Anti-Cheat Systems: Security through Obscurity
5 November 2020
Anti-cheat solutions are a common sight in online games. Most studios even have their own proprietary anti-cheat system. Easy Anti-Cheat (EAC), Valve Anti-Cheat (VAC) and BattlEye are well known and commonly used. These systems are useful to have: they deter the average hacker and stop opportunists at the door. The perception of the anti-cheat and the consequences of being caught are enough to put off most typical hackers. But if a malicious attempt is made and is successful, that anti-cheat is now defunct, and it becomes a cyber arms-race between patching and hacking to stay ahead.
Hackers will always test the security. Don’t leave gaps
Hackers aren’t dark, shadowy figures sitting alone in front of a bank of monitors watching code scroll by. They have communities, forums, groups, communication. They cooperate and unify their skills. These communities work day-by-day just to pry the anti-cheat off a game and have the unsecured version ready for distribution to players. The developers, of course, work just as hard. Each time an intrusion occurs, each time a breach is made, a patch is deployed. We find the point of entry and seal it up, but make no mistake: the hackers will find or make a new one.
It is an endless game of hacker cat and developer mouse. With anti-cheat and client-side security, breaches are only a matter of time. With server-side security, however, a breach is not simply a matter of time. It is much more secure and significantly harder to access.
If there are questions on whether hackers will always make these attempts, one need only look at the monetary value that can be earned by selling on exploits. This trade exists because it is a hugely profitable business. With the games industry always growing, there is no doubt that the hackers will match that growth.
How do you tackle a cyber arms-race?
It’s important to remember that anti-cheat is good to have. Anti-cheat systems do keep a game secure for the most part. However, anti-cheat security is client-side and can be fully bypassed by those with the right tools and experience.
Until a patch is released, the game is compromised. The players who remain honest are subject to all manner of cheats and hacks as those abusing the intrusion take leaps and bounds ahead of any others.
So, the solution is an additional layer, one that can’t be touched by players or a malicious actor. One far out of reach. This is where server-side security takes the stage, its code unobtainable by a player. By implementing the right server-side security, developers can ensure they remain in control of their own code, ensuring fair play and a balanced experience.
The easiest way to win the arms-race against ever-evolving hackers is to simply play a different game entirely. There can’t be any competition if the opposing force can’t even touch your protection.
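An added example, not from the original article or Cyrex's own code: a minimal server-authoritative movement check of the kind the server-side layer described above implies, where the rule and the state live only on the server. The speed limit, time cap, tolerance and the message fields (`seq`, `x`, `y`) are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

MAX_SPEED = 7.0          # units per second; assumed rule, lives only on the server
MAX_STEP_SECONDS = 0.25  # assumed cap so idle time cannot be banked into a teleport
TOLERANCE = 1.05         # assumed slack for rounding in honest clients


@dataclass
class PlayerState:
    x: float = 0.0
    y: float = 0.0
    last_seq: int = 0
    last_time: float = 0.0
    violations: int = 0


def _reject(state, reason):
    state.violations += 1  # kept server-side for review; never sent to the client
    return False, reason


def apply_move(state, msg, server_now):
    """Validate one client position report against server-held state.

    Returns (accepted, reason). On rejection the authoritative position is
    unchanged, so the client is simply corrected back to it.
    """
    try:
        seq, x, y = int(msg["seq"]), float(msg["x"]), float(msg["y"])
    except (KeyError, TypeError, ValueError, OverflowError):
        return _reject(state, "malformed")
    if seq <= state.last_seq:
        return _reject(state, "stale sequence")
    if not (math.isfinite(x) and math.isfinite(y)):
        return _reject(state, "non-finite coordinate")
    # Elapsed time comes from the server clock, never from the message.
    elapsed = min(max(server_now - state.last_time, 0.0), MAX_STEP_SECONDS)
    allowed = MAX_SPEED * elapsed * TOLERANCE
    if math.hypot(x - state.x, y - state.y) > allowed:
        return _reject(state, "exceeds max speed")
    state.x, state.y = x, y
    state.last_seq, state.last_time = seq, server_now
    return True, "ok"
```

A modified client can send any coordinates it likes, but the accepted position only ever changes through this function, which the player cannot read or patch.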
Top of the line security, far from hacking hands
Security is about limiting injection points without sacrificing performance or bottlenecking. At Cyrex, we are in the unique position of offering penetration testing to gaming. As native gamers, we know how games work from the ground up and know what weaknesses are often exploited. We have the security mindset to match our gaming knowledge, to know where weaknesses lie and how to reinforce them.
As game hacking experts, we know where to counter the typical intrusions. We implement the defence and combat it directly. Time and time again we see client-side security simply work as a deterrent to the normal player. It’s a measure that looks like security, but a hacker can bypass it. It is security by obscurity: secrecy is substituted for true security, meaning that once the trick to bypass it is found, the security is non-existent. Moving towards a server-side security solution will keep your game safe and ensure your honest players go unpunished.
Infallible, impenetrable security is a big ask. With client-side security, it’s just a question of how long until it is broken. Server-side security has a much higher level of protection against any potential hackers or malicious actors. Cloud gaming is a good example of this: players are only provided with a stream, so all security must be server-side. A player who attempts to hack the stream is limited by their inputs and file access, and is also hugely limited by the lack of modifiable code. This is what server-side security offers: a significant leap in protection. This server-side security, when matched with a strong anti-cheat system, results in the best possible security package.
These measures are about you as a publisher and developer being in control of your own code. And if you’re in control of your code, you’re in control of your risks.