Vanguard, the controversial anti-cheat software initially attached to Valorant, is now also coming to League of Legends.

Summary:

The article discusses Riot Games’ requirement for players to install their Vanguard anti-cheat software, which runs at the kernel level, in order to play their games such as League of Legends and Valorant. The software aims to combat cheating by scanning for known vulnerabilities and blocking them, as well as monitoring for suspicious activity while the game is being played. However, the use of kernel-level software raises concerns about privacy and security, as it grants the company complete access to users’ devices.

The article highlights that Riot Games is owned by Tencent, a Chinese tech giant that has been involved in censorship and surveillance activities in China. This raises concerns that Vanguard could potentially be used for similar purposes, such as monitoring players’ activity and restricting free speech in-game.

Ultimately, the decision to install Vanguard rests with players, but the article urges caution and encourages players to consider the potential risks and implications before doing so.

  • @Breve (5 months ago, score 5)

    I find it contradictory how Riot’s own explanation contains the following two statements:

    This isn’t giving us any surveillance capability we didn’t already have.

    The problem here arises from the fact that code executing in kernel-mode can hook the very system calls we would rely on to retrieve our data, modifying the results to appear legitimate in a way we might have difficulty detecting.

    If the first statement was true (which it’s not), then they shouldn’t need any additional capabilities offered by running at the kernel level to surveil the system to detect cheats. As they admit in the second statement though, it is exactly because cheats abuse the OS security model to gain capabilities to both monitor and interfere with the game in an invisible manner that they need to get those additional capabilities to invisibly monitor and interfere with other programs too. The best they can do is a pinky promise that they won’t abuse this power, but they don’t even give us that promise and instead insist they don’t actually have that power. That’s super suspect to me.

    I hope people using cheating software understand the dire security consequences of installing and running that type of software too, especially in that it comes from very shady sources.

    • @Buddahriffic@lemmy.world (5 months ago, score 4)

      Also, it doesn’t even remove the capability of cheating. A virtual machine can hide things from the kernel. I’m not sure if there’s an existing implementation that makes it completely transparent to the guest OS that it’s running on a VM, but it’s technically possible to do that if it’s not already being done.

      A VM-based cheating system would be more complex than a kernel-mode one, but it’s just the next step in the arms race, unless there’s an even easier one I’m not aware of… I suppose hacking their anti-cheat system itself so that the games think it’s working properly might be possible depending on how it’s done, though that can be defeated by an even bigger security hole: giving it the ability to run arbitrary code from the server in kernel mode.

      Another way to cheat that might not be defeatable is to run a hacked version in parallel to a completely legit one. You use the legit one for all server communications and the hacked one to render an overlay over top of the video from the legit copy.

      IMO, the way anti-cheat should be going is behavior analysis of players. Do players behave as if they are aware of information they shouldn’t be, like the location of other players that shouldn’t be visible? Is the player less effective if the server feeds them fake invisible data about non-existent opponents? Is there a correlation between how difficult shots should be and how likely the player is to make them? Does the player’s performance drastically change from time to time, more so than someone getting into the zone or having a bad day? Does the player ever talk about cheating in the game’s text or voice chat?

      Though that’s assuming the cheating is the reason and not an excuse for this.

      • @Breve (5 months ago, score 3)

        Yup, very true. There’s even the possibility of hardware-level cheats, just like that new MSI monitor that analyzes the screen with AI. Imagine that but instead it’s a KVM-switch-like device that can “see” everything happening on the screen as well as the keyboard and mouse inputs. You could train it to recognize and track enemies in an FPS then add in some extra inputs to correct the aim every time you fire, or activate abilities in a MOBA automatically in response to enemy actions. I think this is what Gameshark might be trying to do. Short of requiring cryptographically secure input devices, the only way to detect this type of cheating would be behavioural.

        • @Buddahriffic@lemmy.world (5 months ago, score 1)

          Another commenter linked a video that goes into detail about how actual cheats are doing it (my comment was just speculation about what’s possible based on what I know about how computers work), and they are doing stuff like that. They use Raspberry Pis and/or Arduinos to analyze the screen (or a small square around the centre where the reticle is). Then they intercept clicks and when one is made, add in the corrections to centre the target and then pass on the click. In this case, the Arduino would have the mouse and USB/network for the image stream as input and it outputs as if it’s a mouse.

          And as a man in the middle, it would just make the secure connection itself and pretend it’s just a mouse (spoofing whatever IDs it needs to), so I don’t think cryptographically secure mice would make a difference unless the market is willing to accept only buying approved mice that add their public keys to some database. It would just be another front in the arms race.

          Ultimately cheaters have the advantage of having physical access to their device. The scheme we’re talking about would even work on cloud gaming platforms as it’s only using the same information that is already being displayed to the player.

          • @Buddahriffic@lemmy.world (5 months ago, score 1)

            Oh yeah, and for behaviour detection of this, it’s kinda annoying they don’t detect it because I don’t think it would be difficult to do this (either from a problem solving perspective or the amount of computational power that would be required).

            Just track the x and y deltas and their derivative over time (in this case, the derivative is just the difference between the current sample and the previous one, so no calculus required, just a subtraction per sample). Then check if they are continuous. X and y deltas are velocity, which must be continuous because the mouse is a physical object and subject to inertia. Acceleration should also be continuous because of the limitations of our muscles (though if your mouse bumps your keyboard or your hand is moving and bumps your mouse, you can see natural acceleration that isn’t continuous, but these wouldn’t directly precede a successful shot at a target).

            Then just watch for spikes in either of those. A better cheat program could smooth the spikes, but it slows down the capability of the aim bot.
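
The spike check described in the comment above, written out as an added example (it is not part of the thread and not any anti-cheat vendor's code). It assumes mouse deltas sampled at a fixed poll rate; the function names, the median + k·MAD threshold, the `lookback` window and the three traces are all constructed for illustration.

```python
from statistics import median

def diff(vecs):
    """Per-sample difference of 2-D vectors: the 'derivative' at a fixed poll rate."""
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(vecs, vecs[1:])]

def spikes(vecs, k, floor):
    """Indices whose magnitude exceeds median + k * MAD. The floor stops a very
    smooth trace from producing a near-zero limit (assumed tuning values)."""
    mags = [(x * x + y * y) ** 0.5 for x, y in vecs]
    med = median(mags)
    mad = median(abs(m - med) for m in mags)
    limit = med + k * max(mad, floor)
    return [i for i, m in enumerate(mags) if m > limit]

def spike_samples(deltas, k=8.0, floor=1.0):
    """Sample indices where velocity or acceleration jumps discontinuously."""
    accel = diff(deltas)   # change in velocity between consecutive samples
    jerk = diff(accel)     # change in acceleration between consecutive samples
    marks = {i + 1 for i in spikes(accel, k, floor)}
    marks |= {i + 2 for i in spikes(jerk, k, floor)}
    return sorted(marks)

def suspicious_shots(deltas, hit_samples, lookback=3, k=8.0, floor=1.0):
    """Hits preceded by a spike within `lookback` samples. A spike with no hit
    right after it (a bumped mouse) is ignored, as the comment suggests."""
    marks = spike_samples(deltas, k, floor)
    return [h for h in hit_samples if any(h - lookback <= s <= h for s in marks)]

# Constructed (dx, dy) traces, one tuple per poll.
HUMAN = [(0, 0), (1, 0), (2, 1), (4, 1), (6, 1), (8, 2), (9, 2), (9, 1),
         (8, 1), (6, 1), (4, 0), (2, 0), (1, 0), (0, 0), (0, 0)]
SNAP = [(0, 0), (1, 0), (2, 0), (3, 1), (4, 1), (4, 1), (3, 0), (2, 0),
        (1, 0), (0, 0), (42, -17), (0, 0), (0, 0)]   # one-sample correction
BUMP = [(0, 0), (1, 0), (2, 0), (2, 0), (30, 25), (1, 0), (1, 0), (2, 0),
        (3, 0), (3, 0), (2, 0), (1, 0), (0, 0)]      # bump long before the shot

if __name__ == "__main__":
    for name, trace, hits in (("human", HUMAN, [14]), ("snap", SNAP, [11]),
                              ("bump", BUMP, [12])):
        print(name, spike_samples(trace), suspicious_shots(trace, hits))
```

Real thresholds would have to be calibrated per poll rate and sensitivity setting; the fixed values here only suit the constructed traces.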

    • @kttnpunk@lemmy.world (5 months ago, score 4)

      Anticheat software, sure that’s what it is. Totally not an excuse to steal total control of a player’s machine, nope not here

      • @Breve (5 months ago, score 3)

        I mean I’m not going to jump to the conclusion that they are definitely actively doing this, but more that if they openly admitted that their anti-cheat software has the ability to invisibly monitor everything on your computer from your browser to your password manager, then people would be way less accepting of it just because of the potential risk.