Riot turns on ability to turn off kernel-level anti-cheat tool

Riot Games announced last night that a new update to the Vanguard anti-cheat system used in Valorant will let users disable and/or easily uninstall the kernel-level security driver via a system tray icon.

That doesn’t mean cheaters can just turn off the anti-cheat tool and do whatever they want, though—Vanguard still needs to be installed and running to actually play Valorant. If you shut off the service from the system tray, you’ll have to restart your entire system before loading up Valorant. And if you uninstall Vanguard altogether, it will automatically be re-installed when you launch the game, requiring another restart.

The system tray tool will also notify users when Vanguard blocks certain third-party apps from running on their system. Users can disable Vanguard at that point and run the suspect app normally.

While Riot says “most players will never run into such a scenario,” the vast majority of such app-blocking behaviors deal with “software [that] has a known vulnerability or is being exploited in the wild.” That includes apps found in CVE databases that could let a cheater load unsigned code into the system kernel.

“Ultimately, you get to choose what software you run on your computer,” Riot writes. “You can uninstall or stop Vanguard to allow your software to work, but that will have the side effect of not allowing Valorant to work until you reboot.”

While Riot acknowledges that there are already working cheats out in the wild for Valorant, the company maintains that Vanguard “make[s] it difficult for all but the most determined to cheat, while also giving us the best chance to detect the cheats that do work.” Cheaters that do get through the Vanguard system can still be “remove[d]… from our ecosystem by leveraging other game systems,” Riot writes.

The changes come as Riot continues to try to quell concerns about Vanguard’s use of a startup-loaded kernel-level driver, which it says is necessary to monitor system integrity and user-level hacks from outside of Valorant. The company says the driver “isn’t giving us any surveillance capability we didn’t already have” and that Vanguard “does not collect or send any information about your computer,” in any case.

But the driver itself could potentially be exploited for serious kernel-level attacks on Windows systems, a setup that independent security researcher Saleem Rashid told Ars “introduces a large attack surface for little benefit.” Riot has expanded its bug bounty program to encourage hackers to report any unknown driver exploits, and Riot anti-cheat lead Paul Chamberlain tells Ars the company would “likely be able to respond within hours” to disable the driver if such a vulnerability were found.

Riot addresses “kernel-level driver” concerns with expanded bug bounties

Artist's conception of hackers lining up for these new bug bounties.

Last week, we took a look at the new Vanguard anti-cheat system being used in Riot’s Valorant and the potential security risks of the kernel-level driver it utilizes. Now, in an effort to allow “players to continue to play our games with peace of mind,” Riot says it is “putting our money where our mouth is” with an expanded bug bounty program, offering more money for the discovery of Vanguard vulnerabilities.

Bug bounties aren’t new to the gaming industry or even to Riot Games, which says it has paid out nearly $2 million in such rewards since launching its bounty program in 2016. But Riot is now offering “even higher bounties” of up to $100,000 specifically for the discovery of “high quality reports that demonstrate practical exploits leveraging the Vanguard kernel driver.”

The largest bounties in Riot’s newly expanded program are available for attacks that exploit the Vanguard driver to run unauthorized code at the kernel level—something of a nightmare scenario that could give an attacker full, low-level access to a machine—but exploits that merely provide “unauthorized access to sensitive data” will also be rewarded. The bounties apply to network-based attacks that need no user interaction, vulnerabilities that require user action (like clicking on a malicious link), and exploits that require “guest user” access to the system itself, in declining order of potential reward.

Offering bug bounties is an attempt to skew the incentive structure for potential Vanguard attackers, making it more lucrative to report flaws than to exploit them for use by cheating programs or hacking tools. Riot anti-cheat lead Paul Chamberlain said a similar issue of incentives was behind Riot’s decision to use a kernel-level driver for Vanguard in the first place.

Beating a kernel-level driver “requires a different (more strenuous) approach from cheat developers to attack,” Chamberlain told Ars. “For cheat developers operating at the kernel level, they need to work around the restrictions Microsoft places on kernel level software. This extra work reduces the incentives for cheat developers because their cheats become harder to make, less convenient for players to install, and just overall less profitable to sell.

“We don’t expect that any protection will remain unbreached forever, but Vanguard’s protections are strong, and as cheat developers’ tactics evolve, so will ours.”

Earning player trust

In announcing the new bug bounties, a group of high-level Riot security employees wrote that they “understand the decision to run the driver component in kernel-mode can raise concerns.” That said, they also want to reassure players that “we would never let Riot ship anything if we weren’t confident it treated player privacy and security with the extreme seriousness they deserve.”

The statement reiterates that while the signed kernel-level driver runs at start-up “to prevent loading cheats prior to the client initialization,” a user-level client “handles all of the anti-cheat detections while a game is running.” At that point, the user-level client uses the driver “to validate memory and system state and to make sure the client has not been tampered with.” The driver itself “does not collect or send any information about your computer back to us,” they wrote.

“We’d never let Riot ship something we couldn’t stand behind from a player-trust perspective (not that we think Riot would ever try),” Riot’s security representatives wrote. “Players have every right to question and challenge us, but let’s be clear—we wouldn’t work here if we didn’t deeply care about player trust and privacy and believe that Riot feels the same way. We’re players just like you, and we wouldn’t install programs on our computer that we didn’t have the utmost confidence in.”