GURPS 4th edition presents the "Computer Hacking" skill, but possesses no real hacking mechanic in order to make this activity interesting or marginally realistic (even if under a cinematic campaign). These rules aim to fill this void.

Hacking is the process by which a character who shouldn't be able to, gains privileged access to a device's software systems. This occurs after an attack that gives them a degree of "access” to the target device interface.

There are five access levels:

Access: Penalty: Permissions:
Denied 0 The character has no access and does not get any information about the system.
Guest -2 The character gets only basic and (apparently) harmless information about a system, such as: When it was used, by whom, etc.
User -4 The character is able to execute some commands and has its own personal space on the system where they can open and save files and use some programs designed as "safe".
Privileged -6 Character has full access to system programs, can run any program, and can open any file.
Administrator -8 The character has direct access to the device's operating system and can, if desired, even control its user list. It also has visibility and contact with any other system that are in contact with this one.

The GM is the final arbiter in determining, in each device, what would be the degree of access required for each desired activity. Sometimes, the character who creates the device can also determine this.

Hacking systems[]

Hacking into a system requires the character to have some kind of contact with it. This almost always takes place via radio, although most systems physically accessed. Physical access, in this case, does not mean a network cable, but an actual session open in the target machine through its keyboard or direct input interface.

A systems invasion is a two-step process:

  1. The attacker performs a vulnerability scan of the target system.
  2. If any vulnerabilities are found, they can perform a invasion test. The result of a successful invasion check is the acquisition of a more privileged access level than their previous level.

Required Skills[]

The skill for performing a scan and a hack is “Computer Hacking/TL (IQ/VH)”.

The TL of the system being hacked is extremely relevant. Each difference in TL gives the hacking attempt a ±5 modifier. The lowest possible TL for a system that can be hacked is 7, since computing didn't exist before that.

Vulnerability Scan[]

To perform a scan, the attacker performs a simple hacking test with a penalty equal to the system's complexity.

Many systems, regardless of their complexity, have more robust systems or have programs running whose purpose is precisely to prevent invasions. This may impose an additional penalty on the attacker's attempt.

Whether the scan is successful or not, the defending system is entitled to a "Computer Programming" test to detect the scan. The attacker may take an arbitrary penalty on his scan attempt that will also be applied to the defending system's detection test.

If the defending system succeeds in its test, it is aware of the scan and can, if possible, run countermeasures.


When being scanned for vulnerabilities, a system that is aware of the intrusion can counterattack the intruder. If the system is built into a person (as in the case of a cybernetic implant or a robotic character), or if the system is being actively monitored by a person, the character himself can counterattack with their skill levels. However, sometimes systems have programs created especially for this type of situation, which act as if they have the "Computer Programming" skill at a particular SL.

The hacked system chooses which countermeasure to take. The hacker chooses how they intend to defend against this, neither of the two knows what the other's choice was until both are revealed.

Countermeasure Effect
Total shutdown The device being invaded is turned off. This automatically ends the invasion without any possible resistance from the attacker. However, in many cases this may not be desirable as it may be exactly what the attacker wants!
Communications Shutdown Only possible for radio intrusions. The system can stop all its network interfaces, which cancels the invasion attempt.
Restore User Table The system attempts to restore its user table from one of its backups.
Counter-scan The system itself tries to scan the attacker's interface for vulnerabilities. It is at +3 on this check. If the counterscan is successful, it cannot be hidden. If the intruder doesn't stop to defend against this counter-scan, both the intruder and the invaded gain access to each other. The attacker cannot defend from it with another “counter-scan”.
Port Redirection The system attempts to redirect the attacker's communications to a set of interfaces that point to a protected area of ​​memory where they cannot do any harm.
Defense Effect
DDOS The attacker keeps multiple simultaneous connections open, all trying to maintain contact with the device. Effective against “port redirection”, useless against “restore user table”, neutral against “communications shutdown”.
Stack Corruption The attacker tries to introduce sequences of commands that corrupt network interface memory so that it cannot be overridden by the device. Effective against “communications shutdown”, useless against “port redirection”, neutral against “restore user table”.
Crack Worm The attacker tries to create an invalid user on the system, which may prevent the complete restoration of the user table and keep you logged in. Effective against “restore user table”, useless against “communications shutdown”, neutral against “port redirection”.

