CanuteTheGreat's BLOG

Author: canutethegreat

  • Technical Analysis of Cheating in Video Games: Methods, Detection, and Countermeasures

    Technical Analysis of Cheating in Video Games: Methods, Detection, and Countermeasures

    Abstract

    Cheating in video games represents a significant technical and economic challenge to the gaming industry, with the cheating software market generating revenues estimated at $73.2 million annually. This paper examines the technical implementation of cheating methods, anti-cheat detection systems, and the ongoing technological arms race between cheat developers and game security teams. The analysis focuses on kernel-level architecture, memory manipulation techniques, hardware-based Direct Memory Access (DMA) cheating, and machine learning-based behavioral detection systems. Additionally, psychological factors influencing cheating behavior are examined through the lens of Self-Determination Theory and competitive motivation research.

    1. Introduction

    The proliferation of competitive online gaming has created a persistent security challenge: players using unauthorized software and hardware to gain unfair advantages. As of 2025, anti-cheat systems protect over 338 games using kernel-level drivers, with Easy Anti-Cheat deployed in 155 titles including major franchises such as Fortnite and Apex Legends. The technical sophistication of both cheating methods and countermeasures has escalated dramatically, moving from simple memory editing to kernel-mode drivers and hardware-based attacks that operate outside traditional software detection boundaries.

    2. Cheat Implementation: Technical Architecture

    2.1 Memory Manipulation Techniques

    Modern game cheats fundamentally operate by reading and modifying game process memory. The technical implementation varies based on the attack vector and required privilege level.

    Direct Memory Reading: Cheats read game memory to extract positional data, health values, and other game state information. This data extraction enables features such as Extra Sensory Perception (ESP) overlays that display enemy positions through walls. The cheat software identifies memory addresses through pattern scanning or static analysis of game binaries, then continuously reads these memory locations to obtain real-time game state information.

    Memory Writing: More invasive cheats modify game memory to alter player attributes, remove weapon recoil, or manipulate game physics. These modifications require write access to the game process memory space and are more easily detected by anti-cheat systems monitoring for unauthorized memory modifications.

    2.2 Common Cheat Categories

    Aimbots: Aimbots automatically adjust player crosshair position to track enemy targets. Technical implementation involves reading enemy position vectors from game memory, calculating the required mouse movement using vector mathematics, and either directly manipulating mouse input or modifying aim-related memory addresses. Advanced aimbots implement smoothing algorithms to mimic human movement patterns and configurable Field of View (FOV) restrictions to avoid suspicious snapping behavior. Implementation typically includes bone targeting systems that allow selection of specific hit locations (head, torso) and prediction algorithms for moving targets that calculate trajectory based on enemy velocity vectors.

    Wallhacks/ESP (Extra Sensory Perception): These cheats render visual information about hidden game objects. Technical approaches include modifying rendering pipelines to draw occluded objects, reading positional data from memory and creating overlay graphics, or manipulating depth buffer and occlusion culling systems. ESP implementations display player positions, health bars, distance measurements, and equipment information through overlay rendering systems that operate either as internal hooks into the game’s DirectX/Vulkan rendering pipeline or as external applications capturing screen output and injecting overlay graphics.

    Recoil Control/No-Spread: These modifications eliminate weapon recoil patterns and bullet spread mechanics. Implementation involves identifying and neutralizing the random number generation or pattern systems that control weapon inaccuracy. This can be accomplished through memory manipulation of recoil vectors, hooking and modifying game functions responsible for calculating bullet trajectory, or directly manipulating player view angles to counteract recoil patterns in real-time.

    2.3 Privilege Levels and Ring Architecture

    Modern x86 processors implement protection rings (Ring 0-3) that determine privilege levels for code execution. Understanding this architecture is crucial for both cheat development and detection.

    Ring 3 (User Mode): Standard applications, including games, execute at Ring 3 with restricted privileges. User-mode cheats operate at this level but are limited in their ability to hide from detection and access system resources. Ring 3 anti-cheat solutions similarly operate with restricted visibility into system operations.

