Gambling is big business, and a casino’s revenue will make the highest of high-stakes bets on the floor look like peanuts. Therefore, casinos implement rigorous procedures and processes, to make sure there is no cheating by customers. However, compared with computers, some security researchers reckon gambling regulations and security technologies are “a bit out of date.” and this leads to interested parties fabricating its own proof of concept tools, using the Raspberry Pi Zero.
Last September there was a particularly controversial Los Angeles Hustler Live Casino game streamed on YouTube. To cut a long story short, a relative novice bluffed a veteran, and Wired reports that “thousands of outraged poker players,” cried foul play, implying the novice had cheated in some way.
“Shuffle Up and Deal: Analyzing the Security of Automated Card Shufflers,” a Black Hat 2023 demonstration by IOActive’s Joseph Tartaro, Enrique Nissim, and Ethan Shackelford, is featured in WIRED.#BlackHat2023 https://t.co/eHOHi7Q9LeAugust 10, 2023
A subsequent months-long casino investigation concluded there was no foul play. However, the conclusion grated with Joseph Tartaro, a computer researcher and consultant with security firm IOActive. What particularly inflamed Tartaro’s spider senses was that the Deckmate shuffling machine (which some had suspected as being compromised) was totally beyond suspicion. “The Deckmate shuffling machine is secure and cannot be compromised,” stated the investigation conclusion, rather too confidently.
This statement was like showing a red rag to a security bull. It was even more interesting as a topic for further investigation, as the Deckmate is the most widely used automated shuffling machine in casinos.
Thus, a months-long investigation into Deckmate technology, by Tartaro and IOActive colleagues, began. The results were presented at the Black Hat security conference in Las Vegas on Tuesday.
IOActive acquired a few Deckmate machines and talked with experienced operators and engineers. Interestingly, the newest version is the Deckmate 2, often sits under a table next to players’ knees, and the device has an exposed USB port. If hackers have access to the device, then all bets are off.
The security researchers found that a hacking device inserted into the Deckmate 2’s USB port could “alter the shuffler’s code to fully hijack the machine and invisibly tamper with its shuffling.” Most people with a little knowledge of cards and gambling (or even movies featuring gambling) know that knowledge is power in these card games. In other words, someone who could garner any extra knowledge of the cards dealt could have a small to massive advantage.
The hacking device used by IOActive for its proof-of-concept casino cheating demonstration, plugging into the Deckmate 2 USB interface, was based around a Raspberry Pi Zero. IOActive say that a determined cheater could probably fashion a purpose-built device with the same functionality in a form factor as small as a typical USB dongle. With bags of money at stake, a cheater might be tempted to invest.
Moreover, you don’t even to be a card-playing genius to make sense of the Deckmate 2’s data, it even has a built-in camera, for deck verification purposes. IOActive found that the camera feed could be accessed to learn the entire order of the deck in real time. An obvious cheating method which could stem from this is that visual data could be sent to a nearby smartphone via Bluetooth, which the IOActive team also tested. The second person could work in cahoots with the player at the table, to signal a decision or strategy.
Tartaro said of the rather extensive sounding Deckmate 2 hack: “Basically, it allows us to do more or less whatever we want … We can, for example, just read the constant data from the camera so we can know the deck order, and when that deck goes out into play, we know exactly the hand that everyone is going to have.”
There were some other interesting research findings shared by IOActive. The team noted that the original Deckmate has no USB port, but could be tampered with in other ways, especially if there was a willing casino insider. Also some Deckmates were said to include a cellular modem for the manufacturer to monitor them. This opens it up more attack surfaces for man-in-the-middle attacks, or cellular signal spoofing.
Looking at quotes in the Wired report, the makers of the Deckmate series Light & Wonder, seemed to exhibit a head-in-the-sand approach to the warnings from IOActive. The firm stated that there is no known evidence of one of their devices being hacked on the Casino floor. However, an exec from the International Gaming Standards Association which sets standards in casinos, talked constructively about assembling a technical committee to look into IOActive’s findings. Ideas for better security were already suggested like removing the external USB port or some software / firmware modifications. We think it is probably a good idea to view IOActive’s work as constructive criticism, rather than dismiss it out of hand.