[Updated] Fallout 76 PC Multiplayer Is Unsecure and Could Allow Major Exploits

[Update 11/6/18] Bethesda has responded to claims that their multiplayer game Fallout 76 is vulnerable to hacking and exploits. They provided comment to IGN contesting the validity of teetharejustdone’s information.

“Many of the claims in the thread are either inaccurate or based on incorrect assumptions. The community has however called to attention several issues that our teams are already actively tracking and planning to roll out fixes for. Our goal is always to deliver a great experience for all our players. Cheating or hacking will not be tolerated. We know our fan base is passionate about modding and customizing their experience in our worlds and it’s something we intend to support down the road.”

Alongside Bethesda’s response is another Reddit user yaosio diving into the network traffic of Fallout 76, and finding encrypted traffic in the latest beta.

[Original Story] The Fallout 76 PC version has been having a rough go at it, and the game isn’t even out yet. Last week’s PC beta started with users getting their entire Fallout 76 folder deleted by a bug. Then players discovered that Fallout 76 relies on an archaic system that ties physics to frame rates. Turns out, Fallout 76‘s multiplayer code is even worse than some imagined.

Reddit user teetharejustdone posted on the r/fo76 subreddit dedicated to Fallout 76. They posted a host of information regarding the game’s netcode and client/server relationship, which might have major impacts on the final release. Teetharejustdone, a Fallout 4 modder, gave several reasons why the Fallout 76 PC netcode is a mess.

Firstly, there are no server checks to verify file integrity. Teetharejustdone suggests modders could make trees smaller, or highlight player models without the game’s servers (or other players) knowing. Secondly, all terrain and collision is handled client side, meaning players can edit the game’s .esm file to allow themselves to walk through walls. The Fallout 76 PC servers don’t check for integrity on the .esm file.

Furthermore, there is no encryption or obfuscation of client-to-client communication. Player IP addresses, and game information is sent in plain text between clients. Teetharejustdone says people can use Wireshark or similar programs to get player locations, health info, and more directly from network packets. The Fallout 76 PC servers supposedly don’t check anything they are being told, and because of the plain text network traffic, the game can be exploited by constantly sending certain information. The example teetharejustdone gave was to capture and then resend the information that you have full HP. One final example they gave was being able to forge a packet with the disconnect command from those plain text IP addresses you got earlier.

Mods for Fallout 76 PC have already made it to Nexus Mods, with one pointed out by teetharejustdone exploiting the game’s weak network security. That mod showcases the lack of file checks, and that the server listens for information without parsing if that information is legitimate.

Bethesda Game Studios has not responded to questions from the community regarding the validity of this information, but many are speculating that—like the beta’s speed hacking exploit—a fix won’t be coming for quite some time.