The engineering culture behind AAA video games is rotten to the core with regards to security. Everyone thinks they're making Doom 3 and they're really making Windows 2000 Service Pack 1.
The problem in big part stems from the business culture upstream. They're trying to produce a game, but what they're really after is e-sports money. They design multiplayer to be about organized pro play, which brings in all the cheating problems of professional sports, so they end up subjecting every player to e-sports-grade security like those anti-cheat systems, despite 99.9% of the player base not caring about pro play in the first place.
This is the worst possible combination: players are forced to accept first-party invasive rootkits that are disruptive and ineffective, while cheaters still cheat.
IMHO the only sensible solution is to separate out e-sports angle from the game itself. People who want to "go pro" would be free to subject themselves to anti-cheats and drinking verification cans and past some point might as well buy company-authorized computers to play on. Everyone else should just be allowed to play casually and enjoy the game without the anti-cheat nuisance (and a looming threat of false positive).
With main incentive for serious cheating separated out, non-pro players would only have to worry about griefers. Those are a problem too, but they can be dealt with by simpler and less invasive measures than a kernel-level rootkit.
As it is, AAA multiplayer games are basically like if FIFA was to micromanage Town Recreational Leagues and hold them to the World Cup standard, because cheating is a Big Deal so every kid needs to take regular blood tests before the match.
I don’t work in gaming, I know a few people who do, everyone of them does it for the love of the game. Certainly not for the job security or even the money. This idea that they’re also to handle security is too much. It’s not their fault, they’re writing “art” not secure micro services for multi national companies.
Publishers will pay to have 0level kernel ring on your system but not for software securing their game.
> the game runs with admin privileges for the sake of anti-cheat
Nobody higher than the devs thought “this might be risky?”
Because can assure you, the devs felt it stupid and risky.
Your “Everyone thinks their making doom 3”. As I see this is not the developer fault.
Why would there be a strong engineering culture behind AAA video games at all? Game developers are underpaid, overworked and constantly told they can be replaced at a moments notice.
I wouldn't expect anything but code that "ships" out of them, and its understandable why.
It’s definitely games that are the problem. There’s no way that websites are still embedding third party code that is just slopped together shit and wildly vulnerable [0]. Or that domain registrars, one of the core points of trust of the internet would lie about their security practices and be sued by the FTC almost a decade after it[1]. Or that an endpoint management system would take down multiple airports due to basic bounds checks missing [2]. How about a massive software company used by huge enterprises for storing their knowledge bases having an RCE [3]. A global CDN definitely wouldn’t break DNS and take down half the internet [4].
Now you might say, those companies are irresponsible and that well maintained open source software doesn’t have this issue. That would mean no 0 days for linux [5], and that the most battle tested libraries in the world are immune from basic issues [6][7].
Software engineering is broken, it’s not just games. (Although, if you think physical construction is any better I suggest you stick a T square in the corners of your house and figure out how many of your walls aren’t square ). You
These are game developers. Not backend developers. Not web guys. Not remotely trained in infosec. They make games. Not security software. And for the longest time this was acceptable.
I think for a GaaS in 2025 it's unacceptable to not have security minded engineers on staff for the backend stuff. Too much money is involved not to. Especially for studios very familiar with shipping online games.
But I'm also kind of disappointed in how much we're forgetting that these people are not infosec nerds. Last year there was a cute fishing game made by a single dude messing around making things. It got popular and a kid found an RCE bug with the multiplayer. The dude got a TON of shit for the flaw, which feels deeply unfair. I don't expect my mom to configure a router correctly. I don't expect video game developers to understand defensive network programming without training.
Maybe I'm just a little frustrated at the Internet largely unable to understand that defensive programming is something that isn't in a game devs trained skills. I would expect better of Netease however
Great commentary, today the industry is focused on delivering free game with tons of cosmetics (which gives a ton of money) but forgetting about performance and security.
I was literally thinking about this the other day. There are a ton of games using kernel modules for anti-cheat and... just load and interpret data payloads. Certainly some of those payloads could manipulate the funny machines inside of a game executable if they're not careful about their parsing and validation.
Nice PoC!
Update: yes, most game client processes don't run in the kernel. My b. I was just thinking that updates and content payloads might be an interesting vector for langsec.
Yes. For example world of warcraft's anticheat (warden), although it runs in userspace, has been exploited multiple times to gain RCE/server root after receiving malicious payloads from clients.
Also, if you see content distribution networks the way we've been looking into package managers as a vector distributing poisoned payloads... seems fruitful.
I bought a Steam Deck with the sole purpose of having a cheap, airgapped PC to run games on. Game devs just don't have the incentives or discipline to be trusted with security.
