Riot Requires Kernel Level Anti-Cheat Software

League of Legends and Valorant Players Being Forced to Run Closed Source Low-Level Software.

2024-01-30 / First Published 2024-01-19
Riot is continuing to push their Vanguard anti-cheat software, now requiring League of Legends players to install software which runs upon booting your computer even when you are not playing their games. Do we really want to make running closed-source kernel level software the new norm in online gaming?

When games become more and more competitive and large sums of money can be won in e-sports arenas, cheating isn't slow to follow. Riot Games, the company behind League of Legends and Valorant, has introduced an anti-cheat software known as Vanguard. This practice isn't new to the online gaming space, but Vanguard has drawn criticism from gamers and privacy enthusiasts alike. Vanguard runs at the operating system kernel level, which places it between the applications running on your system and the physical hardware. If that wasn't enough to raise an eyebrow, once installed the software is always on, regardless of whether you are playing one of Riot's online games or not. This level of complete system access, combined with the acquisition of Riot Games by Tencent, the Chinese tech giant behind WeChat and QQ, has raised some alarms. Today we are going to look deeper into how Riot's anti-cheat software works and what the company's relationship with Tencent means for players.

Vanguard

The Vanguard software was first introduced when Riot released the first-person shooter in June of 2020. It was quick to draw criticism from the more security-conscious gamers because it runs at a much deeper level than other applications which may be installed on a user's PC. Vanguard runs at a system layer known as the kernel. Your operating system kernel is the middle man sitting between your software applications and the hardware components which make up your computer. Whatever is running at the kernel level has nearly unrestricted access to anything happening on your device, which is why this level of access is the goal of malicious actors trying to write kernel-mode rootkits. Notoriously difficult to remove, kernel-level rootkits can evade anti-virus software by altering the operating system or the AV itself.

Sony BMG secretly installed DRM-protecting rootkit software on the devices of users, and it logged listening information even if users rejected the end-user licensing agreement. Riot is trying desperately to avoid this comparison and has issued multiple statements on their website, taking as transparent an approach as possible. Vanguard was released closed source in order to prevent cheat developers from having direct access to the source code, but unfortunately this also denies us a glimpse into what exactly we are granting device-wide access to.

What is it and how does it work?

Vanguard "consists of a client that runs while VALORANT is active, as well as the usage of a kernel mode driver." The Vanguard client launches as soon as your PC is turned on and continues to run in the background. It scans for known cheats which would grant an unfair in-game advantage, and it also checks for system vulnerabilities which can be exploited by cheat software. You can disable the Vanguard client, but you will then not be able to play Valorant or League of Legends without first restarting your machine.

Vanguard runs in two ways. First, it launches a kernel-mode driver as soon as you turn on your PC. This driver scans for known vulnerabilities in other drivers and blocks any which can be used to evade their in-game anti-cheat client. Second, the anti-cheat client runs while you are playing and checks to see if any known cheats are being used. If the kernel-mode driver does not launch when you boot your machine, or if you have disabled it prior to starting a game, Riot's servers will not trust your device and you will not be able to play until you restart your machine and allow both pieces of their anti-cheat software to run as designed. Upon booting, the Vanguard client will display in your notification tray so you always know when it is running.
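To see for yourself which third-party kernel-mode drivers start with your machine, as described above, you can audit them with PowerShell. This is an added example, not code from Riot or from the original article; it deliberately assumes no Vanguard-specific driver or service names, since the article does not give them, and the function names are made up for illustration.

```powershell
# Added example: list kernel-mode drivers that start without user action
# and show who signed each one. Function names here are illustrative.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                              # strip NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')   # expand "\SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # relative form
    return $p
}

function Get-EarlyKernelDriver {
    # Boot/System/Auto start modes all load the driver without the user launching anything.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.ServiceType -eq 'Kernel Driver' -and
                       $_.StartMode -in 'Boot', 'System', 'Auto' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                        Get-AuthenticodeSignature -LiteralPath $path
                    }
            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                State     = $_.State
                Signer    = if ($sig -and $sig.SignerCertificate) {
                                $sig.SignerCertificate.Subject
                            } else { 'unknown' }
                SigStatus = if ($sig) { $sig.Status } else { 'file not found' }
                Path      = $path
            }
        }
}

# Hide Microsoft-signed drivers so that third-party kernel code stands out.
Get-EarlyKernelDriver |
    Where-Object { $_.Signer -notmatch 'O=Microsoft Corporation' } |
    Sort-Object StartMode, Name |
    Format-Table -AutoSize
```

Any row whose State is Running is kernel code active on your system right now, whether or not the application that installed it is open.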

Because Vanguard runs at the kernel level, it can identify the specific hardware of your device and use this ID to better block your device from accessing their games should you be caught running any cheating software. It must be said that the Vanguard anti-cheat system has been extremely successful in cutting down on the amount of cheating within both Valorant and League of Legends.

Taking the Low Road.

According to Riot, running their anti-cheat software at the kernel level is necessary in order to have a chance at combating the use of cheating software.

Visualization of relationship between OS layers.

In defending their choice to deploy Vanguard at this level Riot raises the following main points:

  1. Cheat software developers are already releasing cheats that operate at this level. If Riot wants to combat them, it has to do so at the kernel level.
  2. Lots of other companies are already using similar software to prevent cheating.
  3. "This isn’t giving us any surveillance capability we didn’t already have." Riot claims that if they wanted to steal data (their example being a secret recipe), they could already do so in user mode.

This defense is less than reassuring. Sure, they are correct with their first point, but the other two are not going to put the skeptical-minded gamer at ease. It doesn't matter if other companies are deploying kernel-level software without disclosing their code; the practice itself should raise concern and we should not idly accept this as the new normal.

Their third point is particularly concerning and warrants wider discussion. There is a huge difference in privilege between user mode and kernel mode. Sure, both modes can access the unencrypted files and pictures on your hard drive, but kernel access gives a degree of control over the entire device, hardware and software included, that user mode does not.

Is Riot Trustworthy?

Users on various gaming forums scattered throughout the web reported concerns that this software might slow down their PC or cause issues with their hardware. Currently, any reports or claims of errors or issues are anecdotal and Riot has not confirmed any compatibility issues. Riot is also releasing regular patches to make sure that there are little to no errors for users running their anti-cheat. If you encounter any issues with your device or games after installing Vanguard, make sure that you contact the Vanguard support team.

Beyond these concerns, it is important to look at the company itself. Should we trust Riot? They have often been the butt of jokes about code quality, and their security practices have come into question as well following breach events that saw the leak of League of Legends source code. Riot themselves issued a warning regarding a rise in new cheats being used in their games following this incident.

Regardless of this reputation, the question of trust gets even more tricky when we look at who owns their company. Tencent.

Tencent

The Chinese tech giant Tencent took full ownership of Riot Games in 2011. This ownership role adds an interesting level of concern when evaluating whether you want to run kernel-level software on your devices without being able to review the code for yourself. Hear me out, I don't want to go full tin-foil hat, but this is granting complete device access to the company behind WeChat and QQ, which plays an active role in the operation of the social credit scores in mainland China. Concerned players have raised fears that should a zero-day vulnerability be found and not disclosed to Riot through their bug bounty program, it could pose a major threat to those running their software. Theoretically this could allow a malicious actor with a zero-day the possibility of bricking devices which have Vanguard installed. It is worth considering the risks of allowing software which could fall into the hands of an authoritarian government to have near complete access to your device and data.

We know that Tencent's Weixin (the Chinese version of WeChat) has major censorship and surveillance functions in place. This sparks the fear that Vanguard has the potential to fall victim to similar invasive measures. This is speculation, but if you scroll through any of the comment sections beneath articles discussing Vanguard and its inclusion in League of Legends this concern is frequently mentioned. Tencent's ownership of Riot also raises questions regarding restrictions on free speech within in-game chat. Riot has already taken steps to try and limit chat toxicity, but critics claim that this "zero tolerance" wordlist has been pushed to an extreme.

Ultimately the decision to run this software rests with players. If League of Legends is worth handing potential total control of your device over to the company behind WeChat, that is your decision. However, it should be very clear to all players what exactly this software is, what it has access to, and who is behind it. If you are not willing to run this software, there are other games to play.

A sly Ars Technica reader hit the nail on the head when they asked "do I really need to trust going under with your most powerful and dangerous anesthetic for a video game splinter removal?"