    Ring 0 (Kernel Mode): The operating system kernel and device drivers execute at Ring 0 with complete hardware access. Kernel-mode cheats load as drivers (legitimate or exploited) to gain unrestricted memory access and the ability to intercept system calls. As anti-cheat systems moved to kernel-mode detection, cheat developers responded by developing kernel-mode cheats that could hide their presence and evade detection.

    The escalation to Ring 0 warfare represents a critical inflection point in anti-cheat technology. A Ring 3 anti-cheat cannot effectively monitor or block Ring 0 cheats, as the kernel-level code can hook the very system calls that user-mode detection relies upon. This fundamental limitation forced anti-cheat developers to deploy kernel-mode drivers that load during system boot, before potential cheat drivers can establish hooks.

    2.4 Cheat Loading Mechanisms

    DLL Injection: The most common user-mode technique involves injecting a Dynamic Link Library (DLL) into the game process memory space. Methods include CreateRemoteThread, manual mapping that bypasses the Windows loader, and reflective DLL injection that loads code without creating files on disk.

    Driver Exploitation: Kernel-mode cheats exploit vulnerabilities in legitimate signed drivers to gain kernel access. Techniques include Bring Your Own Vulnerable Driver (BYOVD) attacks, Driver Signature Enforcement (DSE) bypass through bootloader exploits, and manual driver mapping using tools like KDMapper that parse PE files and load drivers directly into kernel memory without Windows verification.

    EFI Bootkits: The most sophisticated cheats operate at the UEFI firmware level, loading before the operating system kernel. These require physical access or extensive system compromise but are nearly impossible to detect from within the operating system.

    3. Anti-Cheat Technologies

    3.1 Client-Side Detection Systems

    Signature-Based Detection: Anti-cheat systems maintain databases of known cheat signatures—byte patterns, file hashes, and behavioral fingerprints. This approach quickly identifies known cheats but fails against custom or frequently updated cheat software.

    Heuristic Analysis: More advanced detection employs behavioral analysis to identify suspicious patterns: abnormal memory access patterns, hooking of graphics APIs, or injection of code into the game process. Heuristic systems examine process behavior to identify characteristics common to cheating software even without exact signature matches.

    Memory Integrity Verification: Anti-cheat drivers continuously scan game memory using checksum comparisons, code section validation, and detection of hooks or patches to game functions. Systems monitor for modifications to critical game code and data structures.

    3.2 Kernel-Level Anti-Cheat Architecture

    Modern anti-cheat systems deploy kernel-mode drivers that operate at Ring 0, providing comprehensive system visibility. Analysis of leading anti-cheat implementations reveals common architectural patterns:

    Riot Vanguard: Deployed in Valorant and League of Legends, Vanguard loads during system boot before any potential cheat drivers. The system implements live process memory validation using checksum-based comparisons, monitors IRP_MJ_CREATE and IRP_MJ_DEVICE_CONTROL for IOCTL abuse, and detects device access from Ring 3 malware. Vanguard’s persistent architecture includes self-healing mechanisms via reboot-triggered reinstalls. Critically, Vanguard dumps PCIe slot configuration data at game launch to detect hardware anomalies indicating DMA devices and analyzes chipset characteristics for evidence of firmware tampering.

    BattlEye: Utilized by PUBG, Rainbow Six Siege, and 45+ titles, BattlEye implements a lightweight hypervisor layer built on Intel VT-x or AMD-V virtualization technologies. This approach monitors page access and memory execution flows while capturing kernel call stacks and return addresses to identify rogue drivers. The hypervisor architecture provides visibility into memory access patterns that would be invisible to traditional kernel drivers.

    Easy Anti-Cheat (EAC): Developed by Epic Games and deployed in 155 games, EAC employs behavioral analysis, signature-based detection, and heuristic methods. The system provides real-time monitoring and detection capabilities but has faced criticism for delayed ban implementation that allows cheaters to disrupt gameplay before removal.

