
Don't get spoofed - how cheats are avoiding hardware bans

Updated: May 20



When you browse through the relevant forums it becomes clear that, alongside looking for ways to cheat in a game, unscrupulous players are spending a lot of time searching for ways to get unbanned.

 

Anti-cheat software continues to improve, detecting more exploits and getting more players banned, which represents some sort of victory in the fight against cheats.

 

However, the increasing availability of and demand for Hardware Identity (HWID) Spoofers mean such a victory may be a hollow one, since spoofers enable cheats to avoid full hardware bans. So when they’re ‘caught’, they just buy another game account (as highlighted in our previous blog on Account Fraud) and are back playing and cheating in no time.

 

On the Intorqa platform we can see how the demand has increased over the last few months.



Figure: A time series chart (green bars) from the Intorqa platform showing the volume of mentions of 'spoofers' over the last year, for one FPS game

 

In this briefing we take a look at the extent of the problem and what publishers and their anti-cheat providers need to do to stop it.

 

What are HWID Spoofers?

 

First up, it’s worth reiterating these have nothing to do with the location spoofers that have plagued games like Pokemon Go over the years. When we talk about spoofers in this briefing we are talking about Hardware Identity, or HWID, spoofers.

 

They are also not to be confused with Hardware Cheats like Cronus Zen and DMAs - you can read about these in our previous briefing on DMAs.

 

HWID Spoofers are in fact tools or software that can be used to proactively manipulate or actually change the hardware identifiers (HWID) of a device.

 

Figure: The homepage for HWIDPLUS - a specialist spoofer vendor

 

These identifiers can be built from several hardware components including the motherboard, CPU, network adapters, and hard drive serial numbers, and are used to uniquely recognize a specific hardware configuration, typically for the purpose of tracking, authentication, or enforcement of rules in various contexts.

 

Critically, when a player is caught cheating in a video game, Game Security teams can use HWIDs to enforce bans - i.e. banning that HWID, so the player can no longer use that set-up, even if they go off to their friendly account marketplace and buy a new game account.


As The Daily Blogger on Medium says:


When you play a game, the anti-cheat system for that game will examine your hardware identifier (or HWID) to ensure that you are not a known cheater. If you have previously been banned from the game, the anti-cheat system for that game will keep your HWID on file. If you attempt to play the game with the same HWID after being banned, you will get a second ban.

 

However, if a player uses an HWID spoofer they can evade such bans.

 

That’s because the spoofer changes or masks the HWID of a device by altering serial numbers, swapping device identifiers and even uploading false information into system files. Effectively they trick the game into thinking you're a different player.

 

Here’s The Daily Blogger again:

 

A spoofing program is a piece of software that modifies your computer’s HWID. It does this by altering the data that your computer provides to the game server, giving the impression that you are using a new computer when you are really just playing on the same one. You will be able to circumvent prohibitions and play games without any limitations if you do this.

 

Most do this on a temporary basis and the original HWID will be back once the computer is restarted, but some can do it permanently (often called HWID Changers) with the new identifiers remaining even after a system reboot. These are frequently described as being riskier in the relevant forums and it’s easy to find reports of motherboards being broken and blue screens from despairing cheats!

 

Why do they pose a threat?

 

When you consider that a hardware ban is generally the most severe action a game security team can take against a player that cheats, the risk is significant.

 

By definition they are being used by players who cheat a lot. They’re either hiding an original HWID that has already been banned and logged on the game server, or they are simply savvy enough to hide their HWID in the first place. Either way, they’re unlikely to be first timers.

 

Of course, it's important to point out that HWID spoofers are not only used by cheats, and vendors will often highlight some of the more legitimate use cases.


In a recent blog Infinite Soft provided a few examples:


1. Unjust Bans: Sometimes, players receive HWID bans in Game X for reasons beyond their control, such as false reports or technical glitches. In such cases, HWID spoofers can help you regain access to the game without waiting for support from the game’s developers.

2. Hardware Upgrades: When you make significant hardware upgrades to your computer, like replacing your motherboard or GPU, it can result in a HWID ban. A HWID spoofer can prevent this from happening by masking the changes and avoiding detection.

3. Privacy and Security: Some players use HWID spoofers to enhance their online privacy and security by preventing game servers from collecting data about their hardware. However, remember that this practice may still violate the game’s terms of service.

 

All very worthy and of course no mention of cheating! But in case you’re wondering who Infinite Soft are, they sell spoofers and cheats. Lots of them.

 

Vendors also talk about how they’re not illegal, but will include the caveat that they do break the game’s Terms of Service (so will get you banned if you're found to be using one).

 

Where do they buy them?

 

So, if you are worried about the second-hand motherboard you picked up on eBay, live under surveillance in North Korea, or do in fact just want to cheat and not get banned, where would you find a spoofer?

 

Figure: Webpages selling HWID spoofers. Battlelog and SecureCheats are just two of the vendors of HWID

Well, it’s not difficult. There are 100s of sellers across the internet, from spoofer specialists to big cheat vendors offering it as just another upgrade to improve your gaming experience (and ruin everyone else's). Some are now bundling spoofers in with the cheat itself.


Price-wise they’re in a similar ballpark to the cheats that will be used once it’s installed, and like many cheats, subscriptions are offered alongside one-off lifetime prices.

 

Figure: Pricelist. Examples of subscription based pricing

Figure: Rust Spoofer and cheat ad. Bundles are increasingly being promoted

In terms of which games are targeted, you won’t be surprised to learn it’s the usual suspects - large multiplayer FPS titles - and in particular those with decent anti-cheat software and especially those that carry out hardware bans.

 

What can be done?

 

The good news is HWID spoofers and those using them CAN be detected through a combination of software and behavioral analysis. You just need to make sure you stay ahead of those developing the spoofers, which is not always easy as they constantly evolve.

 

Anti-cheat and security software is certainly getting better at detecting spoofers. Techniques including driver analysis, consistency checks, behavioral analysis and manual reviews are making it harder for spoofers to remain undetected.
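As an added illustration of the consistency checks mentioned above (this is not Intorqa's or any anti-cheat vendor's code), the sketch below runs over per-session hardware reports and flags two patterns: several component identifiers changing at once, and a fingerprint that reverts to an earlier value, as a temporary spoofer would produce after a restart. The field names, the sample telemetry and the threshold of three components are assumptions chosen for the example.

```python
from collections import defaultdict

# Components the briefing lists as HWID inputs; the field names are hypothetical.
COMPONENTS = ("motherboard", "cpu", "nic_mac", "disk_serial")

def _ids(mb, cpu, mac, disk):
    return dict(zip(COMPONENTS, (mb, cpu, mac, disk)))

# Constructed sample telemetry: (account, session number, reported identifiers).
SAMPLE_REPORTS = [
    # One component replaced between sessions: looks like a hardware upgrade.
    ("acct-upgrade", 1, _ids("MB-1001", "CPU-77", "aa:01", "D-501")),
    ("acct-upgrade", 2, _ids("MB-1001", "CPU-77", "aa:01", "D-902")),
    # Everything changes, then the original set returns after a restart.
    ("acct-flip", 1, _ids("MB-2002", "CPU-31", "bb:02", "D-610")),
    ("acct-flip", 2, _ids("MB-9f3a", "CPU-0c1", "fe:9d", "D-x77")),
    ("acct-flip", 3, _ids("MB-2002", "CPU-31", "bb:02", "D-610")),
]

def consistency_flags(reports, rotation_threshold=3):
    """Return {account: sorted flags} for accounts with suspicious histories."""
    history = defaultdict(list)
    for account, _session, ids in sorted(reports, key=lambda r: (r[0], r[1])):
        history[account].append(tuple(ids.get(c) for c in COMPONENTS))

    flags = defaultdict(set)
    for account, seen in history.items():
        for i in range(1, len(seen)):
            prev, cur = seen[i - 1], seen[i]
            # How many component identifiers differ from the previous session.
            changed = sum(a != b for a, b in zip(prev, cur))
            if changed >= rotation_threshold:
                flags[account].add("bulk_rotation")
            # Fingerprint changed back to one seen before the previous session.
            if cur != prev and cur in seen[:i - 1]:
                flags[account].add("reverted_fingerprint")
    return {account: sorted(f) for account, f in flags.items()}

if __name__ == "__main__":
    for account, raised in consistency_flags(SAMPLE_REPORTS).items():
        print(account, raised)
```

A flag here is a signal to feed into behavioral analysis or manual review rather than a ban decision on its own, which keeps the false-positive risk noted below in check.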

 

However, this silver lining has a cloud (and it’s not just the risk of false positives).

 

This is because even when they are detected, it is the spoofed ID and player account that gets banned - not the original HWID, so in effect the cheat just needs a new player account and a new HWID spoofer, to continue as before. It may cost them a bit, but not so much they’re likely to stop. So, while detections slow the cheats down, they're unlikely to stop them.

 

One option taken by some publishers is to enforce stricter security standards, such as the Windows 11 Trusted Platform Module (TPM 2.0), which can in effect serve as a hard-to-manipulate HWID. If anti-cheat software makes running TPM 2.0 a requirement for the game to launch, the impact seems pretty clear.

 

Of course, there is some friction here. It also doesn't take much digging around to find devs in cheat communities claiming they can hook the TPM files or even just delete the drivers for them from Windows\system32.

 

Which is another reason why it's essential for publishers to take pre-emptive action and target the developers and sellers of the spoofers directly, rather than focusing on the end users.

 

Target their marketing with takedowns to stifle their reach. Less marketing should mean fewer new customers and less $$$.

 

Continually procure and test the most popular spoofers so your anti-cheat engineers can increase detections. More detections will damage their reputation for reliability and word will spread.

 

Identify the key actors so your legal teams can go after the linchpins and disrupt the whole community. Some vendors only take notice when the cease and desists start rolling in.

 

Figure: Taken from the Intorqa platform, this time series chart shows the volume of posts about HWID spoofers in different vendor communities

Regular readers of our briefings won’t be surprised to know this relies on timely and actionable intel. Intel gained from infiltrating and monitoring cheat communities - both public and private - and analyzing and evaluating the products available and the threat actors providing them.

 

The better this intel, the more vendor marketing you’ll disrupt, and the more spoofers you’ll detect. Eventually, they’ll stop making enough money to make it worth their while, and will move on to another game. One whose security team doesn't have your intel.

 
