Opinion

Richard Lewis: Can we trust Valorant’s anti-cheat?

by Richard Lewis

Share


The first week of the launch of the new title from Riot Games, first-person shooter Valorant, has been something of a mixed one for the developer. The almost unprecedented hype around the game saw the closed beta launch reach a peak of 1.7 million viewers on Twitch as people vied for a drop so they could too participate.


The views expressed in this opinion piece are those of the author and are not necessarily shared by Dexerto.


Initial impressions of the game were met with praise from veteran gamers on social media. Then came the revelations that maybe the game’s anti-cheat, which was a big part of the marketing push to attract players of other games, wasn’t all it was cracked up to be with working private cheats being sold in the first few days of the closed beta’s release.

If Riot had egg on their face after that the coming days would bring worse PR their way. On April 12th a post on popular subreddit r/pcgaming would claim that the Vanguard anti-cheat system, which has kernel-level access on the computers that install it, would be launched on booting up your PC regardless of whether or not you were playing Valorant.

Valorant anti-cheat Vanguard
Riot Games
Riot made bold claims about the capabiltiy of their anti-cheat systems.

Advertisement

The post, made by Reddit user u/voidox, read:

“The kernel anticheat driver (vgk.sys) starts when you turn your computer on. To turn it off, you either need to change the name of the driver file so it wouldn't load on a restart, or you can uninstall the driver (it will be installed back again when you open the game).

so ya, the big issue here is it running even when players don't have the game open, from startup no less. EDIT - It runs at Ring 0 of the Windows Kernel which means it always has the same rights as administrator from the moment you boot.

For comparison, BattlEye and EasyAntiCheat both load when you're opening the game, and unload when you've closed it. If you'd like to see for yourself, open cmd and type "sc query vgk.”

Advertisement

The thread quickly filled up with people confirming this to be accurate and expressing their concerns. The finding spread across social media like wildfire and made its way to the official Valorant subreddit. Eventually, Paul “arkem” Chamberlain, the anti-cheat lead, commented on Reddit confirming the claims made by the now many users who had tested out the method detailed in the Reddit post.

“TL;DR Yes we run a driver at system startup, it doesn't scan anything (unless the game is running), it's designed to take up as few system resources as possible and it doesn't communicate to our servers. You can remove it at anytime.

Vanguard contains a driver component called vgk.sys (similar to other anti-cheat systems), it's the reason why a reboot is required after installing. Vanguard doesn't consider the computer trusted unless the Vanguard driver is loaded at system startup (this part is less common for anti-cheat systems).

This is good for stopping cheaters because a common way to bypass anti-cheat systems is to load cheats before the anti-cheat system starts and either modify system components to contain the cheat or to have the cheat tamper with the anti-cheat system as it loads. Running the driver at system startup time makes this significantly more difficult. 

We've tried to be very careful with the security of the driver. We've had multiple external security research teams review it for flaws (we don't want to accidentally decrease the security of the computer like other anti-cheat drivers have done in the past). We're also following a least-privilege approach to the driver where the driver component does as little as possible preferring to let the non-driver component do the majority of work (also the non-driver component doesn't run unless the game is running)."

The Vanguard driver does not collect or send any information about your computer back to us. Any cheat detection scans will be run by the non-driver component only when the game is running. 

The Vanguard driver can be uninstalled at any time (it'll be "Riot Vanguard" in Add/Remove programs) and the driver component does not collect any information from your computer or communicate over the network at all.

We think this is an important tool in our fight against cheaters but the important part is that we're here so that players can have a good experience with Valorant and if our security tools do more harm than good we will remove them (and try something else). For now we think a run-at-boot time driver is the right choice.”

While I was working on this they also put out another clarifying statement, one that assured their players that their anti-cheat absolutely has to run the way it does and no changes to it are likely. If you want a TL;DR for the whole post it basically states “trust us, we’d never do anything bad to our fellow gamers.”

Hacker detected on monitor in Valorant
Riot Games
Vanguard runs from start-up, which some users feel is too invasive.

Advertisement

Right out the gate let’s establish something. Anyone acting surprised about the level of access that Vanguard has is either uninformed or disingenuous. Two months prior to the release of the closed beta the development team posted a blog detailing exactly how the anti-cheat would operate. As the original Reddit poster acknowledges kernel access anti-cheat isn’t anything new and has been utilised by multiple companies in the past. Indeed, it is the only thing that can give an anti-cheat system a fighting chance because most high-level cheats have that same level of access.

What must be said is that someone who is adept in reassuring people should have given this a thorough proofread. While the sentence “this isn’t giving us any surveillance capability we didn’t already have” might seem benign if you take it to mean the capability is zero, given Riot’s history and the company that funds them, it’s a statement that is incredibly difficult to be relaxed about. It also seems to inadvertently contradict what Chamberlain said in his Reddit post because it implies there is some surveillance capability there. If the intent was to communicate that there is no capacity to spy on you once the software is installed then this was a ludicrously ominous way of expressing that. This conclusion seems an impossibility when the following sentence states “if we cared about grandma’s secret recipe for the perfect Christmas casserole, we’d find no issue in obtaining it strictly from user-mode and then selling it to The Food Network.”

We can all appreciate when a game's developer has a sense of humour, both about themselves and their projects. It can lead to great things. Think Devolver Digital. One area you probably don’t want to joke about though is having the potential to spy on your customers. The sinister overtone of “we’d find no issue” as a phraseology can’t be overlooked either. Do they mean technically, morally or both?

