Riot Games’ New Anti-Cheat System Runs at System Boot, Uses Kernel Driver
Cheating is a scourge in multiplayer games. A single cheating player can ruin the fun of 10-20 other people in a competitive match, and while teams of pro gamers have repeatedly demonstrated they can smash cheaters in live play, most ordinary mortals don’t have much of a chance. Riot Games has every reason to work to keep cheaters out of Valorant, its new multiplayer team shooter, but how the company is doing it has raised security concerns.
While the user-mode anti-cheat client only launches alongside Valorant, there is also a kernel-mode anti-cheat driver that loads as soon as Windows boots, before the game is ever started. According to Riot, this is required because some cheats load their own kernel-mode drivers, and code running in the kernel can defeat any detection that runs only in user space. In a blog post earlier this year, Riot wrote:
In the last few years, cheat developers have started to leverage vulnerabilities or corrupt Windows’ signing verification to run their applications (or portions of them) at the kernel level. The problem here arises from the fact that code executing in kernel-mode can hook the very system calls we would rely on to retrieve our data, modifying the results to appear legitimate in a way we might have difficulty detecting. We’ve even seen specialized hardware utilizing DMA to read and process system memory—a vector that, done perfectly, could be undetectable from user-mode.
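The article's two technical points are that the driver is registered to start at boot and that cheat developers abuse or bypass driver signing. Both are things you can audit on your own machine. The following PowerShell is an added example written for this page, not code from the article or from Riot: it lists every kernel driver Windows loads at boot or system start, resolves the driver file and reports its Authenticode signer. The function name `Get-BootStartDriverReport` is this example's own, and it assumes an elevated session on Windows 10 or later with PowerShell 5.1 or newer.

```powershell
# Added example (not from the article or from Riot): enumerate boot-start and
# system-start kernel drivers and show who signed each one. Any anti-cheat driver
# that loads at boot, as the article describes, will appear with StartMode "Boot".
# Run from an elevated PowerShell 5.1+ session.

function Get-BootStartDriverReport {
    [CmdletBinding()]
    param(
        # "Boot" drivers are loaded by the boot loader before the kernel finishes
        # initializing; "System" drivers load immediately afterwards. Both run in ring 0.
        [string[]]$StartModes = @('Boot', 'System')
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.StartMode -in $StartModes } |
        ForEach-Object {
            $drv  = $_
            $path = $drv.PathName

            # PathName is reported in several forms: "\??\C:\...", "\SystemRoot\...",
            # "system32\drivers\x.sys" or an ordinary full path. Normalize to a real path.
            if ($path) {
                if ($path -match '^\\\?\?\\')       { $path = $path.Substring(4) }
                if ($path -match '^\\SystemRoot\\') { $path = Join-Path $env:SystemRoot $path.Substring(12) }
                elseif ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
            }

            $signer    = 'N/A'
            $sigStatus = 'FileMissing'
            if ($path -and (Test-Path -LiteralPath $path)) {
                # Status is Valid / NotSigned / HashMismatch / UnknownError etc.
                $sig       = Get-AuthenticodeSignature -FilePath $path
                $sigStatus = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [pscustomobject]@{
                Name      = $drv.Name
                StartMode = $drv.StartMode
                State     = $drv.State
                Path      = $path
                SigStatus = $sigStatus
                Signer    = $signer
            }
        }
}

# Hide inbox Windows drivers (signed "CN=Microsoft Windows, ...") so that what remains is
# the third-party ring-0 code you are trusting: storage, AV, anti-cheat and so on.
# Do NOT filter on the word "Microsoft" alone: WHQL-signed third-party drivers carry the
# subject "CN=Microsoft Windows Hardware Compatibility Publisher" and would be hidden.
Get-BootStartDriverReport |
    Where-Object { $_.Signer -notmatch '^CN=Microsoft Windows,' } |
    Sort-Object StartMode, Name |
    Format-Table -AutoSize Name, StartMode, State, SigStatus, Signer
```

Two caveats when reading the output. Many inbox Microsoft drivers are catalog-signed rather than carrying an embedded signature; recent PowerShell builds resolve catalog signatures, but on older ones they can show as `NotSigned`, which is why the report keeps the raw status rather than collapsing it into a yes/no. And a `Valid` signature only tells you the file has not been tampered with since the vendor signed it; it says nothing about whether the driver contains exploitable bugs, which is exactly the concern the rest of the article discusses.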
Longtime tech enthusiasts are likely to get twitchy any time the phrase “kernel-mode driver” is uttered, and for good reason. The Sony rootkit fiasco of 2005 was a security disaster in which Sony BMG’s XCP copy-protection software silently installed an actual rootkit on users’ PCs; the same cloaking mechanism was later exploited by unrelated malware to hide itself.
Riot is aware that people are concerned about the security implications of this practice, but it argues the following (in condensed form):
- If we wanted to steal data off your computer we could do it in a much easier way.
- Cheaters are using cheats that rely on kernel-level drivers, so we need kernel-level anticheat software.
- Riot’s anti-cheat team can’t spend as much time on this problem with multiple games to support.
- Other anti-cheat services like EasyAntiCheat, Battleye and XignCode 3 use an anti-cheat kernel driver already.
- It’s for your own good.
The company has affirmed that it does not send data back from individual PCs at any time other than when the game is running, and that it limits the driver’s activities to cheat detection and nothing else. Security experts are divided on whether the design is acceptable. Some hold that it is a fundamentally bad idea because any additional code running in the kernel intrinsically increases the attack surface of the operating system: a bug in a kernel driver is a bug in ring 0, and vendor drivers with exploitable flaws are a well-established route to local privilege escalation. Riot, for its part, has emphasized its ability to respond quickly and says it has consulted multiple outside security firms and had the code audited. Audits lower the odds of a bug shipping, but no audit can prove a kernel driver free of them.
The bottom line is that Riot is right that other anti-cheat systems also use kernel-mode drivers, but people still may not be comfortable granting that kind of access to any company. Malware and scam offers have surged during the pandemic, and it wouldn’t be surprising to see black hats looking for new attack vectors to exploit.
Riot does not currently use this system in League of Legends but has explicitly stated it will do so at some point in the future. If you find the concept objectionable, it might be best to plan to move to a different game.