In the past decade, major competitive online games, especially first-person shooters like Activision-Blizzard’s Call of Duty and Bungie’s Destiny 2, have had to massively expand their operations to combat the booming business of cheat sellers. But an increasingly vocal subset of gamers is concerned that software designed to detect and ban cheaters has become too broad and invasive, posing a significant threat to their privacy and the integrity of their systems.
At issue are kernel-level drivers, a relatively new escalation against cheaters. The kernel itself, sometimes called “ring 0,” is an isolated part of a computer where the main functionality of the machine is performed. The software in this region includes the operating system, the drivers that communicate with the hardware (such as keyboards, mice, and video cards), and software that requires high-level permissions, such as antivirus packages. While errant code executed in user mode (“ring 3,” where web browsers, word processors, and the rest of the software we use lives) causes only that specific software to crash, a kernel bug brings down the entire system, usually in the ubiquitous blue screen of death. And because of this sequestration, user-mode software has very limited visibility into what’s going on in the kernel.
It’s no surprise, then, that some people have reservations. But the reality is that security engineers, especially those working to bring justice to the ultra-competitive FPS genre, haven’t had much of a choice. Anti-cheat systems target the kernel in part because that’s where the cheaters are.
“In the era of 2008 virtually no one was using kernel drivers, like maybe 5 percent of sophisticated cheat developers,” says Paul Chamberlain, a security engineer who has worked on anti-cheat systems for games such as Valorant, Fortnite, and League of Legends. Chamberlain remembers seeing his first kernel-based game exploit, the infamous World of Warcraft Glider, at the 2007 Defcon security conference. “But by 2015 or so, almost all sophisticated, organized cheat-selling organizations used kernel drivers.” With the tools available, there wasn’t much anti-cheat software could do against aimbots and wallhacks that lived in the kernel. Around the same time, at a Steam developer conference, Aarni Rautava, an engineer with Easy Anti-Cheat — which would eventually be bought by Epic Games — said the overall cheat market had grown to somewhere north of $100 million.
Still, game studios were, and often remain, cautious about implementing proprietary driver solutions. Working in the kernel is hard: it’s more specialized and requires a lot of quality assurance testing, because the potential impact of bad code is much more drastic, and that leads to increased costs. “Even at Riot, no one wanted us to make a driver. Internally, they said to themselves, ‘Look, this is too risky,’” says Clint Sereday, another security engineer who worked on Vanguard, Valorant’s kernel-level anti-cheat system. “At the end of the day, they don’t want to release a driver to protect their game if they don’t have to.” But in the ultra-competitive FPS space, especially in tactical shooters, where a single headshot can mean instant death, cheating has an outsized impact that can quickly erode player confidence. In the end, Riot seemingly figured that any backlash produced by a kernel-level solution (and there was a lot) was still preferable to being unable to fight cheaters on an equal footing.
But for many gamers, who pushed into the kernel first is not important. They worry that an anti-cheat kernel driver could secretly spy on them or create exploitable vulnerabilities in their computers. As one Redditor said, “I’ll live with cheaters. My privacy is more important than the fucking game.”
A kernel driver could certainly introduce some kind of vulnerability. But the chances of a hacker targeting it are slim, at least for most people. “You can easily be talking hundreds of thousands of dollars, maybe millions, for an exploit like this if it’s going to be remotely executable,” says Adriel Desautels, founder of penetration testing company Netragard. “What attackers would rather spend their time and money on are things where they can hit one thing and get a lot of loot,” such as other criminal hacks or malware attacks in which massive amounts of valuable data are stolen or held for ransom.