Alright… this isn't exactly “breaking news” per se… but I believe it's an important topic… and it comes with some very real words of warning to anyone who participates in… pretty much ANY mainstream PC gaming.
Let's begin with context. “Anti-cheat”... by and large… is a beneficial and necessary part of online video games. Setting aside a fair bit of controversy with regards to the invasive nature of how some of the software operates… or how it affects individual performance… “anti-cheat” as a general premise is just… flat out necessary.
Think about… any first person shooter… and consider the fact that even a SMALL percentage of players who are able to circumvent game systems… and cheat… will ultimately ruin the experience for everyone. It's actually a very interesting tangent of research. Riot Games is the company best known for looking into how a splinter set of players can legitimately destroy an entire community… which revolves around the idea that even 5% of players deliberately ruining a match or cheating… when matches contain 10 players total… will mean that statistically (on average)... half of your games contain some sort of unfair circumstance… and 25% of your games contain someone either throwing the game on your team… or someone CHEATING on the enemy team.
Big picture here… even just 2 - 3% of a player base deciding to utilize third party cheat systems… can totally destroy the future of an online game. Thus… with that in mind… “anti-cheat” as a general premise… is quite obviously required.
Good in theory… necessary in reality… and supposedly a positive impact overall… anti-cheat is something we see in… pretty much every single online video game. Sure, there are exceptions… and of course not all anti-cheat is equivalent… but software designed to prevent hackers from tampering with in-game code is an industry staple.
HOWEVER. What if that industry staple… was dangerous? What if… instead of protecting you… anti-cheat software was actually compromising your security… and allowing hackers to infect you with ransomware? What if the “security” measures that modern video games employ… were more dangerous by themselves than anything they might have prevented… and what if this was a widespread danger? Obviously that's a LITTLE BIT hyperbolic… but the point stands… and I'll explain precisely how.
Key word: “kernel”… what is “kernel level access”... what does “kernel” even mean… and why does it matter? The “kernel” of an operating system… is basically the nucleus. It's the first step up from the physical hardware… and manages what can be viewed as the most basic, essential operations on a personal computer. A kernel is effectively the first program loaded on startup, and the last program closed on shutdown. It's basically an interface between user applications… and hardware… which means (in no uncertain terms)... it has TOTAL control of your computer… AKA… full access to every resource and process.
This is … universally true. I don’t mean that I have the best “technical” definition possible… I just mean that kernel level access is … the deepest and most powerful access you can possibly have to an operating system.
Why does it matter? Simple. It matters because more and more anti-cheat systems in video games… are operating in ring 0… with kernel level privileges. This means that the anti-cheat (in an effort to monitor your system for third party software, hacks, and cheats)... descends into the depths of your computer, with absolute authority… and makes determinations about what should and should not function in the video game.
Theoretically… this is a good thing. In a perfect world, where security flaws and exploits don't exist… this could prevent all hacking on a local system and preserve game integrity… without risk to the user's personal security… but we don't live in a perfect world. Enter… Genshin Impact. Genshin Impact is a game that I do not respect… nor enjoy. It's wildly popular… I understand why that is true… but I hate the game as a result of its gacha format… balancing… time-gating… and overall gameplay. Personal preference… nothing more… like I said it's wildly popular and I understand why that is… but Genshin Impact is also much more than just a video game.
Utilizing in-house, proprietary anti-cheat… Genshin Impact operates with ring 0… kernel level access privileges. To combat third party modification software… Mihoyo (the developer of Genshin Impact)... uses an anti-cheat driver called mhyprot2.sys… (I assume this means “Mihoyo protection 2 . system”… or something similar).
Here's the thing… in 2020 Mihoyo faced a bit of controversy… because their anti-cheat systems… (with kernel level access)... were automatically running in the background… and would persist… even when the game had been closed. This was especially troubling when you consider the fact that Mihoyo is a company from mainland China… and that Chinese CCP governmental orders (and special intelligence laws) have stated that any and all information from technology companies can be viewed or used by state run intelligence services at their full and sole discretion.
Basically… if the CCP wanted… they could unilaterally gain full access to Mihoyo's files… and that means that they could have control of (or at least all information from) a kernel level piece of software on tens of millions of computers worldwide. Obviously that's a reductive way of describing all this… but still… pretty scary.
By itself… that's already a credible reason to be skeptical of anti-cheat software operating with kernel level access… at least for this game in particular… but there's more. It turns out that HUNDREDS of games… through various different anti-cheat programs… operate at a kernel level… including many of the most popular games on earth. The primary culprit (as if we needed any MORE reasons to dislike Epic Games)... is “Easy Anti-Cheat”... which can be found in over 140 different games… with a total number above 250 when you account for other anti-cheat software, from different publishers.
That's a tremendous number of games… requiring the MOST privileged access to your system that can be given… and as I went through looking at this topic… I had to make special mention of this… because it seems like once in a while, on occasion… there is a big controversy for one SPECIFIC game… lamenting the fact that kernel level access is being used by the Anti-cheat… but very little is ever said about the literal HUNDREDS of other popular titles that also have it.
Example… after Doom Eternal announced that it would use kernel level Denuvo anti-cheat… there was a MASSIVE amount of backlash. Admittedly… this also had to do with the DRM measures that Denuvo contained as well… which affected game performance… but a significant component of this backlash… was against kernel level access for the game's anti-cheat… so much so in fact… that Bethesda eventually backtracked… and removed it.
I find this… funny… because as justified as that is… and was… why is this outrage so obviously selective? One game will make media headlines for a week over the pushback against this type of security intrusion… while other, more popular… even larger games… containing the EXACT SAME type of access… never see the same kind of exposure. It's odd… and I don't really understand why.
Regardless… hundreds of high profile games contain kernel level anti-cheat… and with that access comes the risk of vulnerability. Some creators (and security professionals) have been warning about this for years… stating that the risks far outweigh the benefits. In my own experience (having extensively scoured a number of third party hacking forums for a couple of video topics about a year ago)... it is readily apparent that there are plenty of hacks that already bypass anti-cheat software with kernel level access… rendering it effectively obsolete anyway when compared to other, less invasive options… but the primary concern here is that anti-cheat operating at ring 0… can be a vehicle for malicious actors.
That is PRECISELY what has now happened… with Genshin Impact. Keep in mind… anti-cheat software is not something that has been integrated for your “safety”... it's a program that has been integrated by game developers (not security experts) to preserve the integrity of their in-game economy… or prevent player base decline as a result of unfair matches. This is for the security of the “game”... not for the security of your MACHINE… and that is a key fact of the matter to understand going forward.
In August of 2022… as identified by Trend Micro… Genshin Impact's ring 0 anti-cheat… was being used by third party hackers… as a ransomware vehicle. Without getting too technical here… the anti-cheat driver of Genshin Impact was exploited by malware… to infiltrate, and shut down the local anti-virus protections… which made complete control of an infected system possible.
Users who installed Genshin Impact… even if they themselves were not administrators… or technically inclined… were also installing the “anti-cheat”... which would descend into their system… and become an exploitable rabbit-hole where attackers could get access to their machine… at a level… that they as a “user” didn't even have access to… all because of the video game itself.
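An added detection sketch for the abuse pattern just described, written from the defender's side; it is not code from this post, from Trend Micro, or from the game's developer. It correlates constructed driver-load and process-kill telemetry and flags mhyprot2.sys being loaded by anything other than the game, or a loader of that driver terminating security software shortly afterwards. The event format, the expected loader name GenshinImpact.exe and the security process names are assumptions made for the example.

```python
# Toy correlation detector for "vulnerable anti-cheat driver loaded, then
# security software killed".  All telemetry below is CONSTRUCTED sample data
# in an invented format: ts|host|event|process|detail
SAMPLE_LOG = """\
100|pc-01|driver_load|GenshinImpact.exe|mhyprot2.sys
160|pc-01|process_exit|GenshinImpact.exe|normal shutdown
400|pc-02|driver_load|svc_update.exe|mhyprot2.sys
401|pc-02|process_kill|svc_update.exe|MsMpEng.exe
402|pc-02|process_kill|svc_update.exe|ekrn.exe
500|pc-03|process_kill|taskmgr.exe|ekrn.exe
"""

VULN_DRIVER = "mhyprot2.sys"                  # driver named on the page
EXPECTED_LOADER = "genshinimpact.exe"         # assumption: the game's own process
SECURITY_PROCS = {"msmpeng.exe", "ekrn.exe"}  # sample AV service names (Defender, ESET)
WINDOW = 300                                  # seconds between load and kill to correlate


def parse(log):
    """Yield (ts, host, event, process, detail) with names lower-cased."""
    for line in log.strip().splitlines():
        ts, host, event, proc, detail = line.split("|")
        yield int(ts), host, event, proc.lower(), detail.lower()


def detect(log):
    """Return a list of (host, rule, subject) findings over the telemetry."""
    findings = []
    last_load = {}  # (host, process) -> timestamp of the vulnerable driver load
    for ts, host, event, proc, detail in parse(log):
        if event == "driver_load" and detail == VULN_DRIVER:
            last_load[(host, proc)] = ts
            # Rule 1: the driver should only ever be brought in by the game.
            if proc != EXPECTED_LOADER:
                findings.append((host, "unexpected_loader", proc))
        elif event == "process_kill" and detail in SECURITY_PROCS:
            # Rule 2: a process that loaded the driver and then kills AV is
            # the page's ransomware pattern, whoever the loader was.
            t0 = last_load.get((host, proc))
            if t0 is not None and ts - t0 <= WINDOW:
                findings.append((host, "av_kill_after_vuln_driver", detail))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Host pc-01 (the game loading its own driver) produces nothing; pc-03 kills an AV process without ever loading the driver, so it is left to other rules.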
Another example? The ESEA (the “Esports Entertainment Association”) had “anti-cheat” client software… that members could download. This was as far back as 2013… and that “anti-cheat” (through elevated and privileged access) was actually a mechanism to deploy and execute a massive bitcoin mining botnet. It's unclear precisely how many machines were infected… but the crucial thing to remember is that “anti-cheat” software is not actually PROTECTING you… it is simply protecting the intended format of in-game operations. You? Your system? Yeah… anti-cheat makes you MORE vulnerable… not less.
There are free hacks on GitHub to exploit Genshin Impact's proprietary anti-cheat… but for those still skeptical… who expect more examples in order to support my initial (admittedly hyperbolic) statements… how about this. PunkBuster… (the second most prominent kernel level anti-cheat software behind Easy)... has a SIGNIFICANT number of vulnerabilities… outlined by dedicated Battlefield community members. This anti-cheat software can be used to execute remote attacks… and it can be found in DOZENS of high profile video games.
There are SOME examples of anti-cheat software… operating with kernel level access… that seem to be functioning as intended… and are not widely exploited… but the option for them to be used in such a way will always exist. Right now, it's Genshin Impact (they may have fixed or patched the issue by now, since I initially looked at this and wrote my script… but the point stands)... which had an estimated 60 MILLION monthly active players as of August 2022.
If an exploit were to be uncovered for Easy Anti-Cheat? That's hundreds of millions of players collectively who would be vulnerable… and all because there is an effort by developers to prevent sophisticated third party cheat programs. They already LOST that battle… I can say this from a position of certainty… but as they continue to double down… the very programs they are using to try and “increase security”... are becoming dangerous to the players who download them.
Bottom line… I stand by my initial statement. Anti-cheat software is far more dangerous than pretty much anything it prevents… because in a devil's trade… players are sacrificing their own system security… in order to have a few fewer hackers who ruin their in-game experience. I understand the desire… I understand the need to fight against third party cheats… but ring 0, kernel level access is NOT the way it should be done.