    Valve Anti-Cheat (VAC): Unlike its competitors, VAC operates exclusively in user-mode (Ring 3), limiting its detection capabilities against kernel-mode cheats. The system employs delayed ban mechanisms and signature-based detection but struggles with sophisticated cheating methods. VAC’s design philosophy prioritizes user privacy and minimal system intrusion over maximum detection capability, resulting in higher false negative rates compared to kernel-level solutions.

    3.3 Machine Learning-Based Detection

    Recent developments in anti-cheat technology leverage machine learning to identify cheating through behavioral analysis rather than software signatures.

    Behavioral Pattern Recognition: ML systems analyze gameplay telemetry including mouse movement patterns, aim adjustment timing, reaction speeds, and accuracy distributions. Research by Pinto et al. (2021) demonstrated convolutional neural networks achieving 99.2% accuracy in detecting triggerbots and 98.9% accuracy for aimbot detection by analyzing multivariate time series data from player-computer interactions.

    Transformer-Based Detection: The AntiCheatPT project introduced transformer architectures for cheat detection in Counter-Strike 2. Using a dataset of 795 matches generating 90,707 context windows, the AntiCheatPT_256 model achieved 89.17% accuracy and 93.36% AUC on test data. The model analyzes 256-tick sequences containing 44 data points per tick, including player positions, view angles, and action timing to identify statistically anomalous behavior patterns.

    Neural Network Implementations: AI-powered systems like Anybrain’s solution claim over 99% accuracy in cheat detection by creating digital fingerprints of player behavior. These systems can identify cheaters across multiple accounts through behavioral pattern matching. Machine learning approaches offer the advantage of detecting previously unknown cheats and adapting to evolving cheating methods through continuous training.

    3.4 Server-Side Validation

    Beyond client-side detection, server-side anti-cheat validates game state consistency and player actions:

    Hit Registration Validation: Servers verify that reported hit events are geometrically possible given player positions, view angles, and weapon characteristics. Impossible shots (e.g., hits without line-of-sight) trigger automated flags.

    Movement Analysis: Server-side systems detect physics violations including impossible movement speeds, teleportation, or noclip behavior by validating position updates against movement constraints.

    Statistical Anomaly Detection: Long-term analysis of player statistics identifies outliers whose performance exceeds human capability thresholds. Headshot percentages consistently above 80-90% or reaction times under 150ms trigger investigation.

    4. Hardware-Based Cheating: DMA Attacks

    4.1 DMA Architecture and Implementation

    Direct Memory Access (DMA) represents the current frontier in cheating technology. DMA cards bypass traditional software-based anti-cheat entirely by reading system memory through hardware interfaces.

    Technical Operation: DMA devices, typically FPGA-based cards from manufacturers like Squirrel DMA, LeetDMA, and PCILeech, connect via PCIe, Thunderbolt, or USB-C interfaces. These devices read system RAM directly through the memory bus without CPU involvement or operating system visibility. The DMA card connects to a secondary computer running cheat software that processes extracted memory data.

    Memory Reading Process: The DMA card maps physical memory addresses and reads game data directly from RAM. Pattern scanning techniques identify relevant game structures (player positions, health values, etc.) within the memory space. This extracted data transfers to the secondary computer for processing and visualization.

    Input Manipulation: Advanced DMA setups incorporate devices like KmBox that emulate mouse and keyboard input. The secondary computer calculates required aim adjustments or automated actions, then sends commands to the KmBox, which generates physical input signals indistinguishable from legitimate peripheral input to the gaming computer.

    4.2 Detection Challenges

    DMA-based cheating presents extraordinary detection challenges:

    Hardware-Level Operation: Because DMA operates through hardware interfaces rather than software, traditional anti-cheat cannot detect the memory reading process. No process runs on the gaming computer, no code executes in game memory space, and no API hooks exist to monitor.

    External Processing: All cheat logic executes on a separate computer. The gaming system remains “clean” with no detectable cheat software, making behavioral analysis the only viable detection method.

