Kernel-Level Anti-Cheat: A Growing Security Concern
Kernel-level anti-cheat drivers from Riot, EA, and Epic face scrutiny over ownership ties, data collection, and security vulnerabilities in major games.
Kernel-level (ring-0) anti-cheat drivers used by major game publishers run with the same privilege as the Windows kernel, granting full access to memory, filesystems, and hardware — yet remain closed-source and unauditable. Ownership tracing reveals Vanguard (Riot) is wholly owned by Tencent, while FACEIT and EA's pending acquisition trace to Saudi Arabia's PIF sovereign wealth fund. This raises concerns given China's National Intelligence Law compelling corporate cooperation with state intelligence, and a documented precedent of Saudi-linked espionage through Twitter insiders.
Independent research (ARES 2024) found these drivers collect system-wide data continuously, with some exhibiting rootkit-like behavior such as hiding from other processes. EAC generates persistent hardware fingerprints even absent cheating suspicion. These drivers also constitute genuine attack surfaces: Genshin Impact's anti-cheat driver was weaponized by ransomware to disable antivirus software, and EAC recently had a privilege-escalation vulnerability formally assigned a CVE.
Despite the invasive access, cheating persists — cheaters have simply moved to external hardware below the kernel layer. Meanwhile, Microsoft has begun retreating from kernel-resident security software following the 2024 CrowdStrike outage, signaling it may restrict third-party kernel access going forward. For engineers, this raises fundamental questions about supply-chain trust, closed-source auditability, and the security tradeoffs of granting root-level access for anti-cheat enforcement.