In context: Nothing can ruin a multiplayer game faster than rampant cheating, so it’s no surprise that developers go to great lengths to devise ways to mitigate it. One controversial method is to install kernel-mode drivers that monitor for anything that tries to tamper with the game’s software. However, many players are not comfortable with granting such low-level privileges.
The latest game publisher to add kernel-level cheat protections is EA. The new EA Anti-Cheat (EAAC) debuts in the upcoming FIFA 23 for PC later this month. Senior Director of Game Security & Anti-Cheat Elise Murphy explained that it would eventually roll out to all of EA’s multiplayer competitive titles.
Murphy says this low-level, highest-privileged software operating in kernel space is necessary because cheating software has become very good at cloaking itself from user-level mitigation by running in kernel space itself.
“For games that are highly competitive and contain many online modes like FIFA 23, kernel-mode protection is absolutely vital,” she wrote. “When cheat programs operate in kernel space, they can make their cheat functionally invisible to anti-cheat solutions that live in user-mode. Unfortunately, the last few years have seen a large increase in cheats and cheat techniques operating in kernel-mode, so the only reliable way to detect and block these is to have our anti-cheat operate there as well.”
This explanation is all good, except that cheaters voluntarily allow cheat software to run at the sensitive kernel level. Players installing the latest EA titles have no choice but to give the game root privileges. Of course, many will choose not to install EA games, but whether that will be enough for EA to notice remains to be seen.
This type of cheat mitigation started appearing in 2020. League of Legends was one of the earliest games — if not the first — to use a kernel-mode anti-cheat called “Vanguard.” Riot Games implemented it in Valorant in 2020. Players were worried that such low-level drivers could compromise their privacy. Security researchers were also alarmed, saying that even if it was effective at detecting cheats, it still increased the attack surface of the devices on which the drivers were installed.
Murphy says that EA has taken every precaution to ensure the privacy and safety of the community. Unlike Vanguard, EAAC only runs while the game is operating. Vanguard’s drivers load at system boot and run even while the game is not being played. She also notes that EAAC can be uninstalled separately but that any game that utilizes it will not run until it is re-installed, so what is the point?
“It can also be manually uninstalled by you at any time you choose and will be completely removed from your PC,” Murphy said. “Please note that if you uninstall EAAC, any games that require EAAC protection (like FIFA 23) will not be playable until EAAC is reinstalled.”
Even though LoL and Valorant players never reported any intrusions connected with the Vanguard software, that does not mean that kernel-mode drivers are safe. On the contrary, last month, hackers began using Genshin Impact’s (GI) root-level anti-cheat files to propagate ransomware. Even more concerning is that the exploit can work on systems that have never installed Genshin Impact.
Security analysts say the impact of the GI exploit may be felt for years to come as hackers pass the vulnerable files around hacking communities. No amount of patching Genshin Impact’s anti-cheat drivers can reverse what is already circulating in the wild, separate from the game.
Pandora’s Box cannot be closed.