Last week, video game giant Riot Games revealed that the hackers had compromised its “development environment” – where the company stores its source code – with a social engineering attack.
While the company has reassured its users that “there is no indication that any personal player data or information has been obtained”, the hack could still be damaging, as hackers have gotten their hands on on the source code of popular Riot games. League of Legends and Teamfight Tacticsas well as the source code for the company’s old anti-cheat system.
Stealing anti-cheat source code — even an old system — could help hackers develop better, less detectable cheats, according to industry experts who spoke to TechCrunch.
“From Riot’s perspective, this is bad (beyond embarrassment) because it makes it easier for cheat developers to understand the game and therefore develop new cheats, it also makes it easier to build servers/ third-party league customers,” Paul Chamberlain, who led Riot’s anti-cheat team through September 2020, told TechCrunch.
Chamberlain said the anti-cheat legacy hasn’t been a part of League of Legends for five years, but given that the development of cheats is “as much (perhaps more) about the game itself than the anti-cheat system cheats, having access to the game’s source code means you don’t have to reverse engineer the released binaries (which are often also obfuscated or encrypted) and gives cheat developers better access to the intent of the game’s code via comments and variable/function/class names.
“Access to an outdated anti-cheat system is mostly a curiosity, but it could provide some insight into how anti-cheat developers think and what the company prioritizes in terms of protection,” Chamberlain explained.
Riot itself admitted this risk. In a tweet tuesdaythe company said that “any source code exposure may increase the likelihood of new cheats appearing”, and that its developers are working to assess the impact of the theft and “be prepared to deploy fixes as quickly as possible if necessary”.
When contacted by email, Riot spokesperson Joe Hixson declined to answer TechCrunch’s questions beyond the company’s tweets.
An industry insider with knowledge of anti-cheat systems, who asked to remain anonymous because he was not authorized to speak to the press, agreed that stealing the source code of the anti-cheat system could potentially hurt Riot and its players.
“They will have problems if the anti-cheat code is released,” he said. “If anti-cheat source code is leaked, cheat developers will have a hard time getting around everything.”
The insider explained that Riot’s old anti-cheat system is likely still being used to prevent a number of cheaters and working to detect and block them. System theft can compromise Riot’s ability to identify the hardware used by cheaters – game companies use the identification and fingerprints of hardware used by cheaters to ban them – as well as the detection systems used to find cheat developers, and may even require a rewrite of the anti-cheat system.
Moreover, the insider said, the source code could even be used by malware developers. “It will be easier to find vulnerabilities in the [game’s] driver that could be exploited by malware,” the insider said.
Motherboard reported on Tuesday that hackers are demanding Riot Games pay a $10 million ransom for not releasing the stolen code.
“We got your valuable data, including valuable anti-cheat source code and full game code for League of Legends and its tools, as well as Packman, your user-mode anti-cheat. We understand the importance of these artifacts and the impact their release to the public would have on your main titles, Valorant and League of Legends. In light of this, we are making a small trade request for $10,000,000,” reads the ransom note obtained by Motherboard.