The Cybersecurity of Persona 5

June 1, 2017 | Kim Crawley
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

I'm not only an information security professional, I also happen to be a huge Japanese RPG fan. I've also been playing video games since 1989. The Persona spinoff of the massive Megami Tensei series is one of my favorite game franchises. Persona games feature beautiful art design by Shigenori Soejima and Masayoshi Suto, excellent music by Shoji Meguro, well written stories and characters, and compelling game mechanics.

What's black and red and picaresque all over? Persona 5, of course.

I only write professionally about cybersecurity, I'm not a video game reviewer or critic. I've previously played the PSP version of the first Persona game, the PSP version of Persona 2: Innocent Sin, the PSOne version of Persona 2: Eternal Punishment, Persona 3 Portable, and Persona 4 Golden. I've been eagerly anticipating Persona 5 since it was first announced by Atlus in 2013. This March, I preordered the PS3 version with my own funds, and it arrived at my home via mail in mid-April. As of this writing, I've played about 65 hours of what I expect to be an over 100 hour first playthrough. Persona 5 is an excellent game, and I'm thoroughly enjoying every minute of it even though on occasion I stress out about time management.

I bought the game because I'm a fan. Before I got it, I was aware that one of the characters, Futaba Sakura, is a computer hacker. But I had no idea how significantly cybersecurity themes would be woven into the plot of the game. Nor did I expect my gaming hobby to give me an idea that I can use in my information security writing. But it turns out that many details of the game's plot rely on cybersecurity concepts. If you don't want Persona 5 spoilers, I recommend that you stop reading this.

In the cybersecurity world, women are a minority. I'm a woman, and I've made a point of highlighting other women in my field in a series of interviews for Tripwire's State of Security blog. I've read all of the novels in Stieg Larsson and David Lagercrantz's The Girl with The Dragon Tattoo (Millennium) series. Admittedly, what first compelled me to read those books was the Lisbeth Salander character, a female hacker. I enjoyed reading those novels and watching the Swedish movies, which are based on the Larsson-written trilogy. But I knew that the nature of some of Salander's “hacking” would be unrealistic in real life. (She couldn't have taken money from Hans-Erik Wennerström's bank account in the way it was described in the first novel, for example.) Even with those technical inaccuracies, those books were a lot of fun to read. I don't expect cybersecurity themes in fiction to always be portrayed realistically.

I would describe the setting of the Persona games, Persona 5 included, as contemporary fantasy. It's kind of like Buffy The Vampire Slayer in the sense that the characters live in the modern world with modern technology, but there are also magical or fantasy elements, like vampires in Buffy, or “Persona” spiritual entities with magical attacks in the Persona series. I really enjoy that sort of setting. I enjoy it more than high fantasy, quite frankly. (Come at me, nerds!)

In Persona 5, you play a male Japanese high school student, who you get to name yourself. I named mine Kimiko Kururai, inspired by my English real name. (The closest phonetic approximation to “Crawley” in Japanese is “Kururai.”) Yes, the “ko” suffix makes his name feminine, but “Morgana” is a feminine name for a male non-cat, eh? While in his hometown, your protagonist catches a shady politician while he tries to rape a young woman. The protagonist intervenes, and the politician, with the cooperation of the woman who you tried to rescue, lies to police to get your protagonist arrested.

For his probation, the protagonist is sent to live and attend school in Tokyo. A cafe owner named Sojiro Sakura takes him in and lets him live in the attic above the Leblanc cafe. While on his way to his first day of school at Shujin Academy, your protagonist ends up in a mysterious castle with a Shujin student he just met, Ryuji Sakamoto. While trying to escape the castle, Ryuji and your protagonist meet a cartoonish looking cat named Morgana. Morgana insists that he's really human, and can also help the boys escape. Morgana also teaches the boys about the magical palaces that are created from the twisted desires of real people, such as that castle that was created by Shujin Academy's sociopathic gym teacher. They're acquainted with their mission to “steal the hearts” of troubled people to reform Japanese society. Morgana already knows how to use his Persona, a spiritual being that can fight shadows with magic when aroused from the soul of anyone who's a potential Persona user. Your protagonist and Ryuji awaken their Personas, as do the other main characters who join you over the course of the game, Ann Takamaki, Yusuke Kitagawa, Makoto Niijima, Haru Okumura, Goro Akechi and our hacker girl Futaba Sakura.

How do your protagonist and his friends, who eventually call themselves the Phantom Thieves of Hearts (I named mine “The Crawleys”), access these twisted desires that formed palaces in the first place? Before the protagonist ends up in the castle palace at the beginning of the game, a strange app appears on his smartphone that he can't delete. It turns out that the app is the means of accessing the palaces in the game, which function as the dungeons of this RPG. To gain access to a new palace, the Thieves must try keyword strings related to the target or their palace, and hope for a match.

I don't know of any TCP/IP ports that can transport human bodies to imaginary worlds, at least not literally. If there's anyone reading this who has a vendor neutral networking certification from The Wonderful World of Oz, you may correct me on that matter. So instead, I'll look at malicious mobile apps in the real world.

In the game, it can't be determined whether the protagonist's phone runs Android or iOS, which is probably a deliberate move by Atlus. In Android, sometimes apps that users cannot uninstall are packaged by the device OEM before the user purchases their phone. They can only be uninstalled by acquiring root access. In iOS, there are Apple apps that cannot be uninstalled without a jailbreak if ever.

