about a person’s life, made the process feel very easy. While I don’t know how believable it is that HR would be the one to fail us in the end, this is social engineering at it’s core. The Red Strings Club is a cyberpunk adventure game, where you’re playing mostly as an enigmatic Bartender that serves more than just liquer. The premise of this game is that you’re a bartender working within the “Red Strings Club,” and you’re also working as an information broker. Using your wits and your spirits, you’re meant to get information out of your patrons. The world itself is largely driven by large corporations, human augmentation, and the impacts of that augmentation. Early on the player is exposed to a potential conspiracy surrounding a company called “Supercontinent”, who plans on releasing a new technology that would moderate people’s emotions on a global scale… Fearing this kind of brainwashing, the protagonist and his cohorts set off to discover “Supercontinent’s” plans and how to foil them. What brought me to The Red Strings Club were specifically some articles that referenced the Social Engineering gameplay within, and so I thought I’d give it a shot. What I found was an interesting variety of gameplay mechanics, some closer to social engineering than others. Most of the game has you playing as the bartender creating specific cocktails at the bar, with each cocktail triggering an emotional state in your target. You have to balance this with what you’re asking, do you want someone to feel confidence or regret when you question them? Overall this felt like a pretty interesting dynamic, yet what I found was that there wasn’t many branching dialog options… in the end the game forces you through all of the dialogue options, but it’s more of a matter of selecting the “right” emotional state for each of the questions. While mechanically interesting and thematically similar, it’s not quite Social Engineering. Yet near the end of the game, there’s a portion where the player is asked to pick the right people to call and who they want to impersonate in order to get certain types of information. For example in one instance you have to figure out the maiden name of an employee, so I chose to call the Human Resource manager and try impersonating the Chief Financial officer… granted it didn’t get me as far as I wanted to, but having to think about how you navigate those roles and information was pretty interesting. There was also an aspect of leveraging certain relationships, where you knew the Marketing Manager was attracted to Scientist and you could use that information to your advantage.
Overall these games are playing with the themes of Social Engineering in interesting ways, and some more strongly than others. The Mr. Robot app seems to probably be the strongest example of Social Engineering, but I’d love to see games go a bit further and incorporate different mechanics. For example it would be great if we were able to do more of our own research on a “fake internet” and social media profiles (Orwell), before going into a dialogue minigame either via text (Mr. Robot) or phone (The Red Strings Club), depending on the scenario. It’s interesting to play with these kind of Social Engineering dynamics, yet it’s also hard to not think of real world implications as well… Is this encouraging others to use Social Engineering to their own gain or is it harmless fun? Perhaps we should be keeping it one step removed from how it works in the real world, and a bit more fantastical. In any case I find it all pretty interesting, using similar ways of how we engage with technology in our day to day and gamifying it a bit… Ironically enough as I finish this post there's news about an Orwell's sequel, it'll be interesting to see how it might change up the formula. Until then I'll be keeping an eye out for other games that may be using Social Engineering!
2 Comments
|
AuthorI make games, I play games... and sometimes I have some thoughts about that. Archives
March 2024
|
Proudly powered by Weebly