After both sides have chosen their options, the attacker performs a hack test and the defender performs a programming test. This test has modifiers according to the chosen options:

Stack Corruption Crack Worm DDOS
Communications Shutdown Invader at +3 Invader at -3 No modifiers.
Restore User Table No modifiers. Invader at -3 Invader at +3
Port Redirection Invader at -3 No modifiers. Invader at +3

If the defender wins this contest, they manage to successfully expel the invader before the invader discovers any vulnerabilities.

If the invader wins the contest, they discover 1 system vulnerability for every 3 points by which they won the contest, plus 1.

In case the hacked system did not notice the scan, and therefore this dispute did not happen, the invader simply discovers 1 vulnerability for every 3 success points in their hacking test.

Repeated Attempts[]

If an attacker is expelled from the system, they can attempt a new attack immediately afterwards. However, each repeated attempt suffers a cumulative penalty of -2. These penalties never decay: they remain constant as long as the target system is not hacked with “Privileged” access.

Vulnerabilities and Intrusions[]

Each discovered system vulnerability allows an attacker to gain better access to a system only once. After an attacker gains some level of access to a system, they will only lose that access if the system notices the intrusion.

Access levels must be acquired sequentially. An attacker always starts with "Denied" access. They should use one known vulnerability to gain "guest" access, another to gain "user" access, then another for "privileged" access, and one more for "administrator" access. For each used vulnerability, they must perform a hacking test with a penalty equal to the system complexity, plus a cumulative penalty of -2 per level. These penalties are absolute, so, for example, an attacker with privileged access who wants to use a known vulnerability to become an administrator suffers a penalty of -8 plus system complexity.

If the number of known vulnerabilities are not enough for the desired level of access, the attacker may re-scan the system for vulnerabilities.

If the test to acquire a certain level of access fails, the used vulnerability is lost and the system becomes aware of the attacker's presence. It can, then, try to kick them out with another contest identical to the contest to prevent a scan.


Systems often have complete layers of protection that serve as intermediaries between the outside world and the system itself. These are called "firewalls".

When an attacker successfully breaks into a system behind a firewall, they actually breaks into the firewall. Once a firewall has been breached, an attacker with “user” access immediately realizes that they are at a firewall. To get past the firewall barrier, they must acquire “privileged” access to the firewall, and then initiate a new process of invasion into the system that exists beyond the firewall.

With privileged access to a firewall, if the attacker so desires, they can order the firewall to restart. This immediately ejects them from the system, but has the effect of canceling all system communications with the outside world for a while. A firewall restart lasts for 15 seconds per level of complexity.

Some systems may be behind more than one firewall.

Creating your own defenses[]

Every computer system, whether it exists in nanobots, in the synthetic brain of an android, in an equipment or inside a cybernetic implant, is built with a specific complexity.

In the case of androids, the complexity of their digital brain is usually half their IQ.

Typically, a device with complexity X can run 2 programs of X complexity, or 20 programs of X-1 complexity, or 200 programs of X-2 complexity, etc.

Hacking-relevant programs that can be installed:[]

Firewall: The entire firewall is an program with complexity X that also serves as a container for 2 X-1 complexity programs. When creating more than one firewall, the character determines how they are arranged (in series, or in parallel), and which systems they protect.

Guardian: A program that has the "Computer Programming" skill level equal to its complexity +6, and can autonomously defend itself against intrusions. If the same system is protected by more than one guardian, all guardians can react in a coordinated way to the attack. Each performs their "programming" tests, and the best result is what counts. If 3 or more guardians exist on a system, they can counter-attack a scan with all 3 defenses simultaneously.

Memory Encryption: A real-time memory scrambler that grants a fixed penalty to all vulnerability scan attempts by an attacker. The penalty is equal to half the complexity of the program rounded up (which adds to the complexity of the system that contains it).

Logic Drill: A kind of program that helps in hacking attempts by granting a bonus equal to half its complexity to one of these activities:

  • Scan
  • DDOS
  • Stack Corruption
  • Crack Worm
  • Invasion

A character can create one of these programs themselves if they have the "Computer Programming" skill at level 10 + the complexity of the created program. No test is needed. The program takes 1 week (at 8 hours a day, 6 days a week) per point of complexity to make, but several programmers can team up to create these programs and divide the time among them. In the end, the program can be easily copied and distributed among them.

Creating these programs requires the use of an extra program, called an “IDE” (Integrated Development Environment) with complexity equal to the complexity of the program being made -2.

