How dangerous is Riot's anti-cheating software in «Valorant» really?
Background informationGaming

How dangerous is Riot's anti-cheating software in «Valorant» really?

Philipp Rüegg
Zurich, on 24.04.2020
Translation: Patrik Stainbrook

Developer Riot has implemented a new anti-cheat software in its tactical shooter «Valorant». It remains active even when the game isn't running. As Riot is owned by a Chinese corporation as well, some players have security and privacy concerns. An expert puts things into perspective.

Cheaters are a pain. Particularly serious in competitive games such as «Counter-Strike GO» or Riot's new online shooter «Valorant». If a game wants to have a chance at becoming an e-sport, it must ensure that its participants do not cheat. As this is one of Riot's main goals when it comes to «Valorant», the company has put a strong focus on its own anti-cheating software called Vanguard. And it's already hitting the headlines. Not thanks to its efficiency in finding cheaters, but because of their access rights to your system. It requires a restart to be implemented and even runs in the background when «Valorant» isn't open. And Riot, the company behind «League of Legends», was bought up by Chinese megacorporation Tencent almost ten years ago. As a result, many gamers are worried about their privacy and the security of their PC.

I asked IT security expert Tobias Ospelt whether these concerns were justified. His company Pentagrid provides security consulting and analysis for companies. Tobias is also a lecturer for information security at the University of Applied Sciences ZHAW in Winterthur. We also know each other privately.

What can you say about Riot's anti-cheat software? What's so different about it, and why are gamers upset?
Tobias Ospelt, IT security analyst: Riot's anti-cheat software Vanguard gets higher privileges by means of a Windows kernel module that is loaded at computer start-up and without which the game will not run. I think Vanguard is more visible to gamers than other anti-cheats that operate in the background because of the forced computer restart after installation. In addition, there are some unpleasant reports that make me wonder if these are only problems of the first version. For example, Vanguard didn't uninstall itself when you uninstalled the game, or the anti-cheat mechanism started because someone connected their smartphone to the computer. Maybe cheaters are also heating up the discussion.

Tobias Ospelt is an IT security analyst at Pentagrid.
Tobias Ospelt is an IT security analyst at Pentagrid.

In what ways can the software affect your system?
With a kernel module, many possibilities are open. For example, you can try to find out if the kernel has been tampered with or if it tries to hack any attached hardware. Whereby the task of this kernel module is rather to observe than to influence. The question remains for what purposes these possibilities are used by Vanguard.

Is the PC more vulnerable?
The so-called attack surface increases with additional software. There can be exploitable security holes in any software. In this case, the effect of an attack would be more critical due to the higher privileged kernel module. The situation is very similar to antivirus programs. In 2016, for example, Symantec's Norton Antivirus had a serious security vulnerability, which also affected the kernel. Because of such events, antivirus solutions are controversial, the same goes for anti-cheating software. Riot asserts that their concern is to increase security. They also reward people who find a security hole in the module – with a Bug Bounty of 100,000 US dollars. With this high finder's reward for security problems, Riot is suggesting a certain basic trust in the security of their own solution.

Can you tell me about any comparable software?
In addition to the antivirus example, virtualization solutions such as Virtualbox, VMWare or special software for hardware use kernel rights. Even Easy Anti-Cheat, used in «Fortnite», «Rust» or «War Thunder» works according to this principle, as does BattleEye, which is used in «Rainbow Six Siege», «Escape From Tarkov» and «PUBG», among others.

The anti-cheat in «Fortnite» also relies on kernel technology.
The anti-cheat in «Fortnite» also relies on kernel technology.

Some cheaters have already been banned, do the extra privileges even mean anything?
Cheating with the kernel or external hardware is usually more complex and time consuming than writing a traditional cheat code. But with Vanguard, Riot is now trying to fight these cheaters. As a result, the entry barriers for manufacturers and users of cheats continue to rise. However, no anti-cheat will be perfect. In the end, it's a cat-and-mouse game between cheaters and anti-cheats. It seems to be about reducing the mass of cheaters by making cheating more difficult and thus more expensive. In the long run, there will be cheaters that bypass this system as well. I think for Riot, such a solution is satisfying as long as many cheaters give up. Only Riot knows how effective the measures actually are.

Can Riot read your private files with Vanguard?
Yes, but they could even do this without a kernel module. Any software you install on Windows, you also indirectly grant read rights to your documents.

Do you think it's fair for anti-cheat software to demand such rights?
This is difficult for me to judge, as I can't tell how big the problem of kernel cheaters is and if the end justifies the means. I like to play online without cheaters, and I think Riot wouldn't have taken this step if they weren't desperate to fight cheaters. I remember this was a problem with «PUBG». Since I only switch on my gaming computer for gaming and don't store any other data there, the benefit of such anti-cheat software is personally higher for me than the potential security risk. But I also understand if not everyone sees it this way. Especially if users don't use separate systems for games and computer work. I hope that there will be detailed independent analyses of the kernel module that will provide more transparency, allowing a more informed decision to use or reject it.

First cheaters have already been blocked.
First cheaters have already been blocked.

The fact that there's no such thing as 100 percent certainty also becomes evident from current cases at Valve. It was announced this week that the source code for «Counter-Strike GO» and «Team Fortress 2» was leaked. Valve itself claims that there's no risk. What do you think of this?
According to Valve, this is an older code from 2017 or 2018. A third party leaked it, they probably got the code for modding or something similar. I suspect there was a security hole, in this code that made it relatively easy for malware to enter. The question is whether there are still bugs in the code that haven't been patched. Some players now fear that cheating has become even easier. This is quite possible, as this insight gives you a better idea of how the code is structured. But in the end, code remains code. Programmers are under stress. They're also only human and humans make mistakes. Code is a very complex thing, something like this can happen.

«Counter-Strike GO» has also raised security concerns.
«Counter-Strike GO» has also raised security concerns.

What do you think of the espionage concerns that players are voicing regarding Riot?
Basically, we're talking about a Chinese company which primarily wants to make money, I suppose. But just as with Americans, when the NSA comes knocking, Riot will follow suit when the Party is at their door. If data is transferred to China, you can be sure that it will be evaluated. If you have concerns, you should generally not install the game. Kernel rights play a minor role when you install their software to your PC.

So just because of Vanguard, you wouldn't advise against installing «Valorant»?
I think it's important to discuss this approach. But relevance is still individual. Data such as Word documents or stored passwords in browsers on the same system would in principle be vulnerable to attack by any installed software — even without a kernel module. Private files could also be uncovered without a kernel module. The kernel module is just one step further. The question remains which attack scenarios are most probable for the user. I think many people should first ask themselves the question of how to protect themselves at the moment. For example, by not storing confidential data on your gaming computer, but on a better secured separate work computer. In the end, it's a question of trust, since the complexity of installed software is difficult for users to grasp.

71 people like this article


User Avatar
User Avatar

Being the game and gadget geek that I am, working at digitec and Galaxus makes me feel like a kid in a candy shop – but it does take its toll on my wallet. I enjoy tinkering with my PC in Tim Taylor fashion and talking about games on my podcast http://www.onemorelevel.ch. To satisfy my need for speed, I get on my full suspension mountain bike and set out to find some nice trails. My thirst for culture is quenched by deep conversations over a couple of cold ones at the mostly frustrating games of FC Winterthur. 


Gaming
Follow topics and stay updated on your areas of interest

These articles might also interest you

  • Skeleton Loader

    Skeleton Loader

  • Skeleton Loader

    Skeleton Loader

  • Skeleton Loader

    Skeleton Loader