I wish Steam offered a console format of the deck, essentially the same thing, but with better specs, HDMI out and bluetooth for controllers. Would be a massive hit I wager.
Interestingly, the game doesn't run as admin for any good reason. The first thing I did was only let the launcher and game run as the user with RunAsInvoker. The anticheat alone is allowed RunAsAdmin. At the same time, I don't trust any anticheat. It's probably worse than useless, but it is what it is. I thought Microsoft would clean this up after the Crowdstrike incident for all kernel-level code, but I guess there's no incentive for them to only let game companies request runtime analysis / reports rather than run code. As for the anti-cheat industry, they should focus on patterns of user behavior to help game companies moderate the players as much as neccesary.
I have a related question for you... my kids like Marvel Rivals, but I also use Microsoft family tools to limit their screen time so they don't have Admin accounts. However, the Marvel Rivals anti-cheat makes me enter my password every time they launch. Is there any way for me to create a shortcut or something so Rivals will launch without my password?
I'm not a Windows guy and trying to figure this out has been extremely frustrating...
I tried to get Microsoft to stop signing kernel mode anti-cheat drivers with no result. Even when a vulnerable driver is found the vendor is given way too much time to deploy a fix while the vulnerable build is out in the wild with a valid signature. The signature should be revoked as soon as an exploit is found, it's an anti-cheat driver for video games not essential business/government infrastructure.
If anticheat worked then it would be an interesting, perhaps tolerable tradeoff for some. The reality however is that games are absolutely packed with cheaters, there's an international industry in creating cheats for popular games, so what you get is an arms race that as usual only punishes honest users. It's like DRM, pirates don't seem to have much of a problem, but it sure can hurt the rest of us.
Unfortunately both the executives who buy into these things, and the average consumer, are simply too... simple, to understand or appreciate that.
> the game runs with admin privileges for the sake of anti-cheat
"sake of anti-cheat" should be taken lightly here. There is a reason why all the other sane anti-cheats have at least two applications, the anti cheat service which often runs as admin, and the game, which does not. Running the game as admin is quite frankly inexcusable.
The service often does the network comms and communicates to a kernel-mode driver and/or to the application via IPC or similar. Having defined barriers of separation are good things.
In any case, this POC doesn't have huge implications necessarily for most people, but maybe in SEA or China where LAN cafes are more prevalent, it could be a larger concern.
The one implication that I (the author) should highlight for the extra paranoid - this exploit extends to ISP's and cloud vendors that traffic is routed through. Anywhere in the trace route can MITM. It depends on how much you trust those parties.
> This also opens the door up to an entrypoint on PS5.
Does he mean that this is potentially how one could install custom firmware on their console?
Curious because I remember reading somewhat recently that console vendors have locked their consoles down well enough so as to avoid any vulnerabilities which could be exploited to install custom firmware. It would be amusing if that was invalidated by game dev security and I start hearing about ways to install some modded firmware, which include a step of "install one of these games".
IIRC, the web browser on 3DS systems was exploited to install custom firmware rather than a game so it was rather easily patched with a system update (and, indeed, it actually was patched). I wonder if we'll be seeing Sony/Nintendo/Microsoft start to insist on certain security standards as a result of games being exploited to install custom firmware on the devices they sell, presuming the answer to my first question is affirmative.
> Does he mean that this is potentially how one could install custom firmware on their console?
Sort of. It's a userland code execution exploit, which is often the first step, but all games run in a locked down VM specifically to protect against things like this, so you still need a kernel/hypervisor exploit to escape the VM and actually mess with the system in any significant way.
PS5 games are sandboxed, so it only allows an entrypoint to run code. For full PS5 exploitation, another chain is needed to go break out of the sandbox.
Looks like a typical mitm attack, which confuses me a bit, don't the developers use something like tls or dtls to protect their communications?
The most recent game I analysed was helldivers 2, which uses dtls. i would have thought that would be fairly common knowledge.
That's the issue - they don't!
But even games like Helldivers 2 have had silly vulnerabilities (just not RCE) - see https://helldivers.io/freesupercredits for some examples.
I like the other rant at the bottom. But why would game developers care about security when their customers don't care? The customers are fine running anticheat with admin privileges like in this RCE he just found.
I personally encountered a game anti-cheat driver in the wild (Anti-Cheat Expert) that caused BSODs and data loss. I later discovered there were known exploits in it and the signature still hadn't been revoked. I managed to get the developers of the game I was playing to reconfigure it by kicking up a fuss on the subreddit, at least.
> Game developers continue to amaze me at their lack of security awareness.
Because game developers are SUPPOSED to be aware of these things?
