An overview of cheating at LAN events

If you follow Counter-Strike: Global Offensive, you've probably seen variousredditthreads claiming that people can cheat at LAN events. Whether this threat is real or preceived, there's a lot of misinformation out there about what is and isn't possible and how easily this can be prevented. As someone who has created both cheats (not multiplayer!) and anti-cheats, I thought I'd make a blog to help clarify the situation.

Overview

First, a quick and very simplified overview on how cheats actually work. There are generally two types of software cheats - active and passive. Active cheats will alter the game or OS code into doing things it shouldn't do - for example, a cheat program could overwrite the code used when a game is rendering enemy players and disable depth tests, so the models are always drawn (a very simple wallhack). Passive cheats don't alter anything, but instead take data that a player wouldn't normally be able to see or use and do something with it - for example, a passive cheat might read the game memory to determine where other players are and draw a radar map in a separate window, or read pixels on the screen and simulate a mouse click when an enemy is in the crosshair.

Active cheats are very easy to detect, as the game and anti-cheat systems can check the integrity of the code and important system files as they exist in memory. If a modification is found, the player can be kicked or if the modification is known to be caused by a specific cheat, a ban issued. Unfortunately due to performance concerns, it isn't feasible to continuously scan all of the memory, so some cheats can still remain hidden and look innocent enough where they won't be banned (eg how does an anti-cheat detect the difference between a radar overlay and a FPS / temperature overlay). Private hacks in particular have this advantage as without knowing exactly what modified the code, you can't safely issue a ban as it may be some legitimate 3rd party software causing it.

Passive cheats exist outside of the game's process, and require a more invasive anti-cheat that not only scans the current game, but the rest of the running programs on your system, much like anti-virus software. Such anti-cheats have typically run into privacy concerns, but cryptographic hashing can safely report the existence or not of specific programs without revealing personal information. Again, this requires public cheats in order to know what to look for - private passive cheats are among the hardest to detect.

Both active and passive cheats still need a way to be loaded. This is usually in the form of a .exe file which is run before or during the game. Active cheats will typically inject themselves into the game and the .exe file will exit, so the cheat only exists in the memory of the game. Passive cheats will generally remain running in some way - more advanced ones will hijack a legitimate program like Explorer or Notepad and run their code inside that process.

I've seen some reports of programs that "inject" cheats into the server and such. This is not possible unless you are also in control of the server. Most likely these rumors came around due to modified community servers that provided cheats to the server admins or similar. Additionally, "hiding" cheats inside a physical device like a keyboard or mouse is mostly hyperbole - unless the device contains USB storage functionality, this isn't possible. This myth is probably based on keyboards / mice that have on-board memory for remembering settings / macros / etc. Several people have also mentioned that the "BadUSB" exploit could be used to hide cheats, however this only lets the USB device report itself differently to the OS - eg a USB thumb drive could claim to be a keyboard and then start "typing" for you. It still doesn't allow a way for the USB device to immediately load software.

Cheating at LAN is actually very simple if there are no precautions in place. You could hide cheat programs on a USB stick and load them when no one is watching, you could set up a website that looks like a driver download site and pretend to be installing drivers, you can have a friend in the audience text your phone when certain things are happening, hide cheat files inside images, etc. Fortunately most of these are easily preventable.

Preventing physical cheating

This usually involves a cell phone or other communications device concealed on a player. An audience member can trigger the device to vibrate eg when a team is going for a particular strategy or a secret objective is being taken. This type of cheating can be prevented by searching players before official matches and removing any devices which have communications functionality. Keep in mind modern electronics can be surprisingly small and easily concealed. An audience member could also wave or shout in order to reveal information to a player. This is a bit harder to prevent as most tournaments want the audience to have a clear view of the players, but physical barriers, sound-cancelling booths or headphones, one-way glass or having staff watch for suspicious audience actions are possible countermeasures.

Prevent loading of cheat software

Players may bring a variety of equipment with them that has the possibility of containing USB storage, and most players will expect full internet access in order to use social media, music players, etc. Therefore you should assume that players are able to get any file onto the tournament PC and defend from there. The most simple way to prevent loading of cheats is to use the executable whitelist policy built into Windows called AppLocker. Using this, you can set up the tournament PCs beforehand with all necessary drivers, communications software, games, etc and then block everything else from ever running. AppLocker, while being time consuming to initally set up, can completely lock down the PC so that only authorized applications can be loaded. In addition, proper event logging can develop an audit trail so that you can check for attempts to load unauthorized software.

It's extremely important that players are never allowed to play on Administrator level accounts. All modern games will run fine without admin permissions. Games should be fully patched and up to date beforehand and players should never need to install drivers or other software - consult with players / teams prior to the LAN to determine what needs to be pre-loaded onto the tournament machines. AppLocker can be disabled by admins and most other protections can similarly be defeated. The administrator account should have a strong password that is never shared with players. Should a referee need administrator access to fix an issue, players must not be allowed to see them enter the password.

With AppLocker properly configured, you don't have to worry about whether anti-cheat software is reliable or not. Cheats simply have no way to be loaded in the first place. Be aware that setting up AppLocker is a complicated process that requires blocking several Windows programs and locking down file system permissions with NTFS ACLs in order to properly secure the PC.

Re-image between users

If multiple different teams or players may use the same PC during the tournament and time allows, the PCs should be re-imaged between users. On a gigabit network and depending on the games installed, this can be done in just 15 minutes. This prevents players from accidentally or intentionally changing difficult-to-find settings that may affect future users of the PC, for example changing game or driver settings that might lower FPS or increase input lag, changing accessibility settings to cause annoyances, etc.

Use a firewall and proxy

A lot of private cheats don't provide the cheats directly to the user in the form of a .exe file - to protect against leaking, the .exe is a small stub that downloads the cheat code from a remote server so it never gets written to disk. This download may be over HTTP / HTTPS or through custom ports. Use a firewall to block all non-essential traffic as an extra layer of defense and consider using a TLS-intercepting proxy for further auditing. You can also set Windows firewall policies so that only authorized applications are allowed to make network connections.

Prevent bypassing of protections

You should set a BIOS boot order so that the OS only loads from the hard drive and players cannot boot using USB. Set a strong BIOS password so players cannot alter these settings. If a player is able to boot their own device, its trivial to remove any protections set on the OS drive. You can also block USB storage to prevent unauthorized storage devices being used.

Record everything!

When it's not possible to have referees watching the players constantly, consider using a HDMI splitter or similar so that the screens of all PCs are recorded for offline review should any suspicious actions occur.

Watch for the stream

In team games, it's possible players who are dead or otherwise not active could alt+tab out to watch the event stream, or even look at monitors or screens in the arena. Streams should be delayed enough not to reveal important information, and players should be positioned such that they are unable to see any live feeds (watch out for reflections too!).