Riot Vanguard – Myths and Mysteries
Anti-cheat software is par for the course nowadays – a necessary evil to keep the experience enjoyable for everyone. In order to work though, these programs often need some pretty comprehensive permissions in your operating system– and not everyone is happy with that. One such example is Riot Vanguard. Epically named, just like Valorant – the game it’s supposed to protect. The kernel-level rootkit, system threatening, all seeing meme stealing software has been the talk of the day.
Riot pledges it’s all towards maintaining a healthy gaming experience, yet fans (later on this) weren’t too impressed with the service.
What is the mysterious ‘kernel-level’?
At the kernel level a program has complete control over everything in the system. Kernel level is the lowest or highest (depends on which side you look at it) operating level of your system. It’s usually reserved for processes that deal with how your hardware interfaces with your system, how memory is allocated, device drivers operations and etc. Explained in the most layman way possible..
When we talk about Windows, not even Antivirus software work at this level. Operating this deep into the system is more of a liability then a necessity. Additionally, 99% of the threats to your computer are not loaded at this level. In fact, almost everything that runs on your system, software, applications, viruses, antiviruses, cheat software, your Valorant game operate at the user level. The only thing that goes that deep is potentially a rootkit specifically designed to operate in the “mystery realm”.
Riot probably wants their Vanguard working at this level so it can monitor the drivers. Cheaters and “hackers” find it easiest to mask their software by putting their code into device drivers or software that manages their devices like peripherals or fans. Operating at this level would run at system startup and give an option to detect threats preemptively.
What is a rootkit?
We’ve heard this term in movies featuring hackers spewing computer lingo. The Wikipedia description is apt: “A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software”. If you have a rootkit you’d want it operating at the highest level in a system you want to compromise.
Now this is where the debate gets messy. First, Riot’s Vanguard serves as a rootkit for Riot Games. They have kernel level software installed on your system with full access to your “stuff”. This would mean if Riot ever turns into Skynet they have complete access of your system and can easily access your unfiltered Instagram photos and unpublished memes.
The other side of the debate is the vulnerability of Riot Vanguard. They already have a software that players are willingly installing on their system. What if someone (not Riot) intentionally tampers with it for their own gain, then compromises a Riot Vanguard update on people’s systems? It would instantly give access to millions of users to someone nefarious.
SomeOrdinaryGamers was among the first wave of Youtubers to warn players about it:
How vulnerable is Riot Vanguard?
In the words of Paul Chamberlain, Riot’s anti-cheat lead; “We don’t expect that any protection will remain unbreached forever, but Vanguard’s protections are strong, and as cheat developers’ tactics evolve, so will ours.”
In other words, they are expecting to come across incidents sooner or later – hopefully, later. The announcement came amidst a series of other statements, assuring users just how safe it is. Developers working on the project assured users that their data would not be at risk.
Whether this is true remains to be seen – skeptics were quick to point out that they were protesting far too much… and that the very idea of kernel-drivers was utterly unacceptable. Some even suggested sinister interests – for example, that Riot themselves might want access to as much user data as possible.
Riot even went as far as awarding bounties to anyone that finds a vulnerability to their game. One cannot forget Sony had their own rookit installing adventure back in 2005 that caused a heck of headache. Will Riot learn a hard lesson remains to be seen.
Is kernel-level needed for Riot Vanguard & Valorant?
The simple answer is no, absolutely not. It was a choice Riot made deliberately – many other, well-functioning anti-cheat programs do not rely on the use of this deep level of operation, and this one doesn’t need to either. The approach Riot is taking here is highly unorthodox.
Another thing to consider – the software will be always on. After installing it, it will run whether you are playing the game or not, and it will start as soon as your computer powers on. That’s another thing that’s bothering fans – there isn’t a lot of possible justification for why it needs to be running permanently, even if the user isn’t playing the game.
Perhaps in a misguided attempt to reassure users that everything was fine, Riot released a highly questionable blog post about the topic you can read here. Though likely intended to be humorous, to us it reads as condescending and callous.
In the post, an anti-cheat engineer first explains what kernel access is, then proceeds to summarily dismiss and mock potential player concerns on the matter. Despite a casual reference to the possibility of a corrupted Windows system, the writer of the post jokes about the fact that worrying about these new issues might cause stress-related hair loss… and then justifies the new driver by explaining that it wouldn’t give them access to anything they can’t access anyway and that if they wanted to get sensitive user info and data, they already could.
Another thing making users nervous about this is the fact that Riot is offering a bug bounty program that is targeting two areas – unauthorized access to sensitive data, and high-level exploits that allow a user to run unauthorized code by using the driver. The latter could potentially be used to give a hacker access to a computer – a significant risk.
Problems so far
Although Valorant isn’t widely available just yet, players who already have access have been reporting issues already. One already patched problem saw Vanguard blocking drivers from hardware manufacturers that were in charge of cooling the computer via fans, etc.
As of yet unfixed issues include incidents like blue screens of death, a player losing control of their computer and having to reboot in safe mode, and the program disabling the use of MSI Afterburner (a temperature monitoring program used to make sure the PC is adequately cooled).
You have people cheating all over in almost every match, but you block my legit stuff.. classic RIOT!!!
Punish the legit players that say "don't feed on purpose please" and allow the griefers to run rampant in LOL, Valorant is just a continuation? pic.twitter.com/J5D4RRwljI
— PharticusMaximus (@ThePharticusMax) May 7, 2020
In reaction to all these issues, many current players have already started to uninstall the game again, especially given that some players reported that the software was causing their computers to start without any cooling whatsoever – fans not coming to life, and water pumps not pumping.
In an attempt to pacify users, Riot released a patch to the service – allowing users to uninstall the driver if they aren’t playing the game, or to disable it at least. Of course, if they want to play the game after uninstalling or disabling it, they need to either reinstall and reboot the computer or just reboot it – either way, highly invasive and disruptive.
Suffice it to say a lot of gamers are concerned over this, and many potential players are vowing not to touch the game while Vanguard works like this – that is to say, doesn’t really work at all, or at least not reliably and safely.