If an application from a Chinese company installed a kernel driver onto your system with complete access to your computer, but they pinky-promised not to abuse this access and power, would you install the application? Well, if you’re interested in Riot Games’ new hit game Valorant, that’s exactly the question you’re going to have to answer.
Riot Games, the company behind one of the most popular games in the world, League of Legends, recently started publicly beta testing their new game, Valorant. Two months ago, the company penned a rather condescending blog post detailing their future anti-cheat technology, which would include a Windows kernel driver (running in ring 0, in x86 parlance). Valorant is their first game using this kernel driver, and as it turns out, this kernel driver starts at boot, and due to its very nature has full system access, even when you’re not running Valorant.
According to Riot Games, we just have to take them at their word that their kernel driver is fully secure and won’t be exploited by malicious third parties, and that the company won’t use it to spy on people or otherwise violate their privacy. Riot states on Reddit that “multiple external security research teams” have reviewed the driver, but as far as I can tell, these reviews have not been published for public vetting.
What we’re dealing with here is a rootkit, a method more and more anti-cheat systems are employing in the fight against cheating. The argument is that game developers need full, complete, and total access to your system in order to prevent you from cheating, and a kernel driver is how they do it.
There’s a long history of these sorts of things going horribly, horribly wrong. We all still remember the Sony rootkit debacle, where Sony CDs installed rootkits on users’ computers that ended up being exploited left, right, and centre by malicious parties. In 2016, Capcom installed a similar rootkit meant for anti-cheat with Street Fighter V, which was an absolute security train wreck. And closer to home for Riot, the game client for their very own League of Legends installed crypto miners on users’ computers in the Philippines.
Despite the inherent dangers in installing closed-source security-by-obscurity rootkits, Riot is dead-set on continuing to use them, and it’s only a matter of time before their rootkit is forced upon League of Legends players as well. In my case that means I won’t be able to play League of Legends anymore even if I wanted their rootkit on my computer, since I play on Linux through Wine/Lutris, which doesn’t support kernel drivers at all.
Players of Riot’s games will have to ask themselves if they trust Riot to install a rootkit with complete and full access to their system – browsing history, chat logs, email, everything. You have to trust Riot when they say the rootkit is “secure” and won’t be exploited by malicious third parties, and that the company itself won’t use it to invade your privacy.
Interesting sidenote: Riot Games is owned by the Chinese company Tencent, the company behind WeChat. Tencent is, for all intents and purposes, an arm of the Chinese government, so not only do you have to trust Riot Games, you also have to trust their owner, Tencent, as well as who Tencent literally answers to – the Chinese government.
I’m not going to tell anyone what they should or should not do with their computers, and if you trust Riot, Tencent, and the Chinese government enough to let them install a rootkit on your computer, then that’s your right to do so. However, I do feel users need to be at least aware of the choice they’re making.
Honestly I couldn’t care less about what or how many security researchers have looked at it. I respect their findings of course, but what happens if it’s exploited after the game loses support and the ring 0 access is still there?
https://www.youtube.com/watch?v=p-wyIalhdPU
Wow, I watched that exact video just over a week ago and it was still fresh in my mind. Yes, this is Starforce all over again, though this time I suspect it would be worse.
https://www.youtube.com/watch?v=u8ltfyqD3lM
Wow, StarForce is what drove me from PC gaming to consoles – because a locked-down console was nothing I’d do work and banking on, unlike the PC with some Russian rootkit now loaded in the kernel. And once I gave up on the games, it was time to leave Windows for good. So “thanks, StarForce” for making the Sony rootkit and this new one irrelevant to me?
Plot twist! This is so the Chinese government can use our computers to discover the vaccine for COVID-19 and save mankind!
+1 for creativity!
Looks like we’re in an advent of VMs for gaming. It’s only a matter of time before VMware or another company comes out with a solution for that.
I bet some of those companies will actively try to avoid running in a VM. In the end it will be up to what the userbase decides, but I am not very hopeful here.
Unless Microsoft comes up with some container tech for games.
This is a tricky one. For competitive gaming, you can see that there is a need to absolutely ensure that there is no cheating going on. In those scenarios, a rootkit may be necessary, and a professional gamer may have to accept those terms and ideally use a rig that is dedicated for playing games – with all their non-gaming activity carried out elsewhere.
For the majority of casual users though, this is overkill. Most people, using general purpose kits, absolutely should not be instructed to install a rootkit. And operating systems should be making it damn difficult for people to install a rootkit.
Really, there ought to be a two lane approach taken to this – that you don’t have to have the anti-cheat installed, but there are some games/tournaments that you won’t be able to join if you don’t.
This has always been my position on it as well. The problem with this approach is MMORPGs and similar games that aren’t strictly competitive/tournament based; there is still a need for anti-cheat mechanisms even in casual games, but how do you balance that? I feel that a server-side approach is the safest for the end user, but it’s obviously not as easy, cheap, or effective for the game publisher as client-side efforts like rootkits, and they will eventually take the path of least resistance at the expense of their customers’ security and safety.
Then (as Thom mentioned), there are those of us who play games on Linux. My main workstation runs Slackware, and I can play many of my casual Windows games like World of Warcraft on it if I don’t feel like booting up my Windows gaming PC, but some games will never work with Linux properly because of anti-cheat restrictions.
Morgan,
IMHO it’s partly the game developer’s fault when they don’t give bot users a legitimate avenue to play games. When I was younger I tried my hand at Quake bots, not really with the intention of competing that way, but to study and play around with the game mechanics; bots are fascinating and educational for young coders. If you have dedicated game servers where bots and mods are allowed, nobody gets offended by them. Maybe some people want to use bots to cheat, but honestly I think most bot makers are like I was, learning to code and seeking a fun challenge by learning how to mod games. Giving them their own maps is an easy way to get the honest mod/bot users onto different levels. Quite frankly, in college we had a hell of a lot of fun playing LAN games that were modded and had cheats enabled, creating totally new game modes like having humans team up against overpowered bots, etc. It wouldn’t be acceptable in a human tournament, but many bot makers wouldn’t bother trying to hack into human-only areas if only there were designated areas for them in the first place.
Ultimately the fact is you can only make it more difficult to mod a game, but that will never be 100% effective. Even “kernel rootkits” and the game code that depends on them can always be tricked. Give bot/mod creators their own areas and encourage them to use them; this helps to build up communities rather than vilify them. It could even be a great recruitment tool.
Long story short, don’t discriminate against game modders, give them their own areas to play in where those things are fair game!
[I know nothing about competitive gaming]
Could Microsoft handle that? Having a locked down mode for Windows which prevents cheat software (limit which SW can run, prevent input redirections…)
This really makes a case for gaming consoles, doesn’t it?
Or some kind of locked down Steamboxes or gaming PCs.
How is this a rootkit?
It’s simply a driver, calling it a rootkit is clickbait
Driver in ring 0 installed without your consent? With no WHQL certification, I bet?
How is it without your consent? It’s part of the installer which you run as a privileged user. They’re even blogging about it. WHQL is completely unrelated. It’s an optional certificate that most vendors choose not to obtain anyway.
A rootkit is kernel code that silently installs itself, tries to mask its presence, and is usually used for malicious purposes.
This is a driver that Riot are openly talking about, will certainly not be trying to mask its presence, and is simply a boot driver being bundled as part of the wider software package.
End users install drivers for all sorts of reasons, the majority of the time without realizing it. AV, hardware, mini-filters (file, network, USB, etc.), generic software drivers, etc.
I’m not saying I’d be comfortable installing this one due to the links, just that it’s not a rootkit, it’s a regular software driver.
SecuROM, StarForce and all kinds of “regular software drivers” for the sake of “DRM” have already been discussed here and now; I see no point in your denial about the reality of this being a rootkit.
gedmurphy,
I call BS on that. Just to make the point clear: a game installer could technically intercept your bank logins and steal all of your money. It would be bogus to say that they had your consent because “it’s part of the installer that you run as a privileged user”. Real consent requires informing the user and the meaningful ability to decline, otherwise it’s deceptive and/or coercive, which are antithetical to consent.
No, it technically is a rootkit, it provides kernel-level access to the hardware to a third party for a purpose other than actually providing the user access to that hardware. That’s _not_ a driver, not by any means other than the purely technical reasoning that it’s using the kernel driver infrastructure.
The big issue here isn’t so much that as the fact that it’s loaded at boot time and never unloaded. Even some of the well known anti-cheat and DRM tools that use drivers are loaded on-demand when the application using them starts and unloaded when the application exits.
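The comment above turns on a concrete, checkable property: whether a driver is loaded at boot regardless of whether its application is running. The following is an added example, not code from the article, the commenters or Riot Games, that inventories exactly that on a Windows machine. It assumes only standard Windows facilities (the `Win32_SystemDriver` CIM class, `Get-AuthenticodeSignature`, and file `VersionInfo`); the choice of which `StartMode` values count as "loaded without the application asking" is my reading of those values and is the one assumption to check against your own system.

```powershell
# Added example (not from the article, the thread or Riot): list kernel drivers
# that Windows loads on its own (StartMode Boot, System or Auto) and show who
# signed each one. Win32_SystemDriver, Get-AuthenticodeSignature and VersionInfo
# are standard Windows facilities; the start-mode set below is an assumption.

$loadedWithoutApp = @('Boot', 'System', 'Auto')

function Resolve-DriverPath {
    param([string]$PathName)
    # Service PathName values use several prefixes; normalise them so Test-Path works.
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^[Ss]ystem32\\', "$env:SystemRoot\System32\"
    return $p
}

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.StartMode -in $loadedWithoutApp } |
    ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $exists = $path -and (Test-Path -LiteralPath $path)
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
        $ver    = if ($exists) { (Get-Item -LiteralPath $path).VersionInfo } else { $null }

        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode   # Boot and System start before any user logs on
            State     = $_.State       # Running or Stopped right now
            Company   = if ($ver) { $ver.CompanyName } else { '' }   # vendor's own claim, not verified
            SigStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Path      = $path
        }
    }

# Drivers that start on their own and are not Microsoft's, or whose signature
# does not verify, are the ones worth a second look: an anti-cheat driver would
# appear here whether or not the game it belongs to is running.
$report |
    Where-Object { $_.Company -notmatch 'Microsoft' -or $_.SigStatus -ne 'Valid' } |
    Sort-Object StartMode, Name |
    Format-Table Name, StartMode, State, Company, SigStatus, Signer -AutoSize
```

Run it from an elevated PowerShell so every driver binary is readable. Two caveats when reading the output: `Company` is the file's own version metadata and proves nothing by itself, and third-party kernel drivers on current Windows are usually signed through Microsoft's attestation process, so `Signer` may name a Microsoft publisher even for a vendor's driver; the `Company` and `Path` columns are what tell vendors apart. A driver in the list with `StartMode` Boot or System is loaded before you log on and stays resident regardless of which applications you launch, which is precisely the distinction the comment draws against on-demand drivers.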
Can’t believe no one’s picked up on it yet, but maybe the solution here is for gamers to… RIOT?!
Shit like this is why I bought, YES BOUGHT, PSO and then never got to play it. Sorry, my machine, what I want on there, no, no uninstalling it for you, find a better way.
Never ok.
Is there some reason why games cannot run in a fenced off fuckbox if they have to and not bother other things?
Well, that’s why OSes which allow such deep access to untrustworthy software have to be run in a VM on top of a real OS.
e.g. Linux -> KVM -> Windows with PCIe passthrough -> Games
derstef,
You’re likely referring to the GPU. I prefer device virtualization to PCI passthrough because it doesn’t always make sense to dedicate physical devices to a VM. Maybe some day virtualized GPUs will be mature enough to be usable in practice.
I’m curious if anyone can verify that Windows games that use DRM still run under a Linux VM? There’s no reason they couldn’t, but they might use heuristics to try to detect a VM. IIRC QEMU identifies itself under CPUID in the VM.
Ever since the days of Knoppix, I’ve wondered why no game MFR distributed their game as a bootable disk, thus giving them full control of the hardware while running. This seems like a better idea than ever in light of shenanigans like what is being described. I can think of no other way to balance the integrity of the game with the security of the users. And even then, I suspect this grossly invasive method will probably be fooled by innovative and hardworking cheaters.
Hmmm, what does it mean for the Mac OS version? Can they do the same trick?
But for me, playing TFT on Linux now, it might be over. I don’t like to play it on my work computer (MacBook) and I don’t want to install Windows on my HP laptop.
I might have to look for something else. Bummer.
Does ring 0 mean it runs above any virtualization or containerization methods? I’m curious if Windows’ new container efforts can help, er, contain this sort of thing. Would that circumvent the effort to thwart cheating?
It’d be real nice if Microsoft would work with game makers to provide some sort of safe, system level solution to cheating, rather than letting anyone and everyone install root kits… Stuff like this makes me think Apple is honestly on to something with the execution model in iOS.
CaptainN-,
No, ring 0 was created with the invention of protected mode on x86. To get an idea what it is, think back to DOS: there were no protection levels and the CPU would execute whatever instructions it came across without restrictions: port IO, access all memory, etc. There was no mechanism by which to protect the system from software bugs. In Windows 3.x (not sure about Windows 2.x) the CPU was switched into protected mode, making it possible for the OS running in kernel space to supervise userspace programs. “Ring 0” refers specifically to the permission level for kernel space code with no restrictions. There’s actually a hidden “system management mode” with even more permissions than ring 0, but we don’t normally deal with it as it’s intended to be used by the BIOS.
CPU virtualization extensions are kind of similar to think about, but they’re completely distinct from the normal CPU ring levels. When you run a VM, the virtual CPU has its own ring levels, and the OS running in the virtual CPU is (theoretically) oblivious to the fact that it has been virtualized. Ring 0 running inside the virtual machine is the most privileged mode inside the virtual machine, but it is less privileged than the host.
I prefer to call it “modding” rather than cheating, because not all modding is done for the purpose of cheating. That aside, running in a VM might work. It would certainly be possible to patch code running inside the VM, but if the DRM were designed to detect the VM and stop working, it could require the title to be patched before it would work. And although this would be possible, if you’re going to have to patch the DRM anyways, I don’t know that there’s any technical benefit applying patches inside a VM instead of patching the game code directly…?
I’m not sure if today’s DRM is bothering to block the use of VMs, but such blocks could be coming in the future. Even so, it won’t be fail-proof as no DRM is permanent, although it might create new headaches. But the ultimate defense against the modding community is to implement more and more of a game’s functionality on the server side.