Cybersecurity in Cyberpunk 2077: the good, the bad, and the cringeworthy

Cybersecurity in Cyberpunk 2077: the good, the bad, and the cringeworthy

What game caused some players to experience seizures, allows you to have unauthorized sex with Keanu Reeves, features a lead character who can’t keep the contents of his pants contained, was pulled from the PlayStation Store weeks after release, and still managed to shatter sales and streaming records? 

Of course we’re talking about Cyberpunk 2077, the latest game from Polish developer CD Projekt Red.

In spite of countless, often embarrassing, bugs CDPR created an engrossing open world RPG that even the game’s detractors can’t stop hate-playing. Arguably, a big part of Cyberpunk’s appeal is its setting. Taking place in a fictional American metropolis known as Night City during the year 2077, this dystopian vision of the future attempts to cram every single sci-fi cyberpunk trope into one 30 hour game. Hacking, virtual reality, body modification, sentient computer AIs—it’s all in there.

For all its high tech wonder, some aspects of day to day life in Night City feel familiar. The Internet (or Net, as it’s called in the game) looks about the same as it does in real life, with players browsing websites on a monitor, a mouse, and keyboard. And it’s still possible to get a computer virus. In fact, falling victim to a computer virus is central to the game’s plot.

Since Cyberpunk features computers, hacking, viruses, and has the word “cyber” in the title, we obviously had to write about it.

So, the two members of the Malwarebytes Labs staff who actually played the game were asked to weigh in on cybersecurity in Cyberpunk 2077. And if we get to talk about video games for work, we’re all for it.

SPOILER ALERT: This discussion covers some major plot points.

Who are you?

Philip Christian: Hi! I was an avid gamer through college. Now I play a few major releases per year. I completed the main quest in Cyberpunk. All in, I’ve sunk about 70 hours into the game. I played on Google Stadia (don’t hate me). I work at Malwarebytes so I must know something about cybersecurity, but when it comes down to how threats operate on a technical level, I turn to the experts, like Chris.

Chris Boyd: I’m a Lead Malware Intelligence Analyst for Malwarebytes. I’ve played games dating back to the Atari 2600 days, have worked on a few titles you won’t have heard of many moons ago, and particularly enjoy modding the guts out of Bethesda titles. I’ve put roughly 200 hours into Cyberpunk, and spend a long time looking at hacking in games generally.

The most cringeworthy cybersecurity moment?

Philip: The hacking mini game was total baloney. When you try to hack a computer you’re shown this number matrix and you’re trying to select the correct numbers from the matrix. Not sure what this has to do with hacking unless hacking IRL has something to do with Sudoku.

If I’m being generous, it does bear a vague resemblance to brute force attacks, which are kinda big right now. With a brute force you’re just mashing in numbers, letters, and characters hoping you guess the correct login credentials, but you’re doing it really fast with an automated program entering the credentials for you.

Chris: Would have to agree, the hacking minigame is a horribly confusing pattern matching puzzle which is badly explained and not very realistic. This is common in games, and unless the game is entirely focused on hacking I think the right approach is to try and keep it simple. Sadly, that hasn’t worked here.

The most realistic cybersecurity moment?

Philip: There’s a mission in the game where you need to hack into someone’s password-protected computer. The mission entails looking at websites and figuring out the person’s password from what they’ve shared about themselves online. It’s really just a small part of a larger mission to find a missing teenager. This is a more realistic take on hacking than the numbers mini game. We all reveal way too much about ourselves via social media and cybercriminals use that info against us.

Chris: The cybersecurity realism in the game seems to come from incredibly meta real-world happenings related to the title. For example, the character Goro Takemura is a legendary personal bodyguard / security expert who trains literal cyber ninjas. The gag is he is also absolutely useless with technology, and often sends accidental selfies to the player character while trying to do something else.

Sure enough, a bug occurred in the game which could essentially break saves and prevent progress. The cause? Goro, the guy who can’t use his phone properly, would call the player character and the call would bug out.

“Videogame character who can’t use his phone breaks your game, with his phone” is meta enough. But then we have Elon Musk announcing a Tesla model will be able to play cyberpunk, at roughly the same time it’s announced his Neuralink, Musk’s neurotechnology company, may be trialling computer chips in brains by the end of the year.

Being able to play a game about the dangers of placing chips in your brain, in a car built by somebody who wants to put chips in people’s brains, is the kind of crossover I live for!

Best representation of hacking in the future?

