Is Riot's New Anti-Cheat System, Riot Vanguard, Safe?
In 2023, Riot experienced a significant data breach that resulted in public exposure of the source code for both League of Legends and its anti-tamper software, Packman. This, alongside outdated anti-cheat software and a rise in botting and scripting, prompted them to use Vanguard as a more sophisticated security system. The macOS version of League of Legends would use an alternative method due to the operating system architecture being vastly different from what Vanguard supports.
In this article, we’ll dive deep into how Riot Vanguard works, why it has raised eyebrows within the gaming community, and whether the concerns surrounding its security are justified.
What is Vanguard?
Riot Vanguard is a two-part anti-cheat solution rolled out by Riot Games to defend its games from cheating software. It consists of a client-side application and a kernel-mode driver, which is where much of the controversy lies.
The client-side application works similarly to traditional anti-cheat programs. It monitors for suspicious behavior while a game is running, detecting unauthorized modifications or programs that could provide an unfair advantage. This is a fairly standard approach and exists in several competitive titles like Counter-Strike: Global Offensive or Fortnite.
The kernel-mode driver, however, operates at a much deeper level. Generally, any program that runs inside the kernel is referred to as a driver. So, in essence, Vanguard has the same privileges on your computer as a display or memory driver does.
Vanguard's History
When Vanguard launched together with Valorant in 2020, Riot Games decided to use Vanguard's on-boot position to prevent known signed-but-vulnerable drivers from loading at all. However, Riot was not aware of the extraordinarily specific hardware configurations that used bespoke but broken kernel drivers to send instructions to relatively obscure devices. In one infamous case, this included a driver responsible for keyboard lighting. Cheaters were unfortunately able to use this otherwise properly signed driver to load their own malware, allowing them to "look" like a clean Windows installation (with certificate verification still enabled) while still running kernel-level cheats. Because this driver was only for keyboard lighting and macros, Riot kept it deny-listed until the developers released a new one.
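The deny-list logic described above, as an added example in Python (this is not Riot's or Vanguard's code, and the driver names, versions, hashes and deny-list entries are constructed for illustration): a loaded-driver inventory is checked so that a valid signature alone is not enough to allow a driver. A name-based entry stays in force until the vendor's fixed version ships, and an exact-build hash entry catches a known-bad signed build even if the file is renamed.

```python
# Added example, not Riot's or Vanguard's code: a defender-side check that
# flags signed-but-vulnerable kernel drivers in a loaded-driver inventory.
# Driver names, versions, hashes and deny-list entries are all constructed.
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Driver:
    name: str
    version: Version
    signed: bool   # passed Windows code-signing verification
    sha256: str    # hash of the on-disk image


@dataclass(frozen=True)
class DenyEntry:
    fixed_in: Optional[Version]   # first safe version; None = no fix shipped yet
    reason: str


# Constructed: a keyboard-lighting driver stays denied until the vendor's
# fixed release (2.0.0); a second driver has no fixed release at all.
DENY_BY_NAME = {
    "kblight.sys": DenyEntry(fixed_in=(2, 0, 0), reason="arbitrary kernel write via IOCTL"),
    "oldtuner.sys": DenyEntry(fixed_in=None, reason="exposes physical memory to user mode"),
}

# Constructed: an exact-build entry catches a known-bad signed build even if
# the file is renamed, so it is checked before the name-based rules.
BAD_BUILD_HASH = hashlib.sha256(b"constructed kblight 1.4.2 image").hexdigest()
DENY_BY_HASH = {BAD_BUILD_HASH: "known-bad kblight.sys build"}


def parse_version(text: str) -> Version:
    major, minor, build = (int(part) for part in text.split("."))
    return (major, minor, build)


def verdict(driver: Driver) -> Tuple[str, str]:
    """Return ("allow" | "block", reason). A valid signature alone is not enough."""
    if not driver.signed:
        return "block", "signature verification failed"
    if driver.sha256 in DENY_BY_HASH:
        return "block", DENY_BY_HASH[driver.sha256]
    entry = DENY_BY_NAME.get(driver.name.lower())
    if entry is None:
        return "allow", "signed and not denylisted"
    if entry.fixed_in is not None and driver.version >= entry.fixed_in:
        return "allow", "signed; version %d.%d.%d is at or past the fixed release" % driver.version
    return "block", "signed but denylisted: " + entry.reason


def parse_inventory(text: str) -> List[Driver]:
    """Parse constructed 'name version signed|unsigned sha256' lines."""
    drivers = []
    for line in text.strip().splitlines():
        name, ver, signed, digest = line.split()
        drivers.append(Driver(name, parse_version(ver), signed == "signed", digest))
    return drivers


def scan(text: str) -> List[Tuple[str, Version, str, str]]:
    """Return (name, version, action, reason) for every driver in the inventory."""
    return [(d.name, d.version, *verdict(d)) for d in parse_inventory(text)]


# Constructed inventory in the line format parse_inventory expects.
SAMPLE_INVENTORY = "\n".join([
    f"kblight.sys  1.4.2  signed   {BAD_BUILD_HASH}",
    f"kblight.sys  2.1.0  signed   {hashlib.sha256(b'constructed kblight 2.1.0').hexdigest()}",
    f"oldtuner.sys 3.0.0  signed   {hashlib.sha256(b'constructed oldtuner').hexdigest()}",
    f"disk.sys     10.0.1 signed   {hashlib.sha256(b'constructed disk.sys').hexdigest()}",
    f"homebrew.sys 0.1.0  unsigned {hashlib.sha256(b'constructed homebrew').hexdigest()}",
])

if __name__ == "__main__":
    for name, version, action, reason in scan(SAMPLE_INVENTORY):
        print(f"{action:5} {name:13} {'.'.join(map(str, version)):7} {reason}")
```

Running the block prints one line per driver: the 1.4.2 build of the lighting driver is blocked by hash, the 2.1.0 build is allowed because it is at or past the fixed release, the driver with no fix is blocked regardless of version, and the unsigned driver never reaches the deny-list at all.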
With the old anti-tamper software, Packman, on its last legs, Vanguard was released globally for League of Legends in patch V14.9. In the week following Vanguard's launch, fewer than 0.03% of active players reported issues, predominantly common errors resolvable through player support or troubleshooting.
Ring0 Privileges: The Core of the Controversy
What is the Kernel?
In a computer, the kernel is the core software of the operating system. It handles all the fundamental operations, like managing memory, processing tasks, and communicating between your hardware (like your keyboard, mouse, and monitor) and software (like your games and applications).
The kernel operates at the DEEPEST level of your system and has complete control over anything happening in your computer. It decides which programs get resources, serves as a bridge between software and hardware using drivers, and controls essential security measures.
There exists a concept of "Ring protection levels". Their purpose is to define a hierarchy of access levels in your system. Your everyday apps and games run at Ring3 (least privileged, safest for your system). Vanguard, by contrast, runs at Ring0, the most privileged level. If you've ever heard some stable genius hit you with a "lol my cheat is ring 0 undetected," this is what they were referring to right before they were banned.
Risks of Kernel-level Programs
Kernel-level software operates with the highest level of privilege on your computer - it can do things that even you can't do. So far we have only covered how incredibly privileged this software is on your machine; now let's talk about what could go wrong.
- Security Vulnerabilities: The most concerning risk is security. When a program operates at the kernel level, ANY vulnerability in that program is a vulnerability in your computer. If exploited, such vulnerabilities can lead to serious security breaches. In the case of Vanguard, any flaw in its design could be exploited by malicious entities to gain deep access to your system.
Have you ever wondered how viruses "nest" themselves into a system? By exploiting a driver developer's mistakes, malware can leverage the vulnerable driver to load itself into the kernel and bring chaos. One might say that the god-level developers at Riot cannot produce a vulnerable driver, but know this: bugs are a fact of life, and the more complex your driver is, the higher the chance of the developer making a mistake. That chance is never zero, not even close. This, however, goes for any driver installed on your computer at all. The question is really one of the quality of Riot Games' developers.
- System Stability: Kernel-level software has the power to make changes that affect the entire system's stability. Ever wondered why you get a "bluescreen"? Well, there you go! When an issue occurs inside kernel-level software, it doesn't just crash - it takes the whole system with it, potentially corrupting it before the next boot. This can be caused by a simple mistake by the driver's developer, which means that introducing unneeded kernel software into your system increases the chance of instability. In contrast, when a user-level application crashes, you just restart it, without threatening your whole system's stability.
- Privacy Concerns: Privacy is another area of concern. Kernel-level access means the software could theoretically monitor all activities on the computer at all times, with full permissions and privileges, without asking any questions or even informing you in any way. And rightly so, the entire point of an anti-cheat is monitoring what you're running while the game is running.
- The Contrast with User-Level Software: Normally, your everyday software like games, Discord, or whatever, operates at a much more restricted level, which we can call user-mode. User-mode software runs in its own virtual address space and has to ask the OS before doing anything outside it. Whenever there is a malfunction, it is limited to that specific program and that specific region of memory, unlike kernel-mode software, where the entire system collapses.
What is User-Mode?
It describes a privilege level within an operating system, specifically the most restrictive tier software can run at. Your web browser, your legitimate copy of WinRAR, and your favorite games all run in user-mode. Within it, an application cannot directly "see outside" of itself; instead, code must generally rely on the OS's native APIs to read or write memory that is not within its own process.
Essentially, rather than a program being able to interact with things in the memory of other programs, it must rely on the OS's functions to communicate to other programs.
In the last few years, cheat developers have started to leverage vulnerabilities or corrupt Windows' signing verification to run their applications (or portions of them) at the kernel level. The problem here arises from the fact that code executing in kernel-mode can hook the very system calls League would rely on to retrieve data, modifying the results to appear legitimate in a way League cannot detect, by design of how Windows works. There is even specialized hardware that uses DMA (direct memory access) to read and process system memory, a vector that, done perfectly, could be completely undetectable from user-mode.
Now, while most players might find the idea of a corrupted Windows installation objectionable, a disturbing number of cheaters have shown themselves to be downright enthusiastic about the opportunity to jump onto some guy’s botnet in exchange for the ability to orbwalk. So, most cheats run at a higher privilege level than the previous user-mode anti-cheat did.
Vanguard’s Standalone Features
Environment Security
Where Vanguard starts to further distinguish itself from other anti-cheats is in its enforcement of security standards even further to the left of the game client: on the operating system itself. Several of these requirements aren't totally frictionless, but they put many hurdles in the way of those who want to distribute cheats successfully. For this reason, the anti-cheat team is constantly having to make tradeoffs between the security of the game and the ease with which players can access it.
TPM 2.0
LoL x Vanguard comes with a TPM 2.0 requirement, and while Microsoft originally intended to require one for all new Windows 11 installations, their actual implementation of this enforcement was relatively weak and easily bypassable. Riot took them up on their original offer and instead elected to enforce it themselves. So, a select few Windows 11 users may find their ability to play League is impacted, especially if they modified registry keys to bypass this requirement.
TPM stands for "Trusted Platform Module," and Vanguard requires it for two reasons. The first is that it adds security to certificate signing validation (something Vanguard relies on to know whether other software can be trusted); the second, and more important, is that it acts as an extremely non-fungible form of hardware ID. If it's on and working, it can pretty much be assumed you don't intend to cheat, because if you did, Riot could easily just deny the hardware the next time you run the game. Since it's incredibly hard to change the TPM hardware ID, Vanguard can simply refuse to connect if your chip is on the cheater list.
Dispelling Myths
Despite its intended purpose of maintaining fair gameplay and deterring cheating, Vanguard's implementation and functionality have raised concerns amongst the player base. The Head of Anti-Cheat, Phillip 'MirageOfPenguins' Koskinas, tried to shed light on some of the concerns the community has had about the incorporation of Vanguard.
- Vanguard doesn't give Riot Games any surveillance capabilities they didn't already have. If they wanted to install a keylogger, spyware or a crypto miner, these things can all be done without Ring0 privileges, while inside a user-mode application.
- Anti-cheat drivers are not new, and Riot Games did not invent them. Several third-party anti-cheat systems, like EasyAntiCheat, BattlEye, Xigncode3 and PunkBuster, already use a kernel driver in the exact same way. Games that already use this technology include Apex Legends, ArcheAge, Arma 3, virtually all Call of Duty titles, Dead by Daylight, Helldivers, Genshin Impact, Fortnite, PUBG, Overwatch 2, Smite, Rust, War Thunder, and many, MANY more.
- Riot Games has put up bug bounties for Vanguard. To reinforce their commitment to security, Riot Games runs a bug bounty program for the anti-cheat, offering significant rewards, up to $100,000, for anyone who can demonstrate practical exploits leveraging the Vanguard kernel driver.
- Vanguard is COMPLETELY open-source. This means the entirety of the code is public for anybody to see, dissect, review and possibly contribute to. The uncompiled source code is here, which you can download completely for free.
- Vanguard itself has no connectivity to a server. It primarily conducts preventative checks upon booting to ensure Windows is in a trusted state. Once a game is launched, Vanguard merely confirms system integrity for gameplay and sends the results directly to the League client, without transmitting files back to Riot servers. Koskinas asserts that data collection is kept to a minimum, with strict retention limits and a focus on shipping queries to clients that get binary responses (true or false).
- Tencent is completely disconnected from Vanguard's development. A common concern is the perception of Riot's ties to its parent company, Tencent, headquartered in China. Many players worry that, because Tencent operates within the People's Republic of China, Riot Games is subject to the National Intelligence Law of China. This law states that, where the Chinese government finds it necessary for national security, it can compel businesses registered or operating in the People's Republic of China to divulge data, regardless of which country that data came from, and to do so clandestinely.
Koskinas clarified that Tencent does not have access to Vanguard and highlighted the minimal interaction between the two companies. Tencent does not use Vanguard in China, mainly because they have different problems to solve. They instead use Tencent's own anti-cheat, ACE. Their attack surface is huge, and they still have to support Windows 7, an operating system not supported by Riot Vanguard.
- Vanguard cannot alter BIOS settings. Some niche bug involved users' BIOS settings, which some rumors claimed were changed by Vanguard. Users are responsible for configuring BIOS settings as needed. Programs that are able to do this are usually incredibly secure, rare and specialized. Examples include things like utility tools for specific motherboards, such as ASUS. A tool like this has to be tailor-made for each specific motherboard, though. It'd be impossible to create a program that's authorized to change BIOS settings on such a wide array of motherboards and BIOS versions.
For instance, one player had inadvertently enabled SecureBoot with a highly customized configuration. While Vanguard utilizes SecureBoot for Valorant, it is not employed for League due to potential compatibility issues with older hardware, which was a key factor in the delayed launch.
- Vanguard is not really "running all the time." The driver loads at boot, but nothing is making calls to it, and there's no network connectivity until you run one of Riot's games. It's literally just sitting there (menacingly), so that it can attest to the fact that nothing's happened between Windows loading and the game starting that would break the operating system.
- When you launch League, the Vanguard client contacts the driver to confirm that it thinks everything is 100%, and if so, you receive a valid anti-cheat session and may connect to the game server. Instructions from the client then start enabling features within the driver to watch for things that might tamper with the signed League process and prevent them. You can always disable the driver whenever you'd like; you'll just need a fresh reboot to "recertify" the integrity of the trust chain before you jump into game.
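The boot-to-launch trust chain described in the last two points, as an added example in Python (a model written for this article, not Riot's or Vanguard's code; the event names and what counts as "untrusted" are constructed): the driver-side state exists from boot onward and does nothing until a game asks; every kernel event since boot extends a hash-chained measurement; the answer at game launch is a plain yes/no; and once an unsigned or deny-listed driver has been seen, or the driver has been switched off, nothing short of a reboot clears that state.

```python
# Added example, not Riot's or Vanguard's code: a model of the boot-to-launch
# trust chain. The driver keeps a running measurement of kernel events since
# boot, the game-launch check returns a binary answer, and once anything
# untrusted has been seen only a reboot clears it. Event names and the
# definition of "untrusted" are constructed for the model.
import hashlib
from typing import List, Tuple

BOOT_MEASUREMENT = hashlib.sha256(b"constructed: clean boot").hexdigest()


class BootTrustChain:
    """Driver-side state that exists from boot onward, idle until a game asks."""

    def __init__(self) -> None:
        self.reboot()

    def reboot(self) -> None:
        """A fresh boot starts a new measurement with no recorded taint."""
        self.measurement = BOOT_MEASUREMENT
        self.taints: List[str] = []
        self.driver_active = True

    def _extend(self, event: str) -> None:
        # Hash-chain every event so the measurement depends on the full history.
        self.measurement = hashlib.sha256((self.measurement + "|" + event).encode()).hexdigest()

    def record_load(self, driver: str, signed: bool, denylisted: bool = False) -> None:
        """A kernel driver load observed since boot."""
        self._extend(f"load:{driver}:{signed}:{denylisted}")
        if not signed:
            self.taints.append(f"{driver} loaded without a valid signature")
        elif denylisted:
            self.taints.append(f"{driver} is signed but deny-listed")

    def disable_driver(self) -> None:
        """The user turned the driver off: coverage has a gap until the next boot."""
        self.driver_active = False
        self.taints.append("monitoring gap since boot")

    def attest(self) -> Tuple[bool, str]:
        """What the driver answers at game launch: a yes/no plus the measurement."""
        return (self.driver_active and not self.taints), self.measurement


def request_session(chain: BootTrustChain) -> Tuple[bool, str]:
    """Client side: ask the driver, then issue a session or demand a reboot."""
    ok, _ = chain.attest()
    if ok:
        return True, "anti-cheat session issued; driver features enabled for this game"
    return False, "integrity not certified since boot; reboot required"


if __name__ == "__main__":
    chain = BootTrustChain()
    chain.record_load("disk.sys", signed=True)
    print(request_session(chain))
    chain.record_load("homebrew.sys", signed=False)   # taints the chain
    print(request_session(chain))
    chain.record_load("disk.sys", signed=True)        # later clean loads don't help
    print(request_session(chain))
    chain.reboot()                                    # only a reboot recertifies
    print(request_session(chain))
```

The point the model makes is that the answer is about continuous coverage since boot rather than a point-in-time scan: a clean load after a tainting event does not restore trust, and a measurement that has diverged from a clean boot stays diverged until the next boot.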
Vanguard's Limitations
Vanguard operates at the kernel level, allowing it to identify cheat software that also functions at this level or lower, which encompasses most cheats. However, some cheats may operate with elevated privileges, which can enable them to avoid detection.
For instance, DMA-based cheats can access system memory directly, circumventing standard detection methods that monitor external processes. Likewise, scripts made with AutoHotkey and pixel bots can automate gameplay actions in a way that closely resembles human behavior, enabling them to bypass Vanguard.
Similarly, external or hardware methods of cheating, such as modified mice or cheat-specific devices, can completely evade software detection. As cheating techniques continue to evolve, it raises the question of whether a kernel-level anti-cheat driver like Vanguard can effectively counter the occasional kernel-level cheat. This challenge is common across all competitive gaming environments.
Riot Games has faced difficulties in addressing the changing landscape of cheating techniques. Koskinas pointed out DMA-based cheats, which often use external hardware to subtly inject cheat code into gaming systems. Nick 'Everdox' Peterson has dedicated nearly six years to researching this technology, and his knowledge has helped Riot stay ahead of the most significant threats.
Player’s Perspective: Safety vs. Security
For many players, the question of whether Riot Vanguard is safe comes down to balancing privacy and security with the need for a fair, cheat-free gaming environment. The majority of Valorant players seem to have fared just fine during the earlier versions of Vanguard.
However, there remains a vocal group of players who are uncomfortable with the idea of kernel-mode access, no matter how necessary it may be for stopping cheats. They argue that the risks, while minimal, are still present, and that the gaming industry should focus on developing anti-cheat systems that don’t require such deep-level access to users’ computers. This is a universal issue for all anti-cheat software.
Conclusion
From a technical standpoint, the anti-cheat team has gone to great lengths to ensure that Vanguard doesn’t compromise users' security or privacy. Their bug bounty program and transparency efforts help reinforce their commitment to a safe anti-cheat solution. However, ANY kernel-mode driver inherently carries risks, and it’s up to individual users to decide whether they trust developers to manage these risks responsibly.
For now, Riot Vanguard appears to be incredibly effective at stopping cheaters, while maintaining transparency and keeping the program open-source. There’s still a possibility for a time where Riot Games could choose to go for less transparent solutions, but as of 2024, Vanguard remains more transparent and stable than most other anti-cheat systems like PunkBuster or EasyAntiCheat.