Detecting an Intruder[]

Any attack made by an intruder can trigger a detection by the system. Whenever an intruder performs one of the attacks listed below, the hacked system is allowed a “Computer Programming” test to detect it. This is a simple test, but attackers may deliberately cause a penalty to this detection by taking on a penalty on their hacking test.

If the detection test is successful, the system can attempt to expel the intruder by initiating a countermeasure that can be defended by the attacker, just as in the case of a vulnerability scan.

If the system countermeasure is successful, the attacker is kicked out and all their accesses are revoked. The vulnerabilities they knew about become invalid.

If the countermeasure is not successful, the attacker managed to hide from the system and the system lost its trail. The initial attack attempt could not be completed, but they can try again (at a cumulative -2).


When attackers gains some kind of access to the system, they are able to launch attacks on it. Each attack below requires a specific permission access.

Every attack performed by an attacker can alert the system to the presence of an intruder. The attacker can take on an arbitrary penalty on their hacking roll to try and hide the attack. The system takes a penalty on its detection roll equal to the penalty taken on by the intruder.

System slowdown[]

Requires guest access

The attacker is able to cause system slowdowns focused on the execution of a specific program, or the entire system.

The exact details of the effects of this slowdown are up to the GM.

In case the slowing system which coordinates an actual advantage, the advantage takes more time to be activated. For every 2 points of success by the attacker, the time needed to use the advantage is increased in 1 second. Instant advantages now require 1 second of concentration for the first degree of slowness.

This slowdown lasts as long as the attacker wishes, or until they are kicked out, or until the system restarts.

This attack receives a +2 bonus for each attacker's access level higher than "guest"

Database crack[]

Requires user access

Often, when attackers enters a system, they are after a specific information. This information is stored in a database that needs to be cracked. With a hacking test, the attacker can access the system's database and acquire the desired information.

The test has a penalty equal to the complexity of the program that runs the database. This complexity is almost always 4.

This attack receives a +2 bonus for each attacker's access level greater than "user"

General instability[]

Requires user access

A more advanced form of “system slowdown,” this attack causes widespread instability that not only slows down the system, but can interfere with the programs it runs.

The exact details of the effects of this instability are left to the GM.

If the unstable system is managing an actual advantage, the advantage becomes weaker than normal. For every 2 points of success the attacker's test, the maximum level of the advantage used drops by 1 (up to at minimum level 1). If the advantage requires a test to be used, the attacker can direct part of their margin of successes to impose a penalty on the test to use the advantage. They can also cause the system to run slower as in “system slowdown”.

This instability lasts as long as the attacker wishes, or until they are kicked out, or until the system is restarted.

This attack receives a +2 bonus for each attacker's access level greater than "user"

Create vulnerability[]

Requires privileged access

An attacker could create vulnerabilities in the system that could later be used by themselves or another attacker to gain access.

The attacker makes a hacking roll at -5, with an additional penalty equal to the complexity of the system. On a success, they create a vulnerability, and one more for every 5 points of success.

System restart[]

Requires privileged access

The attacker could force a system-wide restart. This causes them to be immediately expelled from the system, but it also makes the system unavailable for 1 minute per point of complexity of the system while it restarts. The attacker can only try to invade the system again after a complete restart.

This requires a hacking roll at -3.

Logical corruption[]

Requires administrator access

The attacker manages to permanently corrupt system memory, making it unusable. A corrupted system must be completely reset before it can be reused. This entails either a complete backup restore or maybe it has to be re-programmed in its entirety.

This requires a hacking test with a penalty equal to the complexity of the system.

Physical overheating[]

Requires administrator access

The attacker could cause the system to overheat and cause a serious physical malfunction. This required the very physical equipment to be rendered useless.

If this attack is made on a system within someone else (such as a cybernetic implant or an android), every 2 points of success in the hacking test cause 1d points of burning damage which bypass DR.

This requires a hacking test has a penalty equal to the complexity of the system -3.

Install rootkit[]

Requires administrator access

The attacker is able to install a permanent access that allows them to later return into the system, even if they are discovered by the system.

When installing a rootkit, the attacker performs a hacking test. The system is entitled to a detection test as normal, but even if it does detect expel the attacker, it needs to perform a second detection test to find the rootkit. This second test has a penalty equal to twice the attacker's margin of success when installing the rootkit.