> It's very hard for security researchers to report bugs to most game dev companies. On top of that, most do not have bug bounty programs
Yet the OP blames the GAME developers…
They already have harder jobs than the majority of us, picking on them for not knowing skills outside of their area is just being mean and OP is targeting frustration at the wrong group.
You’re right - I should have specified more explicitly. I am not referring to the game dev that is developing game features or content - I am specifically talking about the “security engineering” organizations within game developer companies. NetEase hired security engineers to specifically do security related tasks (see NetEase AntiCheat @ https://dun.163.com/locale/en?force=true).
NetEase Games doesn’t have an excuse for not conducting a security review on a massive game like Marvel Rivals - and this isn’t some corner case, this is part of the core architecture.
And this is not a story unique to NetEase. I have multiple other examples that I’ll probably talk about in the future.
>> Game developers continue to amaze me at their lack of security awareness.
> Because game developers are SUPPOSED to be aware of these things?
If a civil engineer amazed people with their lack of structural integrity awareness, they wouldn't be trusted to build a house of cards let alone a bridge open to the general public. Software developers write defective, bug-ridden and unsafe public-facing devices and services that are open to the entire world and we shrug whenever there's a major cybersecurity or software crash catastrophe.
If software engineers were held to the same standards of accountability and liability as real engineers when they apply their signature at the bottom of a design calculations document, maybe we'd stop shoveling trivially wormable garbage onto the Internet without a second thought.
YES. Did you read the part where the game devs use RCE with admin privileges to run patches? Any developer who does that should be aware of the security risks they’re taking.
If you sell software to millions of people that runs with access to sensitive data you have an obligation to do a good job, sorry. If you don't like that, make it MIT licensed on an open source site instead of $70 on Steam.
doctorpangloss|1 year ago
TeMPOraL|1 year ago
This is the worst possible combination: players are forced to accept first-party invasive rootkits that are disruptive and ineffective, while cheaters still cheat.
IMHO the only sensible solution is to separate out e-sports angle from the game itself. People who want to "go pro" would be free to subject themselves to anti-cheats and drinking verification cans and past some point might as well buy company-authorized computers to play on. Everyone else should just be allowed to play casually and enjoy the game without the anti-cheat nuisance (and a looming threat of false positive).
With main incentive for serious cheating separated out, non-pro players would only have to worry about griefers. Those are a problem too, but they can be dealt with by simpler and less invasive measures than a kernel-level rootkit.
As it is, AAA multiplayer games are basically like if FIFA was to micromanage Town Recreational Leagues and hold them to the World Cup standard, because cheating is a Big Deal so every kid needs to take regular blood tests before the match.
bilekas|1 year ago
Publishers will pay to have 0level kernel ring on your system but not for software securing their game.
> the game runs with admin privileges for the sake of anti-cheat
Nobody higher than the devs thought “this might be risky?”
Because can assure you, the devs felt it stupid and risky.
Your “Everyone thinks their making doom 3”. As I see this is not the developer fault.
Thaxll|1 year ago
devmor|1 year ago
I wouldn't expect anything but code that "ships" out of them, and its understandable why.
maccard|1 year ago
Now you might say, those companies are irresponsible and that well maintained open source software doesn’t have this issue. That would mean no 0 days for linux [5], and that the most battle tested libraries in the world are immune from basic issues [6][7].
Software engineering is broken, it’s not just games. (Although, if you think physical construction is any better I suggest you stick a T square in the corners of your house and figure out how many of your walls aren’t square ). You
[0] https://mrbruh.com/chattr/
[1] https://news.ycombinator.com/item?id=42849632
[2] https://en.m.wikipedia.org/wiki/2024_CrowdStrike-related_IT_...
[3] https://www.csoonline.com/article/2138177/atlassians-conflue...
[4] https://techcrunch.com/2021/07/22/a-dns-outage-just-took-dow...
[5] https://www.indusface.com/blog/rce-zero-day-vulnerabilities-...
[6] https://en.m.wikipedia.org/wiki/Log4Shell
[7] https://heartbleed.com/
cubefox|1 year ago
But it is way ahead with regards to efficient hardware utilization!
agoodusername63|1 year ago
These are game developers. Not backend developers. Not web guys. Not remotely trained in infosec. They make games. Not security software. And for the longest time this was acceptable.
I think for a GaaS in 2025 it's unacceptable to not have security minded engineers on staff for the backend stuff. Too much money is involved not to. Especially for studios very familiar with shipping online games.
