TL;DR: We discovered a critical flaw in a variety of motherboards that can be exploited for injecting code unnoticed. If your system is affected, Vanguard will prompt you with our VAN:Restriction service to update your motherboard’s firmware.

Greetings, ladder demons.

My name is Mohamed, and some of you may know me as ItsGamerDoc on X. This is my first official article at Riot. The Anti-Cheat Kitchen has been hard at work serving ladle after ladle of hearty ban chowder to cheaters, but today I don't want to focus on the delicious bans being served. Instead, I want to focus on what's been cooking in the back: a recipe for security enforcement that leaves DMA cheats… well… cooked.

Alright, enough with the cooking metaphors. In the very near future, Vanguard will begin enforcing stricter checks on system boot security for certain players.

Why, you ask? Well, earlier this year we discovered a critical flaw affecting a variety of modern motherboards. This issue allowed hardware cheats to potentially inject code unnoticed, even when security settings on the host appeared to be enabled.

Here's the lowdown on why this is happening and, more importantly, what to do if you're affected.

The "Who Loads First?" Problem

To understand this enforcement change, we need to talk about how your computer normally boots. At the very moment your PC powers on, it’s in its most privileged state: it has full, unrestricted access to the entire system and all connected hardware. The system begins by loading and executing its initial firmware (usually UEFI), which then starts a chain of hardware, software, and security initialization. Only after all of this does control finally pass to the operating system, which is what we typically think of as “the computer.”

The problem this creates is that components that load earlier in this chain are usually more privileged, and can manipulate components that load later. Cheat developers understand this extremely well. Unfortunately, the operating system your game runs on loads near the end of the process. This means cheats can load early, gain higher privilege, and hide effectively within the system before the OS or anything running on it has a chance to defend itself.

Thankfully, security features like Secure Boot, VBS, and IOMMU already exist to help provide security. And for the most part, they are effective at preventing this attack vector, assuming they are on and working correctly.

Vanguard’s strategy is simple: create a perimeter around the Windows kernel to ensure the system hasn't been compromised as early as we can. If a cheat loads before we do, it has a better chance of hiding where we can’t find it. This creates an opportunity for cheats to try and remain undetected, wreaking havoc in your games for longer than we are ok with.

The Discovery: A Sleeping Bouncer

Remember moments ago when we talked about existing security features that do a fine job, assuming they work? Let’s talk about one of them, IOMMU.

For years, the most effective (and expensive) form of cheating has involved the use of DMA (Direct Memory Access) devices.

DMA cards are hardware devices that plug into your PC and touch memory directly, bypassing the CPU and Windows. To stop them, we rely on a hardware feature called IOMMU (Input-Output Memory Management Unit). Think of the IOMMU as a bouncer for your RAM; it checks the ID of every device trying to access memory and kicks out the ones not on the guest list.

"Pre-Boot DMA Protection" is a security feature present in the bios/firmware of many devices that leverages the systems IOMMU to prevent rogue DMA access to a systems memory early on in the boot sequence. This gives the loaded operating system some confidence that the system it’s on was initialized with some predictable integrity. Which is awesome, in theory... But that also means the operating system has to trust the security feature itself.

And that is precisely what the Vanguard team’s research uncovered. In some cases, hardware manufacturer firmwares incorrectly signaled to the operating system that this feature was fully active, when it was actually failing to initialize the IOMMU correctly during early boot.

This meant that while "Pre-Boot DMA Protection" settings appeared to be enabled in the BIOS, the underlying hardware implementation wasn't fully initializing the IOMMU during the earliest seconds of the boot process. In essence, the system's “bouncer” appeared to be on duty, but was actually asleep in the chair. So by the time the system is fully loaded, it can’t be 100% confident that 0 integrity breaking code was injected via DMA.

This brief window is all a sophisticated hardware cheat needs to sneak in, inject code, and hide itself before Vanguard wakes up.

The Solution: A Unified Update

Earlier this year, we shared our findings with our hardware partners, and they have been excellent collaborators in this process, validating the issue and producing comprehensive BIOS updates to close this gap. 

Don't take our word for it - here's a look at security advisories from major hardware manufacturers: 

These updates will ensure that when you enable security features, they're active from the very first millisecond of power-on.

What to do if I Receive a Restriction?

Our VAN:Restriction system is Vanguard’s way of telling you we cannot guarantee system integrity due to the outlined disabled security features. This will prevent you from launching VALORANT, and you’ll see a pop up box stating what is required to enable so you continue playing. These restrictions are applied on the account or HWID level when we detect suspicious hardware behavior or statistical anomalies. These anomalies can occur due to various factors including disabled security features, or in this case, the newly discovered pre-boot loophole that invalidates IOMMU. Getting one of these warnings doesn't necessarily mean we suspect you of cheating–it means that your current system configuration is too similar to cheaters who get around security features in order to become undetectable to Vanguard. 

This minimum security baseline is essential for countering cheaters. If restricted, you are prompted to either enable said features or update your motherboard firmware by following your manufacturer's official guidance before you can play. You can learn more about restrictions in this support page. 

Additionally, we're investigating rolling this requirement out to all players at the highest level of play (Ascendant and above) to ensure a trusted baseline of security for the top of the ladder.

The Goal

BIOS updates aren't exactly as exciting as looking at ban numbers, but this is a necessary step in our arms race against hardware cheats. By closing this pre-boot loophole, we are neutralizing an entire class of previously untouchable cheats and significantly raising the cost of unfair play.

This entire ordeal is a significant achievement, not just for our anti-cheat but for the entire gaming industry, extending beyond Riot Games. Had this issue gone unnoticed, it would have completely nullified all existing DMA detection and prevention tech currently on the market–including that of other gaming companies–due to the nature of this class of cheats running in a privileged area that anti-cheats typically do not run.

If you want to get ahead of this and have an uninterrupted grind, you can proactively update your motherboard to the latest firmware by visiting the manufacturers' websites. Raising the gaming industry's overall security posture has been a core focus for us since 2021. The adoption of these stringent measures is now evident across the industry, as highlighted by articles like Xbox's "Building a Trusted Gaming Future: How Security Powers Fair Play." These security fundamentals are non-negotiable in the fight against cheating. We're proud to have pioneered these security advances and are committed to maintaining a fair and trusted competitive environment for everyone.

We appreciate the effort it takes to keep your system up to date. Thanks for helping keep games fair and secure for everyone. Feel free to reach out to Riot Support if you have any issues, and we can provide general guidance or point you to official manufacturer resources.