When Riot Games introduces the Vanguard anti-cheat to League of Legends, you should STOP playing and you must NOT install the anti-cheat when you get the pop-up. Vanguard is a kernel-level anticheat and these anticheats operate at a privilege level HIGHER THAN YOUR OWN. The anti-cheat can do things that even YOU can't do, without asking or letting you know. It's like Riot installing a camera in every room of your house and getting a copy of every key inside.
Here are just a few examples of what they can do:
- Gaming co ESEA hit by $1m fine for hidden Bitcoin mining enslaver
- Gaming Company Fined $1M for Turning Customers Into Secret Bitcoin Army
- Easy Anti-Cheat hacked
Just a random player with a cheat developer past, that likes to reverse-engineer malware occasionally.
Anticheats are getting more and more intrusive, it's getting out of hand and people should have a better understanding of how intrusive and dangerous kernel mode software, in general, can be. It's driving me crazy how game developers get away with this.
I want to convince you NOT to voluntarily install kernel-level software of any kind (anti-tamper, or whatever they try to push to you), shooting yourself in both feet.
All you ordinary gamers. This articles explains in simple terms the issue at hand.
- "Lower" and "higher" access levels: consider lower -> closer to hardware, meaning MORE privileged (may be counter-intuitive to some)
- Any software that runs in the kernel namespace is referred to as a "driver".
Only after diving into the world of reverse engineering and cheat development was I able to understand how incredibly intrusive anti-cheats can be. I get it, we all do, cheating is bad, ruins legit players' experience, and so on - but that's not the point here. The point is - that cheating is inevitable, so why force your player base to install a rootkit into their PCs?
The only difference Vanguard will bring is that the cheating players will just have to spend a bit more money for the premium kernel-mode cheats since a user-mode anti-cheat can hardly deal with a kernel-mode one. Valorant has Vanguard, so what? It still has cheaters and the premium cheat developers are not even charging that much. Speaking of "premium cheats", all this introduces a whole new problem, more usage of kernel cheats, which means just like with Vanguard - the user will voluntarily infect their PC with yet another kernel-level software to mine some crypto and share their bank account with their favorite cheat developer <3.
Why don't game devs implement better detection methods server-side while keeping the user-mode piece of the anti-cheat? Because it's cheaper to deploy a rootkit to everyone's PC! You can detect and log "unrealistic" behavior without installing a rootkit into your players' PCs. We're not just talking about another piece of software, this is the core of your computer's operating system.
In a computer, the kernel is the core software of the operating system. It handles all the fundamental operations, like managing memory, processing tasks, and communicating between your hardware (like your keyboard, mouse, and monitor) and software (like your games and applications).
The kernel operates at the DEEPEST level of your system and has complete control over anything happening in your computer. It decides which programs get resources, serves as a bridge between software and hardware using drivers, and controls essential security measures.
There exists a concept of "Ring protection levels". Their purpose is to define an access level hierarchy in your system. Your everyday apps and games run at Ring3 (least privileged, safest for your system). Can you guess who wants to be in Ring0? That's right - viruses, rootkits, spyware. Everything that can compromise your system and privacy, casually running kernel-level software that YOU DON'T NEED exposes you and your system to risks that we cover below.
After these few sentences you might say "Wow the kernel sounds important and complex!", well IT IS, THAT'S WHY YOU DON'T LET RANDOM SOFTWARE IN THERE.
Consider this:
When you are having guests over at home, do you hand over a key to your house to each one of them when they first come? NO??? Why not? They won't have to ring the doorbell next time, think of the insane convenience that this brings. What? They can come at any point, even when you are not there? Naaaaah come on why would they do that, they even promised not to! Wait what? You don't want to give them keys? Well too bad since it was not a question or a request, prepare to be evicted.
That's you, inviting Vanguard over, FOREVER... well technically until you uninstall it but with such privileged software a complete OS purge is recommended alongside all your drives.
Repeat after me, again, kernel-level software operates with the highest level of privilege on your computer - it can do things that even you CAN'T DO!
So far we only covered how incredibly privileged this software is on your machine, but let's talk about what CAN happen.
-
Security Vulnerabilities: The most concerning risk is related to security. When a program operates at the kernel level, ANY vulnerability in that program can potentially open the door to the entire system. If exploited, such vulnerabilities can lead to serious security breaches. In the case of Vanguard, any flaw in its design could be exploited by malicious entities to gain deep access to your system. Remember earlier about the keys? if someone untrustworthy gets a hold of them, they have access to everything inside. Kernel drivers are the keys to the kingdom. Have you ever wondered how viruses "nest" themselves into a system? By exploiting a driver developer's mistakes, malware can leverage the vulnerable driver to load itself into the kernel namespace and bring chaos. You are essentially voluntarily nesting kernel software into the kernel namespace :). One might say that some god-level developers at Riot cannot produce a vulnerable driver, but know this - bugs are a fact of life - the more complex your driver is, the higher the chance of the developer making a mistake. That chance is never zero, not even close.
-
System Stability: Kernel-level software has the power to make changes that can affect the entire system's stability. Ever wondered why you get "bluescreen"? Well, there you go! When an issue occurs inside kernel-level software, it doesn't just crash - it takes the whole system with it, potentially corrupting it before the next boot. This can be caused by a simple mistake by the developer of the driver, which inherently means that introducing unneeded kernel software into your system can increase the chance of instability. In contrast, when a user-level application crashes, you just restart it without threatening your whole system's stability.
-
Privacy Concerns: Privacy is another area of concern. Kernel-level access means the software can monitor all activities on the computer at all times, with full permissions and privileges, without asking any questions or even informing you in any way :). I am sure that Vanguard will only "enable itself" while you are playing league, but that's just a "promise". You can't rely on such "promises" when your privacy is at stake. You are giving it your house keys and pretending it didn't happen.
-
The Contrast with User-Level Software: Normally, your everyday software like games, discord, or whatever, operates at a much higher, more restricted level - we can call this user mode, userland, or user level. Userland software runs with virtual memory and has to ASK before doing ANYTHING. Whenever there is a malfunction, it is limited to that specific program, unlike kernel mode software, where the entire system collapses. There is absolutely no reason for a normal user to expose themselves to this just to play a game.
Now that we have a clearer understanding of the risks involved in purposely allowing a piece of software access to the kernel, we can say a few things about the intrusive aspect of it all.
-
Deep System Access and Privacy: Kernel-level anti-cheats have an unparalleled depth of access to your system. The traditional anti-cheat "most of the time" operates only on the game files and starts up with the game ONLY. With Vanguard and other kernel-level anti-cheats, your whole system is being observed and monitored, including non-gaming related activities, even when you are NOT PLAYING :) It's like having a security camera that's meant to monitor your front door but ends up recording every corner of your house???
-
Continuous Operation: Another aspect of intrusiveness is the continuous operation of such software. With Vanguard and other kernel-level anti-cheats, your system is being monitored completely, from boot to shutdown, since the software boots up with your PC, and DOESN'T JUST RUN WHEN LEAGUE OF LEGENDS IS ACTIVE, it runs ALL THE TIME :) This constant surveillance raises concerns, not just about privacy, but also about the impact on system resources and performance.
-
Potential for Data Collection: And of course, we must mention the "anonymous" data constantly being collected by the anticheat. With kernel-level anti-cheats being so intrusive, do you really trust them with the data they collect? There is absolutely no control over what the software can monitor, we are working on promises here...
Don't believe me how dangerous this is?
- Gaming co ESEA hit by $1m fine for hidden Bitcoin mining enslaver
- Gaming Company Fined $1M for Turning Customers Into Secret Bitcoin Army
- Easy Anti-Cheat hacked
And MANY MORE that did not get caught, as it's extremely hard to get caught with this :)
So, there we have it, we managed to barely scrape the surface on the topic... overall, it's your job to protect your privacy, since apparently the incredibly intrusive kernel anti-cheats are somehow still legal.
If you choose to install Vanguard and keep playing League, just remember that someone has unrestricted access to your PC the entire time it is being turned on (in the case of Vanguard at least) and that someone doesn't need your permission when he wants to do something :)
Is it worth sacrificing a piece of your digital freedom and security to continue playing League of Legends?
Stay safe, stay informed:
- https://en.wikipedia.org/wiki/Kernel_(operating_system)
- https://en.wikipedia.org/wiki/Rootkit
- https://documents.trendmicro.com/assets/white_papers/wp-an-in-depth-look-at-windows-kernel-threats.pdf
- https://cpu.land/
- https://www.youtube.com/watch?v=nk6aKV2rY7E (I'm pissed off as well mate)
- https://www.theregister.com/2013/11/20/esea_gaming_bitcoin_fine/ driver mining bitcoin
Update 1: Added TL;DR
Update 2: Added ring protection levels
The issue isn't what it can do, it's that it can do it without you knowing or needing your permission, they don't need to tell you or inform you they installed a Crypto Miner as some of the links pointed to other companies doing, it's not the what or why it's the how, and the how is, without your consent or knowledge. The issue isn't just the developers either, it's the possibility of a weakness or backdoor being left in and being exploited, I doubt Riot would, but having the kernel level access there means it's a possible point of entry for bad actors, we saw what happened with Apex, now what if someone had more power than that and you were unaware. The has or will it happen is moot point, the point is it's possible because of the kernel level access, and it's completely unavoidable..