    Physical Input Emulation: KmBox devices generate authentic USB HID input signals. To the operating system and anti-cheat software, these appear identical to legitimate mouse and keyboard input, making input-based detection extremely difficult.

    4.3 Anti-DMA Countermeasures

    Despite significant challenges, anti-cheat developers have implemented partial countermeasures:

    PCIe Device Enumeration: Riot’s Vanguard dumps PCIe configuration space data at game launch, reading device identifiers from all connected PCIe devices. Stock DMA devices have known identifiers that can be blacklisted. However, sophisticated users flash custom firmware that spoofs legitimate device identifiers, mimicking network adapters or other common PCIe peripherals.

    Firmware Fingerprinting: Anti-cheat systems analyze PCIe device firmware characteristics, examining response patterns and configuration data for anomalies. Custom firmware that perfectly emulates legitimate devices (1:1 emulation) can defeat this detection, though developing such firmware requires significant reverse engineering effort.

    Behavioral Detection: Since DMA cheats still manifest in gameplay as superhuman accuracy or impossible information usage, behavioral ML systems remain the most effective countermeasure. Statistical analysis of aim patterns, pre-fire timing, and information usage can identify players using information they shouldn’t possess.

    IOMMU Restrictions: Some anti-cheat proposals suggest leveraging Input-Output Memory Management Unit (IOMMU) technology to restrict DMA access, though implementation complexities and potential system instability have limited adoption.

    5. Machine Learning in Cheat Detection

    5.1 Statistical Approaches

    Research by Alayed et al. (2013) pioneered behavioral cheat detection using Support Vector Machines (SVM) to identify aimbots based on server-side gameplay logs. Their server-side approach analyzes only gameplay data without requiring client-side software or privacy-invasive monitoring, achieving high accuracy rates in controlled testing.

    5.2 Deep Learning Architectures

    Convolutional Neural Networks: Pinto et al. (2021) demonstrated that CNNs analyzing multivariate time series of player interactions (mouse movements, keyboard input timing, game state changes) can classify legitimate versus cheating gameplay with 99.2% accuracy for triggerbots and 98.9% for aimbots. This approach requires no game-specific feature engineering, enabling deployment across multiple games without modification.

    Long Short-Term Memory Networks: Research into LSTM architectures for cheat detection in online exams demonstrated 90% detection accuracy for various forms of academic dishonesty. Similar approaches adapted for gaming contexts analyze temporal patterns in player behavior sequences to identify anomalous patterns characteristic of automated assistance.

    Transformer Models: The AntiCheatPT architecture processes 256-tick context windows with 44 features per tick (positions, velocities, view angles, actions) through transformer layers. Data augmentation via Gaussian noise addition to coordinate data prevents overfitting on specific map locations while preserving relative positioning. The model achieved 89.17% accuracy detecting hardware-level cheats through behavioral patterns alone, demonstrating that even DMA-based cheating manifests detectable statistical signatures.

    5.3 Implementation Challenges

    Data Requirements: Effective ML models require massive labeled datasets of both legitimate and cheating gameplay. Obtaining reliable ground truth labels presents significant challenges, as determining definitively whether a player cheated in historical data is difficult.

    False Positive Rates: SARD Anti-Cheat advertises a false positive rate under 0.001%, but even this low rate becomes problematic at scale. In a game with 1 million players, 0.001% false positives would incorrectly ban 10 players—an unacceptable user experience impact.

    Adaptability: Cheat developers actively develop countermeasures to ML detection, including “humanization” features that add randomness to aimbot movements and timing variations to automated actions. This creates an ongoing adaptation race between detection algorithms and evasion techniques.

    Computational Cost: Real-time behavioral analysis of millions of concurrent players requires substantial computational infrastructure. Balancing detection accuracy against system resource consumption presents engineering challenges for anti-cheat deployment at scale.