Philip: My favorite NPC in the game is Delamain the AI taxi driver. He looks like a cross between Johnny Cab from Total Recall and Death from Bill and Ted’s Bogus Journey. Anyway, his system gets infected by a rogue AI and it’s up to you to help him clean it out and regain control of his fleet of computer controlled taxis. Cars today are computers on wheels and car hacking is already a thing.

Chris: More than the hacking mini game, the real hacking meat on the bone here concerns Biohacking and more technology-centric body modifications. Almost everyone in the game is walking round with some sort of Internet-connected body part at all times.

People can overload your ocular implants, fry chips in your body, shut down devices and leave you at a standstill, wipe your short-term memory, and more.

It’s only natural we’ll see an increasing number of technological solutions for medical issues, and the tech industry has a habit of connecting things to the Internet without much care for security. In some ways the future is already here, and has been for some time.

Pacemaker hacks already exist. “Looping”, a DIY method for hacking your own insulin pump, has brought about a surge in purchases for the device needed to do it. A killer-app remote control for insulin pumps? Yep, those exist too.

As we creep towards Transhumanism, we’re going to have to be very careful regarding our final destination. If we aren’t careful we’ll quickly arrive at a point where anybody could be running anything. How do you prepare for that? How do you secure it? It’s entirely possible that we won’t be able to.

Scariest representation of hacking in the future?

Philip: Someone put out a mod that swaps the Johnny Silverhand skin (modeled and voiced in-game by Keanu Reeves) with one of the sex workers (aka joytoys), allowing your character to have sex with an NPC that looks exactly like Keanu. It’s more weird than anything, but the incident got me thinking about deepfakes. This incident isn’t a deepfake in the strictest sense of the word, but it does give us a high profile example of a real person’s likeness being manipulated with technology. It’s something we’re just starting to see and we should expect to see more of it in the near future.

Chris: In games specifically, character swaps are nothing new. As good as Cyberpunk 2077 looks, even the highly detailed models such as Keanu’s are very much video gamey and not very realistic looking, once you get up close. It’s more an approximation of what the developers think he looks like, as opposed to even a fairly basic deepfake which can look very real indeed. Having said that, the developers were well within their rights to shut the mod down because the modder didn’t have Keanu’s permission. The issue of consent is paramount, whether the mod is ultra-realistic or some sort of PlayStation 2 callback.

I think games have a long way to catch up to deepfake levels of controversy, and this would be a subject to revisit if and when realistic models of real people work their way into VR titles.

What else caught your attention?

Philip: I liked how you could hack mundane items like soda vending machines, TVs, and security cameras as a way of distracting enemies. IRL it’s already possible to hack IoT (Internet of things) devices, control them remotely, and cause them to behave in weird ways. There’s examples of coffee machines being hacked, baby monitors, smart TVs—you name it. If it’s connected to the Internet, it’s susceptible to hacking so maybe think twice. Does your refrigerator really need to be connected to the Internet?

Chris: A major aspect of the game is trying to cheat death by any means necessary. Replacing vital organs and upgrading body parts, even when there’s no medical requirement for it, to make yourself run faster or punch harder. You can even scan people in the street with ocular implants tied to the city’s crime database (hello, facial recognition glasses).

The biggest push where that’s concerned involve’s the game’s main quest. Corporations offer immortality by copying your consciousness to a computer chip, and the ramifications thereof.

It’s amusing to me that we’re playing through this fairly common sci-fi/technology trope at the same time as Microsoft’s patent for dead relatives revived as AI chatbots was discovered.

Where this technology goes from here is anyone’s guess.

Is it safe to mod your game?

Philip: Going back to the Keanu Reeves sex mod thing. CDPR had the mod removed from the site where it was being hosted. Since it’s not available through legitimate channels I think people who are curious will try to obtain it through less safe backchannel methods. This is a perfect scenario for scammers and criminals. In fact, CDPR recently advised gamers not to install mods from unknown sources due to a vulnerability that might allow criminals to remotely execute code on the target system.

Chris: They’ve already updated the game to address issues from that vulnerability, which is great news. Having said that, there’s always a risk from modding any game where you download unknown code and files. Most major mod sites perform some sort of security check on files offered for download, but gamers should always run some tests of their own. You’re entrusting your whole system to random people offering you files.

Some of the mental safeguards we deploy to avoid sketchy downloads tend to come down when modding. “I’m on a trusted site, everything here is legit, what could possibly go wrong”. A little caution is always a good thing where modding is concerned, whether it’s your favorite game or your ocular implants.