Last week, the video game giant Riot Games revealed that hackers had compromised its “development environment”— where the company stores its source code — with a social engineering attack.
While the company reassured its users that “there is no indication that player data or personal information was obtained,” the hack could still be damaging, as hackers got their hands on the source code for Riot’s popular games League of Legends and Teamfight Tactics, as well as the source code for the company’s legacy anti-cheat system.
The theft of the anti-cheat’s source code — even an old system — could help hackers develop better and less detectable cheats, according to industry experts who spoke to TechCrunch.
“From Riot’s perspective it’s bad (beyond just embarrassing) because it makes it easier for cheat developers to understand the game and therefore easier to develop new cheats, it also makes it easier for third party league servers/clients to get made,” Paul Chamberlain, who led Riot’s anti-cheat team until September 2020, told TechCrunch.
Chamberlain said that the legacy anti-cheat hasn’t been part of League of Legends for five years, but given that developing cheats is “is as much (perhaps more) about the game itself than the anti-cheat system, having access to the game source code means you don’t have to reverse engineer the released binaries (which are often also obfuscated or encrypted) and gives cheat developers better access to the intent of the game code through comments and variable/function/class names.”
“Access to an obsolete anti-cheat system is mostly a curiosity but it could give some insight into how the anti-cheat developers think and what the company prioritizes in terms of what needs protection,” Chamberlain explained.
Riot itself admitted this risk. In a tweet on Tuesday, the company said that “any exposure of source code can increase the likelihood of new cheats emerging,” and that its developers are working to assess the impact of the theft and “be prepared to deploy fixes as quickly as possible if needed.”
When reached by email, Riot spokesperson Joe Hixson declined to answer TechCrunch’s questions beyond the company’s tweets.
An industry insider with knowledge of anti-cheat systems, who asked to remain anonymous as he was not authorized to speak to the press, agreed that the theft of the anti-cheat system’s source code has the potential to hurt Riot and its players.
“They are in trouble if the anti-cheat code gets published,” he said. “If the anti-cheat source code is disclosed, cheat developers will have an easy time bypassing everything.”
The insider explained that Riot’s old anti-cheat system is probably still being used to prevent a number of cheats and working to detect and block them. The theft of the system may compromise Riot’s ability to identify the hardware used by cheaters—game companies use identify and fingerprint the hardware used by cheaters to ban them—as well as the detection systems used to find cheat developers, and may even require a rewrite of the anti-cheat system.
Moreover, the insider said, the source code could even be used by malware developers. “It will be easier to find vulnerabilities in the [game’s] driver that could be exploited by malware,” the insider said.
Motherboard reported on Tuesday that the hackers are demanding Riot Games pay a ransom of $10 million to not publish the stolen code.
“We have obtained your valuable data, including the precious anti-cheat source code and the entire game code for League of Legends and its tools, as well as Packman, your usermode anti-cheat. We understand the significance of these artifacts and the impact their release to the public would have on your major titles, Valorant and League of Legends. In light of this, we are making a small request for an exchange of $10,000,000,” read the ransom note obtained by Motherboard.
Do you have more information about this hack? Do you do cybersecurity research on video games or game consoles? Or do you develop cheats for games or reverse engineer anti-cheat software? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email [email protected].