What’s the Deal With Anti-Cheat Software in Online Games?

Cheat deterrents like kernel drivers are raising legitimate privacy concerns. But it’s not all bad news.

IN THE PAST decade, big competitive online games, especially first-person shooters like Activision-Blizzard’s Call of Duty and Bungie’s Destiny 2, have had to massively scale up their operations to combat the booming business of cheat sellers. But an increasingly vocal subset of gamers is concerned that the software meant to detect and ban cheaters has become overly broad and invasive, posing a considerable threat to their privacy and system integrity.

At issue are kernel-level drivers, a relatively new escalation against cheat makers. The kernel itself—sometimes called “ring 0”—is a sequestered portion of a computer, where the core functionality of the machine runs. Software in this region includes the operating system, the drivers that talk to hardware—like keyboards, mice, and the video card—as well as software that requires high-level permissions, like antivirus suites. While faulty code executed in user mode—“ring 3,” where web browsers, word processors, and the rest of the software we use lives—results in that specific software crashing, an error in the kernel brings down the whole system, usually in the ubiquitous Blue Screen of Death. And because of that sequestration, user-mode software has very limited visibility into what’s happening in the kernel.

It’s not surprising, then, that some people have reservations. But the reality is that security engineers, especially those working to establish fairness in the hyper-competitive FPS genre, haven’t been given a lot of choice. Anti-cheat systems are heading to the kernel in part because that’s where the cheaters are.

“Back in the 2008 era, effectively no one was using kernel drivers, like maybe 5 percent of sophisticated cheat developers,” says Paul Chamberlain, a security engineer who has worked on anti-cheat systems for games like ValorantFortnite, and League of Legends. Chamberlain recalls seeing his first kernel-based game exploit—the infamous World of Warcraft Glider—at the Defcon security conference in 2007. “But by 2015 or so, pretty much all the sophisticated, organized cheat-selling organizations were using kernel drivers.” With the tools available, there wasn’t much anti-cheat software could do against aimbots and wallhacks that lived in the kernel. Around this same time, at a Steam developer conference, Aarni Rautava, an engineer with Easy Anti-Cheat—which would eventually be purchased by Epic Games—claimed the overall marketplace for cheats had grown to somewhere north of $100 million.

Still, games studies were, and often remain, cautious about implementing their own driver solutions. Working in the kernel is difficult—it’s more specialized and requires loads of quality assurance testing because the potential impact of bad code is so much more drastic—which leads to increased expense. “Even at Riot, nobody wanted us to make a driver. Internally, they were like, ‘Look, this is too risky,’” says Clint Sereday, another security engineer who worked on Vanguard, Valorant’s kernel-level anti-cheat system. “At the end of the day, they don’t want to have to put out a driver to protect their game if they don’t need to.” But in the hyper-competitive FPS space, especially a tactical shooter where a single headshot can mean instant death, cheats have an outsized impact that can quickly erode players’ trust. In the end, Riot seemingly calculated that any backlash a kernel solution produced (and there was plenty) was still preferable to being hamstrung from fighting cheaters on even ground.

But to many gamers, who pushed into the kernel first isn’t important. They worry that an anti-cheat kernel driver could secretly spy on them or create exploitable vulnerabilities in their PCs. As one Redditor put it: “I’ll live with cheaters. My privacy is more important than a freaking game.”

A kernel driver could certainly introduce some sort of vulnerability. But the chances that a hacker would target it are slim, at least for the vast majority of people. “You’re talking easily hundreds of thousands of dollars, perhaps millions, for an exploit like that if it’s going to be remotely executable,” says Adriel Desautels, founder of penetration testing company Netragard. “What attackers would rather spend their time and money on are things where they can hit one thing and get a lot of loot,” like other criminal hacks or malware attacks where huge troves of valuable data were stolen or held for ransom.

In most cases, hackers can get what they want without anywhere near that level of sophistication. As part of its penetration testing, Netragard simulates the work of ransomware groups, and “even when we’re delivering the most advanced level of that service, we don’t need to use attacks that go down that low. There’s never been a need or even an inkling of a need at that level,” Desautels says. The credit card information of the average Arma 3 player would absolutely never be worth the effort of a nation-state-level infiltration job. While kernel-level drivers do introduce potential risks, Desautels says, “if any of those things were to be realized in an effective and damaging manner, it would be really an extraordinary situation.”

And if that situation were ever to have occurred, it likely already would have in 2016, when Capcom pushed out a kernel driver for the PC version of Street Fighter V. “It had a vulnerability that let anyone load kernel code arbitrarily. So you could take the Capcom driver and then sideload your own code,” says Nemanja Mulasmajic, who did security for Valorant and Overwatch, which allowed users to bypass “all the signature checks and all the security features the Windows had built up.” An embarrassed Capcom reverted the code shortly thereafter. It might seem like this is even more evidence that kernel-level anti-cheats are huge vulnerabilities, and on one level they are, but most kernel drivers have similar vulnerabilities, and exploiting them requires technical skill and physical access to the computer with the driver installed.

A kernel driver leading to an external attack might be staggeringly unlikely, but many gamers worry that this software is designed, at least in part, to provide game companies themselves with unprecedented levels of access and information about users’ machines. Chamberlain contends there’s “no incentive” for anti-cheats to go on a “fishing expedition” for users’ personal information.

