Riot Requires Kernel Level Anti-Cheat Software

League of Legends and Valorant Players Being Forced to Run Closed Source Low-Level Software.

Closed Beta Key Art

Riot is continuing to push their Vanguard anti-cheat software, now requiring League of Legends players to install software which runs upon booting your computer even when you are not playing their games. Do we really want to make running closed-source kernel level software the new norm in online gaming?


Table of Contents:

  1. Vanguard: Riot’s Anti-Cheat Solution
  2. Vanguard: What is it and how does it work?
  3. Kernel level access gives near total device control
  4. Who can we trust?
  5. Who is Tencent?

When games become more and more competitive, when large sums of money can be won in e-sports arenas cheating isn’t slow to follow. Riot Games, the company behind League of Legends (LoL) and Valorant has introduced an anti-cheat software known as Vanguard. This practice isn’t new to the online gaming space, but Vanguard has drawn criticism from gamers and privacy enthusiasts alike.Vanguard runs at the operating system kernel level, which places it between the applications running on your system and the physical hardware. If that wasn’t enough to raise an eyebrow, once installedthe software is always on regardless of if you are playing one of Riot’s online games or not. This level of complete system access combined with the acquisition of Riot Games by the Chinese tech giant behind WeChat and QQ, Tencent has raised some alarms. Today we are going to look deeper into how Riot’s anti-cheat software works and what the company’s relationship with Tencent means for players who are concerned about their privacy and security.

Vanguard: Riot’s Anti-Cheat Solution

The Vanguard software was first introduced when Riot released the first-person-shooter in June of 2020. The Vanguard software was quick to draw criticism from researchers and more security conscious gamers due to running at a much deeper level than other applications which may be installed on a user’s pc.Vanguard runs at a low system layer known as the kernel. Your operating system kernel is the middle man working between your software applications and the hardware components which make up your computer. Whatever is running at the kernel level has nearly unrestricted access to anything happening on your device, this is the goal of malicious actors trying to write kernel-mode rootkits. Notoriously difficult to remove, kernel-level rootkits can evade anti-virus software by altering the operating system or AV itself. It is worth asking why does league of legends require this kind of access for its anti-cheating software? Is this overkill or a common digital rights management (DRM) practice?

Sony BMG secretly installed DRM-protecting rootkit software on the devices of users and it logged listening information even if users rejected the end-user licensing agreement. Riot is trying desperately to avoid this comparison and has issued multiple statements on their website and taking as transparent an approach as possible. Vanguard was released closed source in order to prevent cheat developers from having direct access to the source code, but unfortunately this also denies us a glimpse into what exactly we are granting device-wide access.

Anti-Cheat Software: What is it and how does it work?

Vanguard “consists of a client that runs while VALORANT is active, as well as the usage of a kernel mode driver.” The Vanguard client launches as soon as your pc is turned on and will continue to run in the background scanning to make sure that it does not detect any known cheats which would grant an unfair in-game advantage while also checking for system vulnerabilities which can be exploited by cheat software. You can disable the Vanguard client, but you will then not be able to play Valorant or LoL without first restarting your machine.

Vanguard runs in two ways, first it launches a kernel-mode driver as soon as you turn on your pc. This driver scans for known vulnerabilities in other drivers and blocks any which can be used to evade their in-game anti-cheat client. The anti-cheat client runs while you are playing and checks to see if any known cheats are being used. If the kernel-mode driver does not launch when you boot your machine or if you have disabled it prior to starting a game, Riot’s servers will not trust your device and you will not be able to play until you restart your machine and allow both pieces of their anti-cheat software to run as designed. Upon booting the Vanguard client will display in your notification tray so you always know when it is running.

Vanguard must be launched when the machine first boots otherwise you won't be playing any games without a restart.

If Vanguard doesn’t launch from the point of booting the machine a restart is required before playing any games.

By utilizing this low-level anti-cheat software, Riot is able to detect and prevent cheating at the end user’s device which runs the illicit software before it reaches their servers. This is an efficient way of combating hacks and cheat programs which give one player an advantage over another, like auto-aiming. This allows it to quite effectively prevent hackers from completely dominating games with unfair tactics and scripts which ensure that they can win.

Because the Vanguard anti-cheat runs at the kernel level, it can identify the specific hardware of your device and use this ID to better block your device from accessing their games should you be caught running any cheating software. It must be said that the Vanguard anti-cheat system has been extremely successful in cutting down on the amount of cheating within both Valorant and League of Legends, which leads to a more pleasant gaming experience for those of us who are not employing game-breaking cheat software.

By Running at the Kernel Layer Riot is Taking the Low Road.

According to Riot, running their anti-cheat software at the kernel level is necessary in order to have a chance in combating the use of cheating software.

A visualization of relationship between OS and Kernel layers. Does Riot’s Vanguard need to run at kernel level? Is it possible to keep games fair and prevent cheating without compromising security? If you ask me, this is a step too far.