The Metaverse app ends up on the protagonist's phone only after some time of using it, so we can rule it out as “bloatware.” He also didn't deliberately install the app. Sometimes malicious apps get installed on mobile devices without the knowledge of the user, and some of those even have launch icons, as the Metaverse app does. Most of the time when that happens the malicious app is a Trojan that ended up in the App Store or Play Store. If the security configuration of your mobile operating system is lax, you can also get malicious apps outside of the official stores, such as via the web or an email attachment.

The easy availability of filebinding programs means that an email attachment that doesn't look like an app, such as a JPEG file, can have an app or other sort of executable file in it. Did my Kimiko open a malicious email attachment on his way to Tokyo? Quite possibly. As for Kimiko's inability to remove the Metaverse app icon, difficult to delete icons are a frequently reported issue in both iOS and Android. My protagonist could have tried factory resetting his phone. But what if Igor or Philemon put a mysterious backdoor into his phone's OS?

About midway into a Persona 5 playthrough, after beating three other palaces, the Phantom Thieves start to become famous. Suddenly, some unidentifiable party starts text messaging the protagonist.

A hacktivist group called Medjed threatens the Phantom Thieves. The anonymous person who texts you says they can help you deal with Medjed, but you must cooperate with them first. They want you to find a way into their palace to steal their heart. Huh?

The protagonist is baffled as to how the anonymous person who calls them self Alibaba got his number in the first place. The way that the hacker reaches the protagonist is, in fact, possible in real life. They could have done something like slip RAT malware onto the protagonist's phone via a filebinded image file sent through Facebook Messenger. If the protagonist didn't deliberately hide or anonymize their social networking profile, that's how they could be found and chatted with, by someone pretending to be someone else. With a remote connection and view of the phone, the hacker could find their phone number in the phone settings.

Later on in the game, we learn that Alibaba is actually Futaba Sakura, whose stepdad Sojiro Sakura runs the Leblanc cafe where the protagonist lives. So, what I think most likely happened is that Futaba got physical access of the protagonist's phone while they left it unattended in the cafe. That makes more sense when you consider how Futaba bugged the cafe to listen in on the Phantom Thieves' conversations. The bugs are probably old-fashioned analog style, like the bugs that helped bring down Richard Nixon, because Sojiro Sakura doesn't seem to use any computer equipment while running his cafe.

I'm impressed by how the writers of the game developed Medjed. Years ago, I wrote about hacktivist groups like Anonymous. Anonymous, the first hacktivist group to ever become famous, started on 4chan. In 4chan forums, users are called “Anonymous” by default. The culture of 4chan, even a decade ago, encourages people to make outrageous posts while sharing no identifying information about themselves-not even a reused username.

The writers of the game did an excellent job of modelling Medjed on Anonymous. Futaba reveals that she started Medjed, possibly on a forum like 2ch, the Japanese precursor to 4chan. She claims to have nothing to do with Medjed's recent activities. That's because anyone on the internet can claim to be Medjed, there's no organizational hierarchy like in a conventional organized crime group. That's precisely how groups like Anonymous and its LulzSec spinoff have worked.

Medjed even has a slogan that's kind of like Anonymous's. Anonymous used, “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.” Medjed says, “We are Medjed. We are unseen. We will eliminate evil. “ (I'm just using the official English translation of the game, because that's the version I'm playing and I don't speak enough Japanese.)

Once Futaba joins your team, even though she's a Persona user, she doesn't directly fight battles in your party. Instead, she can offer random buffs to your team members, such as to increase your attack power. She can also help you navigate palaces and Mementos, the side quest dungeon. Her l33t skills come in handy when you need to crack or penetrate the equipment that foes use in palaces.

Futaba Sakura, like Lisbeth Salander of Stieg Larsson's novels, is introverted, socially awkward, and has a troubled past. I can relate to both characters in those ways. But although I'm not neurotypical either, I think I can fake extroversion better than they can. Plus, I'd much rather write about cyberattacks than ever try any in real life. Maybe I'll be a pentester one day. Or maybe I'll just write about cybersecurity for the rest of my life.

I've met many people in my industry, and I've also met people who thought they could become the next Kevin Mitnick. The information security professionals I've met are obviously all very brainy people, and we're generally more introverted than the norm. People in my industry are also more likely to be paranoid, even when they never do anything illegal. Futaba definitely has character traits that I've seen in both cybersecurity professionals and script kiddies with unrealistic dreams of infamy. You must be able to enjoy thousands of hours of solitude to learn skills like computer programming or penetration testing. Computer nerds do sometimes need to interact with each other, but most of the time that interaction is over the internet rather than in meatspace. Futaba feels natural as the kind of 15-year-old girl who would have a subscription to 2600 Magazine, where I've also written about hacker culture.

Atlus and P Studio have done an excellent job of making this game, and I look forward to playing the 35+ hours left of my first playthrough. Because of the constraints of writing fiction for video games, and also because the Persona games take place in obviously fictional contemporary fantasy settings (even though the Tokyo of Persona 5 does use areas that look just like places in real world Tokyo), not all of the “hacking” is completely realistic. But what they deliberately got right is actually true of real world technology and the cultures that computer technology have created.

Images from Atlus.

Kim Crawley

About the Author: Kim Crawley, Guest Blogger
Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related.By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.
Read more posts from Kim Crawley ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL