Kernel-level anti-cheats are threats to security and privacy. You should care

Recently Activision unveiled Ricochet, the new trojan-spyware client anti-cheat for Call of Duty games.

You might have even noticed that it installs a kernel-mode driver, like Vanguard (Riot's anti-cheat software).

 

Both Activision and Riot are trying to make you think it's not a big deal, and this is a really bad tendency.

Their motivation is all about "sophisticated cheats" that can't be detected otherwise, and they try to assure you that they only do so for "monitoring applications".

 

But why is that bad?

 

There's an easy representation of "protection levels" in an OS:

 

[image: protection rings diagram]

 

Basically all games are Ring 3 applications. And applications do not need special privileges to make users happy.

 

Drivers, on the other hand, can't work in an unprivileged environment because they need to access any memory directly, without additional abstraction layers.

They need to react when devices come and go before any application would even notice.

They might need to create virtual devices that will look like real ones (e.g. VPN interfaces).

And so on.

 

Microsoft doesn't really use Rings 1-2, so basically it's all or nothing. Kernel-mode code even requires a special kind of signature in Windows that is different from usual application signatures.

The only things lower than that are the hypervisor (if you are running Windows in a VM) and CPU firmware (AMD PSP and Intel ME).

 

That, however, also has additional consequences because of the new possibilities that kernel mode gives:

  • read the memory of every application on your system
  • access information about other running applications and services
  • restrict users from running applications
  • restrict users from uninstalling applications

 

The only thing that stops a developer from doing shady stuff is their promise not to do so. And even if they promise, sometimes they don't keep their promises. ESEA, for example, used its anti-cheat to create a mining botnet.

Game developers aren't security specialists, and even if Activision does hire good developers, it's not their goal to provide good security for you. Anti-cheat isn't a product that they sell to increase your security. It's there only to increase their profits by securing their side.

 

Even if you trust that game developers are 100% not doing bad things, you should be aware that any developer can miss bugs in their software. Bugs in kernel drivers mean the possibility of attacks on your PC that have unlimited access to everything.

That includes RCE (remote code execution) vulnerabilities. So if someone finds such an attack for Call of Duty/Ricochet, they can do funny things not only with the game itself but also with your whole system.

Even local vulnerabilities are very serious. There is even a PoC for software that uses Genshin Impact's kernel-mode driver to access other applications.

 

There are a couple of points regarding overall data usage by companies that force you to accept their intrusive software:

  • Activision is a big company, and big companies tend to mislead people about the usage of their data. Since user data also brings money, it's only a matter of time until they dip their noses deeper into their players' private matters. Of course, they will cover those efforts with "bringing a better experience for our precious players and further increasing protection".
  • Riot is a subsidiary of Tencent, which is based in China. China isn't the only country that would like to get everything possible about you, but it's quite successful at controlling local companies.

So, the question is: would you give access to your banking passwords to companies like Activision or Tencent?

Or maybe you are willing to share monitoring data with their affiliated third parties, which may or may not include advertising giants or government agencies?

 

At the end of the day, games are just games. They should be fun to play. Why do people need to sacrifice privacy and allow game developers to tamper with their systems?

It's always possible to choose another game that won't be able to take advantage of you.

 

Game developers aren't your friends and it shouldn't be a norm for them to put their sticky fingers deep inside your PC.

 

P.S. I am really sorry for all the mistakes I made, since English isn't my native language.

If you have suggestions on how to fix them, you can send me a private message.

Thanks.


24 minutes ago, gudvinr said:

Game developers aren't security specialists, and even if Activision does hire good developers, it's not their goal to provide good security for you. Anti-cheat isn't a product that they sell to increase your security. It's there only to increase their profits by securing their side.

Most companies develop anti-cheats not to make money but to protect their customer base from a cheating extravaganza.

The exception is Rockstar and GTA Online: zero fucking anti-cheat besides for money cheats, and it is a real-life money-printing machine. In this case it is used to make money, because what little it prevents is the one thing you can buy with microtransactions.

Fuck you scalpers, fuck you scammers, fuck all of you jerks that charge way too much to tech-illiterate people. 

Unless I say I am speaking from experience or can confirm my expertise, assume it is an educated guess.

Current setup: Ryzen 5 3600, MSI MPG B550, 2x8GB DDR4-3200, RX 5600 XT (+120 core, +320 Mem), 1TB WD SN550, 1TB Team MP33, 2TB Seagate Barracuda Compute, 500GB Samsung 860 Evo, Corsair 4000D Airflow, 650W 80+ Gold. Razer peripherals. 

Also have a Alienware Alpha R1: i3-4170T, GTX 860M (≈ a 750 Ti). 2x4GB DDR3L-1600, Crucial MX500

My past and current projects: VR Flight Sim: https://pcpartpicker.com/user/nathanpete/saved/#view=dG38Jx (Done!)

A do it all server for educational use: https://pcpartpicker.com/user/nathanpete/saved/#view=vmmNcf (Cancelled)

Replacement of my friend's PC nicknamed Donkey, going from 2nd gen i5 to Zen+ R5: https://pcpartpicker.com/user/nathanpete/saved/#view=WmsW4D (Done!)


I really don't care.

If you're protecting from cheats that are kernel-level, your anti-cheat would also need to be kernel-level.

I could use some help with this!

please, pm me if you would like to contribute to my gpu bios database (includes overclocking bios, stock bios, and upgrades to gpus via modding)

Bios database

My beautiful, but not that powerful, main PC:

prior build:


1 minute ago, Somerandomtechyboi said:

Just run the games in a VM with no important data

¯\_ (ツ) _/¯

Does not work; being kernel-level gives it the ability to read configuration data that can reveal it is being virtualized.

Also, I hope what you said was satire.


2 minutes ago, Somerandomtechyboi said:

Just run the games in a VM with no important data

¯\_ (ツ) _/¯

Gaming in a VM is a PITA, though.

You need two GPUs, and to be running Unraid, to make it work with GPU passthrough.


9 minutes ago, HelpfulTechWizard said:

Gaming in a vm is a pita tho.

You need two gpus, and to be running unraid to make it work with gpu passthrough

Also… Anti-cheat looks for you being in a VM… if you're in a VM, depending on the implementation the hypervisor can read (and write) memory, which is the ultimate form of cheating. Direct memory access is basically 100% ownership. So anti-cheat software tries really hard to know if you're in a VM or not, as it would be the best way to cheat, lol.

Rig: i7 13700k - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Assorted SATA SSD's for Photo Work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - XT45 X-Flow 420 + UT60 280 rads - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad

 

Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/ Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TreuNAS + many other VM’s

 

iPhone 14 Pro - 2018 MacBook Air
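The "configuration data" that gives a VM away, as mentioned in the two posts above, is mostly mundane: a CPUID flag, a hypervisor vendor string, and the SMBIOS strings the hypervisor stamps on its virtual motherboard. The script below is an added example written for this thread, not code from Ricochet, Vanguard or any poster; it checks those three signals against constructed inputs and, on Linux, against the host it runs on. The sample /proc/cpuinfo excerpts and vendor strings at the top are made up for the demo; the vendor signatures in the two tables are the ones the respective hypervisors actually report.

```python
"""Fingerprinting a VM from configuration data.

Added example for the posts above about anti-cheats detecting virtualization;
it is not code from Ricochet, Vanguard or anyone in this thread. It checks
three things a hypervisor leaks to its guest: the CPUID hypervisor-present
bit, the hypervisor vendor string from CPUID leaf 0x40000000, and the SMBIOS
(DMI) system vendor / product strings. The sample inputs are constructed.
"""

# Vendor signatures hypervisors return in CPUID leaf 0x40000000 (EBX:ECX:EDX).
CPUID_HYPERVISOR_VENDORS = {
    "KVMKVMKVM": "KVM",
    "VMwareVMware": "VMware",
    "Microsoft Hv": "Hyper-V",
    "XenVMMXenVMM": "Xen",
    "VBoxVBoxVBox": "VirtualBox",
    "TCGTCGTCGTCG": "QEMU (TCG)",
}

# Substrings of sys_vendor + product_name that name a hypervisor. Bare
# "Microsoft Corporation" is deliberately absent: physical Surface devices
# report it too; Hyper-V guests also report product_name "Virtual Machine".
SMBIOS_MARKERS = {
    "qemu": "QEMU/KVM",
    "vmware": "VMware",
    "virtualbox": "VirtualBox",
    "innotek": "VirtualBox",
    "xen": "Xen",
    "parallels": "Parallels",
    "virtual machine": "Hyper-V",
}

# Constructed /proc/cpuinfo excerpts (not captured from a real machine).
SAMPLE_KVM_CPUINFO = "\n".join([
    "processor\t: 0",
    "vendor_id\t: GenuineIntel",
    "model name\t: Intel Core Processor (Haswell, no TSX)",
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep sse sse2 ht"
    " syscall nx lm constant_tsc x2apic popcnt hypervisor lahf_lm",
])
SAMPLE_BARE_METAL_CPUINFO = "\n".join([
    "processor\t: 0",
    "vendor_id\t: AuthenticAMD",
    "model name\t: AMD Ryzen 5 3600 6-Core Processor",
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep sse sse2 ht"
    " syscall nx lm constant_tsc x2apic popcnt aes rdrand lahf_lm",
])


def cpuinfo_flags(cpuinfo_text):
    """Flag set of the first CPU in /proc/cpuinfo-style text (empty if absent)."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return set(value.split())
    return set()


def hypervisor_from_cpuid(vendor):
    """Map the 12-byte leaf 0x40000000 vendor string to a hypervisor name."""
    if isinstance(vendor, bytes):
        vendor = vendor.decode("ascii", "replace")
    return CPUID_HYPERVISOR_VENDORS.get(vendor.strip("\0 "))


def assess(cpuinfo_text="", cpuid_vendor="", sys_vendor="", product_name=""):
    """Return (vm_likely, evidence). Each signal alone is circumstantial;
    together they are the 'configuration data' a VM check reads."""
    evidence = []
    if "hypervisor" in cpuinfo_flags(cpuinfo_text):
        evidence.append("cpuid: hypervisor-present bit (leaf 1, ECX bit 31) set")
    name = hypervisor_from_cpuid(cpuid_vendor)
    if name:
        evidence.append(f"cpuid leaf 0x40000000: {name}")
    smbios = f"{sys_vendor} {product_name}".lower()
    for marker, name in SMBIOS_MARKERS.items():
        if marker in smbios:
            evidence.append(f"smbios: {name} ({sys_vendor!r} / {product_name!r})")
            break
    return bool(evidence), evidence


def collect_linux():
    """Read the same inputs from a Linux host (None elsewhere). The CPUID
    vendor string needs native code, so it is left empty here."""
    try:
        with open("/proc/cpuinfo") as f:
            cpuinfo = f.read()
    except OSError:
        return None

    def dmi(field):
        try:
            with open(f"/sys/class/dmi/id/{field}") as f:
                return f.read().strip()
        except OSError:
            return ""

    return {"cpuinfo_text": cpuinfo, "sys_vendor": dmi("sys_vendor"),
            "product_name": dmi("product_name")}


if __name__ == "__main__":
    print("constructed KVM guest:", assess(SAMPLE_KVM_CPUINFO, b"KVMKVMKVM\0\0\0",
                                           "QEMU", "Standard PC (Q35 + ICH9, 2009)"))
    print("constructed bare metal:", assess(SAMPLE_BARE_METAL_CPUINFO, "",
                                            "Micro-Star International Co., Ltd.", "MS-7C91"))
    live = collect_linux()
    if live:
        print("this host:", assess(**live))
```

On Windows the same SMBIOS strings sit in the registry under HKLM\HARDWARE\DESCRIPTION\System\BIOS (SystemManufacturer, SystemProductName). Two caveats worth knowing: none of these three reads needs a kernel driver (CPUID is unprivileged and the DMI files and registry keys are readable by normal users), and all three can be hidden by the VM owner (libvirt's `<feature policy='disable' name='hypervisor'/>`, QEMU's `-smbios type=1,manufacturer=...`), which is why anti-cheats stack timing and device-enumeration checks on top of them.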


10 minutes ago, Nathanpete said:

Does not work; being kernel-level gives it the ability to read configuration data that can reveal it is being virtualized.

Also, I hope what you said was satire.

Nope, I really didn't know that games can actually detect being virtualized ;-;

10 minutes ago, HelpfulTechWizard said:

Gaming in a VM is a PITA, though.

You need two GPUs, and to be running Unraid, to make it work with GPU passthrough.

IK, who gives a crap about virtualization; just have a completely separate drive with no important info at all. That way, if they are gathering data, they won't be gathering much.

I prob will take this approach in the future, because I don't like how invasive anti-cheats are and I do somewhat care about privacy (not to the point where I go full lockdown mode, but more like taping the front cameras of my phone and avoiding Google, so half serious about privacy).


2 minutes ago, HelpfulTechWizard said:

I really don't care.

If you're protecting from cheats that are kernel-level, your anti-cheat would also need to be kernel-level.

That's also a really dangerous misconception. The game developer (not anti-cheat software) should protect you from cheaters in their game, and not from whatever you or anyone else wants to run on their PC.

Let's say you forgot that you have Vanguard/Ricochet/whatever installed and decided to play some single-player game with cheats because you want infinite health/ammo/etc. No biggie, right? But do you really want Activision/Riot/someone else to know that you are running that stuff? They could easily mark whoever they want as a potential cheater, and good luck proving them wrong.

I am not saying that you personally would do such a thing, but it's just an example of how it might affect some people who have zero intention of cheating in online games.

And what's more important is that even a kernel-level uber-protection system won't protect you from cheaters. It just increases the cost of cheats and thus decreases the number of cheaters.

People who really want to cheat will cheat no matter what you are running on your PC.


16 minutes ago, HelpfulTechWizard said:

Gaming in a VM is a PITA, though.

You need two GPUs, and to be running Unraid, to make it work with GPU passthrough.

You don't need two GPUs for that. It's just convenient to set up, but not a requirement.

It's possible to run the host headless and boot into a VM that uses GPU passthrough.

And strictly speaking, you don't need Unraid for that either.


8 minutes ago, LIGISTX said:

Also… Anti-cheat looks for you being in a VM… if you're in a VM, depending on the implementation the hypervisor can read (and write) memory, which is the ultimate form of cheating. Direct memory access is basically 100% ownership. So anti-cheat software tries really hard to know if you're in a VM or not, as it would be the best way to cheat, lol.

While it's true that the hypervisor is able to access VM memory, it isn't the best way to cheat, because not only is it too hard to set up properly for an end user, but it's also quite challenging for cheat authors to read and write stuff in the right places. For outsiders, memory inside a VM is just a random mess and contains not just the memory of the application that you want to modify but also other applications and the OS itself.


The best solution to this issue is to stop throwing your money at parasitical game developers who only care about how many lootboxes you open or how many skins you buy.

I'll let y'all in on a little secret: these kernel-mode detection systems are not really aimed at cheaters; that is just a beneficial side effect. Their real intent is to stop people modding games to circumvent restrictions and grind that are only there to incentivize you to spend more.

Activision DGAF if XXxx--Little-Timmy-Did-Ya-Mum--xxXX is aimbotting; as long as he's buying up the premium shit, he's good.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


11 minutes ago, Somerandomtechyboi said:

IK, who gives a crap about virtualization; just have a completely separate drive with no important info at all. That way, if they are gathering data, they won't be gathering much.

You would need a completely separate PC to restrict access to data on other drives plugged into your system.


1 minute ago, gudvinr said:

You would need a completely separate PC to restrict access to data on other drives plugged into your system.

Then just unplug them.


9 minutes ago, gudvinr said:

You don't need two GPUs for that. It's just convenient to set up, but not a requirement.

It's possible to run the host headless and boot into a VM that uses GPU passthrough.

And strictly speaking, you don't need Unraid for that either.

You don't even need to run headless these days. Single-GPU passthrough is almost easy to set up as long as you're OK with libvirt/KVM and bash scripting.


35 minutes ago, gudvinr said:

That's also a really dangerous misconception. The game developer (not anti-cheat software) should protect you from cheaters in their game, and not from whatever you or anyone else wants to run on their PC.

Let's say you forgot that you have Vanguard/Ricochet/whatever installed and decided to play some single-player game with cheats because you want infinite health/ammo/etc. No biggie, right? But do you really want Activision/Riot/someone else to know that you are running that stuff? They could easily mark whoever they want as a potential cheater, and good luck proving them wrong.

I am not saying that you personally would do such a thing, but it's just an example of how it might affect some people who have zero intention of cheating in online games.

And what's more important is that even a kernel-level uber-protection system won't protect you from cheaters. It just increases the cost of cheats and thus decreases the number of cheaters.

People who really want to cheat will cheat no matter what you are running on your PC.

Anti-cheats would look for cheats in the game they are configured for.

And speaking from experience, Vanguard only cares if you cheat at Val; I've run modded versions of other games and it was fine with that.

I don't understand what you are talking about in pg 1.

If there are fewer cheaters, they are protecting you from cheaters. I've had one cheater out of like 200 games of Val (and that's just the number of unr games), and they were booted in less than 10 minutes.

36 minutes ago, gudvinr said:

You don't need two GPUs for that. It's just convenient to set up, but not a requirement.

It's possible to run the host headless and boot into a VM that uses GPU passthrough.

And strictly speaking, you don't need Unraid for that either.

I've never seen anyone claim it was possible without two GPUs. I guess you mean automating the startup process so you don't need a GPU to display it?

Also yeah, but Unraid is the one that's already set up to do that.


48 minutes ago, gudvinr said:

While it's true that the hypervisor is able to access VM memory, it isn't the best way to cheat, because not only is it too hard to set up properly for an end user, but it's also quite challenging for cheat authors to read and write stuff in the right places. For outsiders, memory inside a VM is just a random mess and contains not just the memory of the application that you want to modify but also other applications and the OS itself.

It’s difficult, yes. But the best cheats are done this way… 


2 minutes ago, HelpfulTechWizard said:

Anti-cheats would look for cheats in the game they are configured for.

You can only say that assuming they actually only do what the developers claim they do.

Quote

Vanguard only cares if you cheat at Val

If they didn't ban you immediately, it doesn't mean that they didn't take it into account in one way or another.

Speculation aside, you can't say for sure that they don't look for something other than what they claim to.

It's a thing that could easily be abused without your knowledge or any ability to detect such abuse.

Quote

I don't understand what you are talking about in pg 1

All that I'm saying is that intrusive software on your PC isn't a necessity for protection from cheats. It's just one of the measures, and the most unreliable one, even if it's a kernel-mode driver.

No company should force you to use their shit to protect you from cheaters. If they can't do that with server-side analytics and a game engine built with the "never trust the client" rule in mind, then they are probably cutting corners by making you responsible for these things, because it's cheaper and people don't care much about security until it's too late.
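What "server-side analytics" and "never trust the client" look like in practice, as an added example for the post above (written for this thread; not code from any game or anti-cheat named here): the server keeps its own copy of each player's state and only advances it when the client's claim is physically possible, so a teleport, a replayed packet or a fire rate above the weapon cap is rejected and counted against the account without anything running on the player's machine. The tick rate, speed limit, fire-rate cap and three-strike policy are assumed values, and the session in `demo()` is constructed.

```python
"""Server-authoritative plausibility checks for client-reported actions.

Added example for the "never trust the client" point in the post above;
it is not code from any game or anti-cheat named in this thread. The tick
rate, speed limit, fire-rate cap and strike policy are assumed values.
"""
import math
from dataclasses import dataclass

TICK_SECONDS = 1 / 64        # assumed 64 Hz server tick
MAX_SPEED = 7.0              # assumed hard cap on legitimate movement, units/s
TOLERANCE = 1.15             # slack for jitter and rounding before a strike
MIN_TICKS_BETWEEN_SHOTS = 6  # assumed fire-rate cap (~10.7 shots/s at 64 Hz)
STRIKE_LIMIT = 3             # strikes before the account is flagged for review


@dataclass
class PlayerState:
    x: float
    y: float
    z: float
    last_move_tick: int          # server tick of the last *accepted* move
    last_shot_tick: int = -10**9
    strikes: int = 0


class ServerValidator:
    """The server keeps its own copy of every player's state and advances it
    only when the client's claim is physically possible. Ticks are the
    server's receive-time ticks, never a clock the client supplies."""

    def __init__(self, max_speed=MAX_SPEED, tick_seconds=TICK_SECONDS,
                 tolerance=TOLERANCE, min_shot_gap=MIN_TICKS_BETWEEN_SHOTS,
                 strike_limit=STRIKE_LIMIT):
        self.max_speed, self.tick_seconds = max_speed, tick_seconds
        self.tolerance, self.min_shot_gap = tolerance, min_shot_gap
        self.strike_limit = strike_limit
        self.players = {}

    def spawn(self, pid, pos, server_tick):
        x, y, z = pos
        self.players[pid] = PlayerState(x, y, z, server_tick)

    def _strike(self, pid, reason):
        st = self.players[pid]
        st.strikes += 1
        return False, (st.x, st.y, st.z), reason

    def move(self, pid, reported_pos, server_tick):
        """Client claims 'I am now at reported_pos'. Returns
        (accepted, authoritative_pos, reason); on rejection the server keeps
        its last good position and the client gets rubber-banded to it."""
        st = self.players[pid]
        if server_tick <= st.last_move_tick:
            return self._strike(pid, "stale or replayed update")
        elapsed = (server_tick - st.last_move_tick) * self.tick_seconds
        dist = math.dist((st.x, st.y, st.z), reported_pos)
        allowed = self.max_speed * elapsed * self.tolerance
        if dist > allowed:
            return self._strike(pid, f"moved {dist:.2f} units, max {allowed:.2f}")
        st.x, st.y, st.z = reported_pos
        st.last_move_tick = server_tick
        return True, tuple(reported_pos), "ok"

    def shoot(self, pid, server_tick):
        """Enforce the weapon's fire-rate cap on the server, not in the client."""
        st = self.players[pid]
        if server_tick - st.last_shot_tick < self.min_shot_gap:
            return self._strike(pid, "fire rate above weapon cap")
        st.last_shot_tick = server_tick
        return True, (st.x, st.y, st.z), "ok"

    def flagged(self):
        """Players whose strikes reached the limit, for review or banning."""
        return sorted(p for p, st in self.players.items()
                      if st.strikes >= self.strike_limit)


def demo():
    """Constructed session: one honest player, one with teleport + rapid fire."""
    v = ServerValidator()
    v.spawn("legit", (0.0, 0.0, 0.0), 0)
    v.spawn("teleporter", (0.0, 0.0, 0.0), 0)
    log = []
    for t in range(1, 5):                     # ~6.4 units/s: under the cap
        log.append(("legit",) + v.move("legit", (t * 0.1, 0.0, 0.0), t))
    log.append(("teleporter",) + v.move("teleporter", (50.0, 0.0, 0.0), 1))
    log.append(("teleporter",) + v.move("teleporter", (0.05, 0.0, 0.0), 0))
    log.append(("teleporter",) + v.shoot("teleporter", 2))
    log.append(("teleporter",) + v.shoot("teleporter", 3))
    return log, v.flagged()


if __name__ == "__main__":
    log, flagged = demo()
    for pid, ok, pos, reason in log:
        print(f"{pid:10s} {'ACCEPT' if ok else 'REJECT':6s} pos={pos} {reason}")
    print("flagged:", flagged)
```

Two design points: the server never bans on a single rejection, because a latency spike or a dropped packet looks exactly like a small teleport, so a strike budget separates noise from a pattern; and the checks rely only on what the server already knows (its own clock, its own copy of positions), which is the part of anti-cheat that costs the player nothing. What this cannot see is an aimbot that sends perfectly legal inputs, which is why the thread later brings up camera-based cheats that no client-side driver catches either.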


19 minutes ago, LIGISTX said:

It’s difficult, yes. But the best cheats are done this way… 

There's always a better way

This kind of stuff can be easily sold at $30 or less in plug-and-go form and trained for any game on PC and console.

Good luck detecting that locally without requiring the user to purchase surveillance cameras.


7 minutes ago, Mel0nMan said:

Hopefully the same can't be done with these anti-cheats.

Oh it CAN, people just have to find the exploits.


Just now, Arika S said:

Oh it CAN, people just have to find the exploits.

My school's IT department uses this thing, I believe it's called Ninite. It's a Windows installer on a USB stick that also has an autorun EXE that preloads all the software they need. So they literally plug it in, walk away, come back an hour later, do the account setup, and then unplug it and turn off the computer as it copies scripts that run the next time it starts up and install those programs. I feel like there could be something like that done with a malicious program that targets those kernel-level anti-cheats, but instead of installing Office 2018 it steals your logon info and IP address.


It's not only them; Windows etc., where even basic apps/software get more access than they should ever need, or run when they shouldn't, like for example iCUE from Corsair.

And why I wish for control like on your phone (although with the needed security).

From being able to know what it will access and do, and how deep it will go, to being able to pick when it should run or not.

This boundary, to me, feels more blurred from Windows 7 to 10.


I suppose if we normalize the concept of video games requiring kernel-level access, then more users will feel comfortable allowing software to access kernel-level resources; then all the work Microsoft put into making Windows secure goes bye-bye, because users have gotten used to blasting away any userspace protections.

Imagine a non-tech-savvy user who sees on an OFFICIAL website that "anti-cheat software requires kernel-level access"; then they see a free random game on the internet and this game asks for kernel-level access. The user has been conditioned to accept that term because they're used to seeing it with official software. The user now has a kernel-level bitcoin miner and keylogger.

If I have to explain every detail, I won't talk to you.  If you answer a question with what can be found through 10 seconds of googling, you've contributed nothing, as I assure you I've already considered it.

 

What a world we would be living in if I had to post several paragraphs every time I ask a question.