In defending their choice to deploy Vanguard at this level Riot raises the following main points:

  1. Cheat software developers are already releasing cheats that operate at this level. If Riot wants to combat them, it has to do so at the kernel level.
  2. Lots of other companies are already using similar software to prevent cheating.
  3. **“This isn’t giving us any surveillance capability we didn’t already have.” ** Claiming that if they wanted to steal data, their example being a secret recipe, then they could already do so in user mode.

This defense is less than reassuring. Sure, they are correct with their first point, but the other two are not going to bring any ease to the skeptical minded gamer. It doesn’t matter if other companies are deploying kernel-level software without disclosing their code, the practice itself should raise concern and we should not idly accept this as the new normal.

Their third point is particularly concerning and warrants wider discussion. There is a huge difference in the privilege between user-mode and kernel-mode. Sure both modes can access the unencrypted files and pictures on your hard drive, but kernel access gives a degree of control of the entire device, hardware and software included, that user-mode does not.

Vanguard’s always-on approach to anti-cheat software makes them unique.

Riot is not the only company employing kernel level anti-cheating software. There are other players in the anti-cheat space and two other popular software packages that run at the kernel level are Easy Anti-Cheat and BattlEye. Similar to Vanguard, these programs run at the lowest layer on players’ machines, but there is a major difference between the operating times of these alternatives. Unlike Riot’s solution to cheating, Epic’s Easy Anti-Cheat and BattlEye only run while the player is playing and do not require this “always-on” status. Not only does this leave players feeling less “watched” by the creepy possibility of persistent kernel access, but it also provides a degree of protection. Should Vanguard be compromised, all machines using it which are powered on have the potential to be hit by exploits simply because the software is always running. Players using the solution from Epic, may find themselves not exposed to attack if their software is not running while they do other things on their machines.

Always on doesn’t mean always secure.

Is Riot Trustworthy?

Users on various gaming forums scattered throughout the web reported concerns that this software might slowdown their PC or cause issues with their hardware. Currently, any reports or claims that errors or issues arising are anecdotal and Riot has not confirmed any compatibility issues. Riot is also releasing regular patches to make sure that there are little to no errors for users running their anti-cheat. If you encountering any issues with your device or games after installing Vanguard, make sure that you contact the Vanguard support team.

Vanguard warning notification example from Riot Customer Support site.

Examples like this raise concerns that the AI powered software might just pose a security threat.

Sure, Valorant and LoL’s usage of Vanguard software has led to a decrease in cheating, but does this mean that we should accept that kernel level, always on, AI powered anti-cheat scanning should become the default solution for companies looking to crack down on malicious actors? Should we be worried that the success of the Vanguard software will inspire developers from around the world to demand kernel level access for their software?

Anti-Cheating success doesn’t ensure confidence

Beyond these concerns it is important to look at the company itself. Should we trust Riot? They have often been the butt of jokes about code quality and their security practices have come into question as well following breach events that saw the leak of League of Legends sourcecode. Riot themselves issued a warning regarding a rise in new cheats being used in their games following this incident. This track record doesn’t inspire a great deal of confidence and players are right to be concerned about allowing the LoL anti-cheat software free reign on their machines.

Regardless of this reputation, the question of trust gets even more tricky when we look at who owns their company. Tencent.

Tencent: the questionable parent company

The Chinese tech giant Tencent took full ownership of Riot Games in 2011. This ownership role ads an interesting level of concern when evaluating if you want to run kernel level software on your devices without being able to review the code for yourself. Hear me out, I don’t want to go full tin-foil hat, butthis is granting complete device access to the company behind WeChat, QQ, which plays an active role in the operation of the social credit scores in mainland China. Concerned players have raised fears that should a zero-day vulnerability be found and not disclosed to Riot through their bug bounty program, it could pose a major threat to those running their software. Theoretically this could allow a malicious actor with a zero-day the possibility of bricking devices which have Vanguard installed. It is worth considering the risks of allowing software which could fall into the hands of an authoritarian government to have near complete access to your device and data.

Anti-cheat software and weighing the risk of APTs

We know that Tencent’s Weixin (the Chinese version of WeChat) has major censorship and surveillance functions in place. This sparks the fear that Vanguard has the potential to fall victim to similar invasive measures. This is speculation, but if you scroll through any of the comment sections beneath articles discussing Vanguard and its inclusion in League of Legends this concern is frequently mentioned.Tencent’s ownership of Riot also raises questions regarding restrictions on free speech within in-game chat. Riot has already taken steps to try and limit chat toxicity, but critics claim that this “zero tolerance” wordlist has been pushed to an extreme.

Ultimately the decision to run this software rests with players. If League of Legends is worth offering potential total control over to the company behind WeChat, that is your decision. However, it should be very clear to all players what exactly this software is, what is has access to, and who is behind it. If you are not willing to run this software, there are other games to play.

A sly Ars Technica reader hit the nail on the head when they asked “do I really need to trust going under with your most powerful and dangerous anesthetic for a video game splinter removal?”