    6. Psychological Factors in Cheating Behavior

    6.1 Self-Determination Theory Analysis

    Research applying Self-Determination Theory to gaming contexts reveals psychological mechanisms underlying cheating behavior. A study by Lee et al. (2023) with 322 competitive gaming community members found opposite associations between intrinsic and extrinsic motivation types and cheating propensity.

    Intrinsic Motivation: Players motivated by enjoyment, interest in mastery, and inherent satisfaction from gameplay demonstrate negative associations with cheating behavior. Autonomy and relatedness needs positively influence intrinsic motivation, which in turn reduces cheating through enhanced engagement with legitimate gameplay challenges.

    Extrinsic Motivation: Players motivated by external rewards (ranking, monetary prizes, social status) show positive associations with cheating likelihood. When the perceived value of rewards exceeds the psychological cost of dishonest behavior, players demonstrate increased willingness to cheat. This effect amplifies in environments emphasizing competitive ranking and visible achievement markers.

    Competence and Achievement: Interestingly, the competence psychological need showed no significant direct effect on either motivation type in gaming contexts, contrasting with findings in sports and education domains. This suggests gaming environments may engage competence needs through different mechanisms than traditional achievement contexts.

    6.2 Competitive Motivation and Aggression

    Research by Sung et al. (2021) analyzing 329 League of Legends players identified three primary psychological factors associated with cheating:

    Competitive Motivation: Players exhibiting high competitive motivation for advancement and winning demonstrated significantly higher cheating propensity. In environments where game ranks serve as social currency and can translate to monetary rewards through esports participation, external pressure to achieve high performance intensifies.

    Self-Esteem: The relationship between self-esteem and cheating proved complex. Self-esteem positively correlated with competitive motivation, creating an indirect pathway to cheating behavior. However, self-esteem alone did not directly predict cheating, suggesting its influence operates through mediating factors.

    Aggression: Aggression emerged as a significant predictor of cheating behavior. Players scoring higher on aggression measures demonstrated lower psychological barriers to rule-breaking and antisocial behaviors. Aggression also correlated with misperceptions that inappropriate behaviors are socially acceptable within gaming communities.

    6.3 Moral Disengagement

    Competitive gaming environments can induce moral disengagement where players apply different ethical standards to virtual competition than to real-world situations. Research indicates that competitive pressure and environmental factors (prevalent cheating in a game, lack of visible enforcement) reduce moral reasoning levels, making cheating psychologically easier to rationalize.

    Environmental Factors: Games with visible cheating problems create normative perceptions that cheating is acceptable or necessary to remain competitive. This social proof effect reduces individual players’ psychological resistance to cheating.

    Anonymity and Reduced Accountability: Online gaming pseudonymity reduces perceived consequences of unethical behavior, lowering inhibitions against rule violations. The psychological distance between online personas and real-world identity facilitates moral disengagement.

    7. Economic Impact and Industry Response

    7.1 Market Economics

    The cheating software industry generates substantial revenue. Analysis suggests the market produces between $60-73.2 million annually, with premium DMA setups costing $10,000+ and subscription-based software cheats ranging from $20-200 monthly. This economic incentive drives continuous cheat development and sophisticated evasion techniques.

    7.2 Developer Investment

    Major publishers invest heavily in anti-cheat infrastructure. Riot Games offered $100,000 bounties for security researchers identifying Vanguard vulnerabilities. Activision’s Ricochet development represents multi-year, multi-million dollar investments. The ongoing arms race requires continuous engineering resources, diverting development capacity from feature development to security maintenance.

    7.3 Player Experience Impact

    Survey data indicates over 50% of gamers admitted to using cheats in some form as of 2022. This prevalence severely impacts legitimate player experience, with cheating consistently ranked among the top complaints in competitive gaming communities. Player retention and game longevity directly correlate with perceived fairness and effective anti-cheat implementation.