Advertisement

Still, most people let it slide because there is a growing sentiment among online gamers that they’re willing to take the risk of a big company violating trust with their data to ensure a cheat-free environment. It’s certainly not a sacrifice I would be willing to make and I think anyone willing to do so should probably assess their life priorities, but provided people are informed I believe it is a choice that should be up to the individual. It comes down to a matter of trust. So the only question that matters is how comfortable are you in allowing Riot Games that level of access to your computer?

Some things to consider then. Riot’s history when it comes to data breaches is less than stellar. In 2014 I detailed how they had kept a major hack, one that compromised millions of accounts, secret and then downplayed the details when it became public. The hacker behind that incident was able to continue to gain access after it was brought to the public attention after a warning for players to change passwords wasn’t heeded by a senior Riot employee. Even the President of the company, Marc Merrill, had his Twitter account compromised during this time. It was a hugely embarrassing and costly lapse in security.

Given that this took place between 2011 – 2013 you might be inclined to give them a pass and say it was early in the company’s history. It is worth remembering then that in July 2018 when Riot Games were legally obliged to comply with requests to share data with their customers under the newly adopted General Data Protection Regulation (GDPR) in Europe, they also had a security lapse. Some players were sent other people’s data, which included name, phone number, email and date of birth. While Riot were quick to respond and said it was only a “few” who were affected, the scope of the problem will never be known.

It also doesn’t help alleviate fears when you consider the fact that invasive anti-cheats have been abused in this space before. The Counter-Strike pick-up game system ESEA decided to secretly turn their kernel access anti-cheat into a bitcoin miner, violating their consumer’s trust and damaging user’s machines in the process. They would receive a $1 million fine for this malicious activity, two thirds of which would be scrubbed if they avoided any other violations for a ten year period. In court, the company would blame a “rogue employee” for doing it despite evidence of the owner of the company having made public comments about how they could turn their anti-cheat into a bitcoin miner without customer’s knowledge prior to the incident. Some of the staff that worked on the ESEA anti-cheat are now working on Vanguard.

Developer working on Valorant
Riot Games
Some of the staff from ESEA's anti-cheat are now working on Vanguard.

Then there’s the elephant in the room… China. Riot Games is now wholly owned by Chinese mega-corporation Tencent. It is career suicide in the gaming industry to talk about how Chinese money and influence directs many of its biggest companies. Whether it’s Activision Blizzard punishing a player for expressing solidarity with the Hong Kong protestors, Mesut Ozil disappearing from PES and FIFA Online in China due to his comments about the persecution of Uyghur Muslims or game stores adhering to Chinese government censorship in order to sell their products in that country, China gets what it wants and games developers let it.

Tencent has become ubiquitous across all of gaming and tech. They own a piece of practically everything it seems. Where their money goes sympathies towards the authoritarian Chinese government seem to build. Indeed, Tencent enjoys a close relationship with Chinese government officials and has been exposed as having used their software for gathering information on their behalf. In March last year, a Dutch hacker revealed that 300 million private messages had been gathered through Tencent applications and stored on a database that could be accessed by police stations in cities and provinces across China.

Now, doubtlessly you’ll say “but that’s in China and there’s no way an American company would ever sign off on people’s data being used that way.” I’d hope you are right but it is hard not to believe that Chinese government influence isn’t present already. For example, last October, League of Legends players found that the game was censoring iterations of the word “Uyghur” and “freedom”. Riot staff took to social media to explain this away as a censoring error and that explained that sometimes the system just bans words by mistake. Interesting then that one of those words would happen to be the name of a minority group persecuted by the Chinese government who wants the atrocities committed against them to be hidden from the eyes of the world. What a crazy coincidence.

Put all this together and at best you should be healthily sceptical about deciding to give across such access to your computer. I’ve seen the arguments made that anything you sign up to can be subject to a hack. Of course, this is right but not everything you sign up to can be used as a surveillance tool without your knowledge and you should absolutely weigh up whether or not you want to opt into this simply to play an online game.

A final consideration… Maybe you are the type of person who is so frustrated with cheaters that you’d be willing to roll the dice on your personal data being used for something nefarious or a malicious entity gaining access to your computer files. So far the anti-cheat has fallen well short of the expectations it was generating before the closed beta launch. We had working private cheats being sold two days into the closed beta and the embarrassments keep coming.

Gun shooting in Valorant
Riot Games
Cheaters were spotted in Valorant only days into the closed beta.

Spanish CS:GO pro Oscar "mixwell" Cañellas was locked out of playing while streaming for charging his mobile phone via his USB port. He wasn’t the only player this happened to (Riot has since addressed the issue, and stated that Mixwell was in fact not banned, but instead hit by a bug that affected digital bootcamp participants who were accidentally still using the alpha build to play the closed beta).

Indeed, some cheats in the past have operated via injection from an external device. This false-positive suggests that at best, the anti-cheat is being overcautious and needs some fine-tuning. Meanwhile, T1 player Braxton "brax" Pierce had two cheaters in one of his games while streaming. Currently, it seems we are relying on manual bans to keep cheaters out of the closed beta, which makes a mockery of the whole idea of having this “revolutionary” anti-cheat in the first place.

So, to conclude, you guys can make your own choices. I personally think Riot Games should yield ground on the idea that Vanguard needs to be working on start-up as this would bring it in line with other kernel access anti-cheats we already have. The argument that it “helps” their fight against cheaters is lame when you consider the potential cost and the fact that so far the anti-cheat software looks like a false bill of goods. Failure to compromise or do more to reassure their players could be a not insignificant factor in the game’s potential success when it leaves this beta phase.