But I'm also kind of disappointed in how much we're forgetting that these people are not infosec nerds. Last year there was a cute fishing game made by a single dude messing around making things. It got popular and a kid found an RCE bug with the multiplayer. The dude got a TON of shit for the flaw, which feels deeply unfair. I don't expect my mom to configure a router correctly. I don't expect video game developers to understand defensive network programming without training.
Maybe I'm just a little frustrated at the Internet largely unable to understand that defensive programming is something that isn't in a game devs trained skills. I would expect better of Netease however
Xunjin|1 year ago
agentultra|1 year ago
Nice PoC!
Update: yes, most game client processes don't run in the kernel. My b. I was just thinking that updates and content payloads might be an interesting vector for langsec.
Liquix|1 year ago
agentultra|1 year ago
mavhc|1 year ago
kibwen|1 year ago
Reminder that all three Dark Souls games allowed full RCE to any users connected to the internet: https://flashpoint.io/blog/rce-vulnerability-dark-souls/
Etheryte|1 year ago
lockemx|1 year ago
zwily|1 year ago
I'm not a Windows guy and trying to figure this out has been extremely frustrating...
kevingadd|1 year ago
EA-3167|1 year ago
Unfortunately both the executives who buy into these things, and the average consumer, are simply too... simple, to understand or appreciate that.
bangaladore|1 year ago
"sake of anti-cheat" should be taken lightly here. There is a reason why all the other sane anti-cheats have at least two applications, the anti cheat service which often runs as admin, and the game, which does not. Running the game as admin is quite frankly inexcusable.
The service often does the network comms and communicates to a kernel-mode driver and/or to the application via IPC or similar. Having defined barriers of separation are good things.
In any case, this POC doesn't have huge implications necessarily for most people, but maybe in SEA or China where LAN cafes are more prevalent, it could be a larger concern.
shalzuth|1 year ago
sanktanglia|1 year ago
lcnPylGDnU4H9OF|1 year ago
Does he mean that this is potentially how one could install custom firmware on their console?
Curious because I remember reading somewhat recently that console vendors have locked their consoles down well enough so as to avoid any vulnerabilities which could be exploited to install custom firmware. It would be amusing if that was invalidated by game dev security and I start hearing about ways to install some modded firmware, which include a step of "install one of these games".
IIRC, the web browser on 3DS systems was exploited to install custom firmware rather than a game so it was rather easily patched with a system update (and, indeed, it actually was patched). I wonder if we'll be seeing Sony/Nintendo/Microsoft start to insist on certain security standards as a result of games being exploited to install custom firmware on the devices they sell, presuming the answer to my first question is affirmative.
bakugo|1 year ago
Sort of. It's a userland code execution exploit, which is often the first step, but all games run in a locked down VM specifically to protect against things like this, so you still need a kernel/hypervisor exploit to escape the VM and actually mess with the system in any significant way.
shalzuth|1 year ago
tart-lemonade|1 year ago
Just build a JSON API! It's not that hard! You don't need to RCE your game every time it launches just for microtransactions.
X-Cubed|1 year ago
I agree that a JSON API is a better approach, but it's possible for AAA game developers to screw that up too: https://arstechnica.com/gaming/2021/03/developers-to-update-...
S0y|1 year ago
sanktanglia|1 year ago
jauntywundrkind|1 year ago
It would have been a tiny bit funny if it had been the same company that was just briefly banned that was allowing a remote exploit.
xnx|1 year ago
empath75|1 year ago
zxilly|1 year ago
shalzuth|1 year ago
plagiarist|1 year ago
kevingadd|1 year ago
foco_tubi|1 year ago
wyldfire|1 year ago
Nannooskeeska|1 year ago
bilekas|1 year ago
Because game developers are SUPPOSED to be aware of these things?
> It's very hard for security researchers to report bugs to most game dev companies. On top of that, most do not have bug bounty programs
Yet the OP blames the GAME developers…
They already have harder jobs than the majority of us, picking on them for not knowing skills outside of their area is just being mean and OP is targeting frustration at the wrong group.
shalzuth|1 year ago
And this is not a story unique to NetEase. I have multiple other examples that I’ll probably talk about in the future.
boricj|1 year ago
> Because game developers are SUPPOSED to be aware of these things?
If a civil engineer amazed people with their lack of structural integrity awareness, they wouldn't be trusted to build a house of cards let alone a bridge open to the general public. Software developers write defective, bug-ridden and unsafe public-facing devices and services that are open to the entire world and we shrug whenever there's a major cybersecurity or software crash catastrophe.
If software engineers were held to the same standards of accountability and liability as real engineers when they apply their signature at the bottom of a design calculations document, maybe we'd stop shoveling trivially wormable garbage onto the Internet without a second thought.
munchler|1 year ago
kevingadd|1 year ago