    8. Future Directions

    8.1 AI-Generated Gameplay

    Emerging threats include AI-generated gameplay that mimics human behavior patterns while providing assistance. Kanervisto et al. (2022) demonstrated GAN-Aimbot, a proof-of-concept using generative adversarial networks to create aimbot assistance that remains hidden from both automated detection and manual review. These techniques generate artificial gameplay indistinguishable from skilled human players, representing a potential future evasion method.

    8.2 Computer Vision Cheats

    Advanced cheating systems employ computer vision models trained to detect enemies from screen captures, combined with physical input injection devices. These “external” cheats analyze game output through capture cards, process enemy detection via neural networks on separate hardware, and inject aim corrections through physical input emulators. Detection requires identifying subtle patterns in aim adjustment timing or movement characteristics, as no software presence exists on the gaming system.

    8.3 Quantum-Resistant Verification

    Future anti-cheat systems may leverage trusted execution environments (TEE), attestation protocols, and cryptographic verification of game state integrity. Hardware-based attestation using TPM modules or secure enclaves could verify system integrity and prevent unauthorized code execution, though implementation complexity and compatibility challenges remain significant barriers.

    9. Conclusion

    The technical landscape of video game cheating represents a continuous escalation cycle between increasingly sophisticated attack methods and detection systems. From simple memory editing to kernel-mode drivers and hardware-based DMA attacks, cheat technology has evolved to exploit fundamental architectural characteristics of modern computing systems.

    Anti-cheat technology has responded through kernel-level detection, machine learning behavioral analysis, and hardware monitoring, but detection remains imperfect. DMA-based cheating in particular presents extraordinary challenges due to its hardware-level operation outside traditional software monitoring boundaries. The most promising detection approaches combine multiple techniques: kernel-level visibility, hardware enumeration, server-side validation, and ML-powered behavioral analysis.

    Psychological research reveals that cheating behavior stems from multiple interacting factors including extrinsic motivation driven by rewards and status, competitive pressure, and environmental normalization of cheating. Addressing the cheating problem requires both technical and psychological interventions: robust detection systems combined with game design that emphasizes intrinsic motivation and community norms against dishonest behavior.

    As gaming technology advances, the arms race will continue. Emerging challenges including AI-generated gameplay and computer vision systems suggest that perfect cheat prevention may be impossible. The focus must shift toward rapid detection, behavioral analysis, and fostering gaming communities and competitive structures that intrinsically discourage cheating through design rather than purely technical enforcement.

    References

    Alayed, H., Frangoudes, F., & Neuman, C. (2013). Behavioral-based cheating detection in online first person shooters using machine learning techniques. 2013 IEEE Conference on Computational Intelligence in Games (CIG), 1-8.

    AntiCheatPT (2025). A Transformer-Based Approach to Cheat Detection in Competitive Computer Games. arXiv:2508.06348v1.

    Collins, S., Poulopoulos, A., Muench, M., & Chothia, T. (2024). Anti-Cheat: Attacks and the Effectiveness of Client-Side Defences. Proceedings of the 2024 Workshop on Research on Offensive and Defensive Techniques.

    ESEA (2018). ESEA Hardware Cheats – Update. ESEA Blog, October 23, 2018.

    Lee, S.J., Jeong, E.J., Kim, D.J., & Kong, J. (2023). The influence of psychological needs and motivation on game cheating: insights from self-determination theory. Frontiers in Psychology, 14:1278738.

    Pinto, J.P., Pimenta, A., & Novais, P. (2021). Deep learning and multivariate time series for cheat detection in video games. Machine Learning, 110, 2637-2660.

    Riot Games (2020). /dev/null: Anti-Cheat Kernel Driver. League of Legends Developer Update.

    Sung, J.E., Jeong, E.J., Lee, D.Y., & Kim, G.M. (2021). Why Do Some Users Become Enticed to Cheating in Competitive Online Games? An Empirical Study of Cheating Focused on Competitive Motivation, Self-Esteem, and Aggression. Frontiers in Psychology, 12:768825.

    University of Birmingham (2024). Study of Anti-Cheat System Effectiveness in Video Games.