With tech companies accused of harvesting tranches of user data, anyone could be forgiven for harboring suspicions. For Desautels, once again, the issue is quickly contextualized by pure financial and reputational motives. “If [hackers] found that gaming companies were effectively carrying out acts of micro-espionage or stealing people’s information or whatever, they would write that up fast, that’d be great for their credibility,” he says. “That would be a treasure for them.” And to that end, some anti-cheats do offer significant bug bounties to the sort of gray hats who might be inclined to take this software apart.

The relative risk of programming in the kernel also tends to be an advantage for the privacy-minded. “Scans that look for cheats or scans that analyze game behavior, or anything that sends information back to the game developers’ servers, that will usually not be running in the kernel and not be active unless the game is active,” Chamberlain says. “The reason is that kernel programming is actually kind of difficult to do. And so you want to do as little of it as possible.” The driver primarily uses its god-like permissions to silo the game, preventing other processes from dropping in and tampering with the game state—less an all-seeing eye than a highly intimidating bouncer.

It’s worth recalling that non-kernel anti-cheats have been accused of these sorts of overreaches in the past. In 2005, Blizzard’s Warden was accused of harvesting raw user data; in 2014, Valve Anti-Cheat was called out for supposedly snooping on players’ web histories. Neither of these claims ended up holding water. More modern anti-cheat software, both kernel-level and otherwise, might look at a list of software installed on a machine, or what DLL files are being injected into the game, according to Chamberlain—things he believes the majority of users would not consider sensitive (although whether you want Riot or Activision Blizzard to know what you have installed on your PC is up to you). “Anti-cheat developers are trying to make these calls as to what is reasonable for them to look at. And they’re usually very conservative about what they check,” he says. But ultimately, as any developer will tell you, all software is a matter of trust. If you feel uncomfortable with a kind of program or a specific company, your best bet is to simply not install it, even if that means sitting out the latest big game.

Of course anti-cheat software isn’t without problems. In the past, it’s been known to cause issues loading other drivers, and in some cases it has even blocked drivers that tools like fan controllers and temperature monitors used to function. Like any anti-cheat, it sometimes registers false positives, suspending players who were playing fair. But typically these issues get resolved relatively quickly.

While game developers have been trying hard to build user trust in kernel drivers, earlier this year Microsoft seemingly lobbed a grenade into the discussion with a blog post for the forthcoming Halo Infinite. “Our anti-cheat philosophy is to make cheating more difficult in ways that don’t involve kernel drivers or background services … When people do cheat, we’re focused on catching them through their behavior and not from data that we’ve harvested from their machines,” security engineer Michael VanKuipers wrote. “It almost felt like a comment straight to us [the Vanguard team],” Chamberlain says of his former colleague. “Like, ‘Hey, we were building a kernel driver together, and then you went to Microsoft and now you’re like, definitely not building one.’”

As any developer will tell you, all software is a matter of trust. If you feel uncomfortable with a kind of program or a specific company, your best bet is to simply not install it, even if that means sitting out the latest big game.

VanKuipers and Microsoft declined to comment for this story, so it’s hard to know what they have up their sleeves or why they appear to be playing on these specific fears and doubts. “As an OS vendor, they have access to a lot of information that third parties don’t have, so we’ll see how effective it is for Halo,” Sereday says. The franchise has also almost entirely been released on console, where these types of cheats are significantly more difficult to develop, and vanishingly rare in practice. But one of Halo Infinite’s big selling points was that it would launch on console and PC simultaneously, and with crossplay between the platforms.

Tellingly, within days of launching, the Halo subreddit exploded with complaints about the absence of anti-cheat measures. “I’ve played Halo since day one of the original,” one user wrote, “There is always someone with a modded controller, or [several players] who come in as a group and troll instead of playing to the objective, but never have I EVER seen cheating on this scale.” More than a few gamers—and games publications—have strongly suggested making crossplay optional in order to insulate console players from the fairness issues endemic to PC play.

Whatever the case, kernel drivers (or the absence thereof) are only a piece of the puzzle that keeps multiplayer games fair. “Good security comes in layers,” Sereday says. Game design itself plays a big part in incentivizing positive behavior, while it can also make restarting a fresh character after a ban extra painful. Binary protection—which makes games more difficult to crack open, thereby limiting cheaters’ ability to reverse-engineer them—can act as a first line of defense. It’s something Sereday and Mulasmajic are embarking on in their new venture, Byfron.

Then there are detection methods, which look for what’s happening in the system state and decide if anything seems off. Machine learning makes sure players are acting like humans rather than bots. Device IDs make it harder for banned players to make new accounts with the same hardware. And the nuclear option—lawsuits—are employed to take down cheating rings when they’re discovered. These are only a few of the tools games companies have had to build to ensure some level of fairness in the modern age. But somehow kernel drivers have become both a buzzword and a boogeyman. 

Once a critical mass of players believes their losses stem from another person’s unfair advantage, trust is exceedingly difficult to recover. The same applies to preventative measures; the most elegant piece of code will still fail if consumers are reluctant to go along with it. If cheaters continue to escalate their tactics, security engineers may respond in kind, potentially with even more invasive systems. It ultimately comes down to balancing necessity, cost, risk, and perception.

“When we evaluate a new piece of anti-cheat technology, that’s kind of the criteria that we’re assessing,” Chamberlain says. “How are players and the public in general going to react to this idea? Like, are they comfortable with this tradeoff? Sometimes the answer is going to be no.”