    Vanguard Technical Analysis (2024). How Anti-Cheats are vulnerable to basic direct memory access cards. Medium, September 3, 2024.

  • Always Tired?

    Always Tired?

    I started a new job back in July and it is a job that I enjoy. I get to wear several hats. My official job titles are Principal DevSecOps Engineer and Head of Cybersecurity. That’s my bruce wayne job. Also back in July I was recruited to work for a gov contractor. This is my batman job. I’m the only non-military, non-intelligence guy on the team. It’s kind of funny to listen to them talk during meetings. Heavy military and intel lingo at times. For various reasons I can’t share the name of the company, but I’ve come to refer to them as the Secret Squirrel Society and I work on the Secret Squirrel Project. I’m sure some of them would be pissed if they knew that, but I think it’s funny and mean it in a fun-spirited way, not in a negative way. anyway.. I can’t say what the project is or involves. I went from junior team member assisting the lead dev as a favor to one of the founders to being the led dev in about 2 months. I’ve rewritten the backend api from scratch and I wrote a custom ui (actually I’ve written 4 completely separate ui’s from scratch – the other 3 are abandoned now in favor of my current one.) Now I have a tiny glimpse into understanding why bruce wayne stopped being batman after working two full-time jobs – not to mention all the damage he did to his body being a superhero!

    *cough*unrelated*cough* go watch the movies eagle eye (2008) and dark knight (2008) if you haven’t seen them already. Some pretty cool things in those movies involving cameras and AI. Just say’n…

  • The Mystery of The Dying Wi-Fi

    The Mystery of The Dying Wi-Fi

    I recently migrated from a 802.11b/g/n mesh network with a base and two satellites to two standalone 802.11a/b/g/n/ac/ax access points. The reason for going from mesh to a two separate standalone APs was due in part to housing downsize and separating IoT, guests, and questionable devices from my personal, trusted, devices.

    Shortly after making the migration I started noticing frequent, but random disconnects on the 2.4GHz network on the IoT AP for about half a dozen devices. There are approximately 50 devices connected on this AP in total, so having 6 of them disconnect randomly seemed a bit odd. To make things even more interesting, these 6 devices would not automatically reconnect after they disconnect. Seems like a mystery is brewing, and I love a good mystery!

    I started digging into the mystery by making sure the AP had the latest firmware (it did) and confirmed the configuration settings were correct (they were.) Then I tried to identify anything in common between the 6 devices (they were all TP-Link Kasa smart devices.) I thought maybe one of the Kasa devices were malfunctioning and started taking them offline one at a time. No dice! The problem persisted!

    I continued my investigation trying various other things such as reducing the Wi-Fi protocol to only older ones and a bunch of other things. None of this really made much difference outside of slowing down the disconnect rate of the 6 devices.

    Eventually I decided something else must be going on so I set up logging on the AP and had the logs shipped to a machine on my network that runs rsyslog. I went through the logs and discovered something that was not visible in the APs interface nor in the normal event logs: there was a unknown device attempting to connect about once per second but failing to complete the connection. Looking up the MAC address revealed that is was manufactured by “Tuya Smart Inc.”

    Knowing the manufacturer didn’t really help that much other than tell me it was some sort of “smart” device. The next step was a process of elemination where I went throughout the house unplugging every smart device for a few minutes at a time by either unplugging them, which did not reveal the mystery device, or by turning the breakers off in the electrical box. I eventually narrowed things down to one room.

    Once I began looking at what was present and plugged in, I realized there was a “smart” thermometer on the wall in this room. As it turns out, this thing has Wi-Fi, and was not connecting correctly. After removing the power (AC and batteries) the constant connection attempts on the AP completely stopped. The reason this went unnoticed for months was because I do not use the app associated with this “smart” thermometer, but my spouse occasionally does. Apparently she hadn’t used it for a few months to notice it wasn’t working any longer…

    I ended up doing a factory reset on the “smart” thermometer, reconfigured it, and it has been behaving fine since (a few years now).

    Mystery solved!