A vulnerability in gaming hardware allows fraudsters to know exactly which cards are in each player's hands.
Cybersecurity researchers gained access to the internal camera of the Deckmate 2 shuffle machine (a device for shuffling playing cards) to accurately find out the order of the deck and cards in the hands of each player at the poker table.
By connecting a small malicious device to the USB port of a shuffle machine, which is often located under a poker table without any external protection, IOActive specialists showed the public that they can easily carry out fraud in popular card games.
In September of last year, the world of high-stakes live poker broke out in a scandal: in one of the games at the Hustler Live casino in Las Vegas, a relative novice, with only a jack of clubs and a four of hearts, successfully forced an experienced player to discard the cards. Thousands of outraged poker players have argued that having such a weak move makes it impossible to force an opponent to save unless you have additional information that the opponent's situation is even worse than yours.
According to the researchers, using the discovered method of hacking the shuffle machine, you can get "one hundred percent complete control" over the cards on the table and in the hands of other players. Although experts have not yet managed to develop a hacking technique for laying out the deck in the order that the attacker needs, just knowing the full order of the cards gives a powerful advantage for fraud.
Knowing the order of cards can be particularly effective in Texas Hold'em, a popular form of casino poker. Since knowing the order of the deck, you can predict the exact composition of cards in the hands of all players, regardless of their actions. Even if the dealer shuffles the deck before dealing, as is usually done in high-stakes games, the cheater will be able to instantly understand the order of the top cards and calculate the cards of all players as soon as the first community cards are laid out.
Thus, vulnerabilities in shuffle machines pose a serious cybersecurity problem in the gambling industry. Although the manufacturer of Deckmate devices claims that none of their shuffling machines have ever been hacked in a casino, IOActive experts say that their method can still be applied in real conditions, taking care of proper secrecy.
According to experts, the main problem is that the requirements for the safety of gaming equipment are outdated and do not correspond to modern realities. For example, in the state of Nevada, regulators use an outdated approach of checking the integrity of code using hashing. Although in practice, more modern security methods are needed, such as cryptographic code signing.
In addition to the vulnerability described above, a number of other security flaws were found in Deckmate shuffle machines. In particular, passwords are weak by default and usually don't change. And the device's built-in software does not have a sufficient level of protection, allowing hackers to inject malicious code and bypass integrity checks.
As a result, this allowed you to get almost unlimited access and opportunities for fraud. The manufacturer of Deckmate will have to seriously review the security measures of its devices, and the US gambling regulators will have to tighten security requirements. Otherwise, incidents of cheating in poker based on hacking agitators will only multiply.
Cybersecurity researchers gained access to the internal camera of the Deckmate 2 shuffle machine (a device for shuffling playing cards) to accurately find out the order of the deck and cards in the hands of each player at the poker table.
By connecting a small malicious device to the USB port of a shuffle machine, which is often located under a poker table without any external protection, IOActive specialists showed the public that they can easily carry out fraud in popular card games.
In September of last year, the world of high-stakes live poker broke out in a scandal: in one of the games at the Hustler Live casino in Las Vegas, a relative novice, with only a jack of clubs and a four of hearts, successfully forced an experienced player to discard the cards. Thousands of outraged poker players have argued that having such a weak move makes it impossible to force an opponent to save unless you have additional information that the opponent's situation is even worse than yours.
According to the researchers, using the discovered method of hacking the shuffle machine, you can get "one hundred percent complete control" over the cards on the table and in the hands of other players. Although experts have not yet managed to develop a hacking technique for laying out the deck in the order that the attacker needs, just knowing the full order of the cards gives a powerful advantage for fraud.
Knowing the order of cards can be particularly effective in Texas Hold'em, a popular form of casino poker. Since knowing the order of the deck, you can predict the exact composition of cards in the hands of all players, regardless of their actions. Even if the dealer shuffles the deck before dealing, as is usually done in high-stakes games, the cheater will be able to instantly understand the order of the top cards and calculate the cards of all players as soon as the first community cards are laid out.
Thus, vulnerabilities in shuffle machines pose a serious cybersecurity problem in the gambling industry. Although the manufacturer of Deckmate devices claims that none of their shuffling machines have ever been hacked in a casino, IOActive experts say that their method can still be applied in real conditions, taking care of proper secrecy.
According to experts, the main problem is that the requirements for the safety of gaming equipment are outdated and do not correspond to modern realities. For example, in the state of Nevada, regulators use an outdated approach of checking the integrity of code using hashing. Although in practice, more modern security methods are needed, such as cryptographic code signing.
In addition to the vulnerability described above, a number of other security flaws were found in Deckmate shuffle machines. In particular, passwords are weak by default and usually don't change. And the device's built-in software does not have a sufficient level of protection, allowing hackers to inject malicious code and bypass integrity checks.
As a result, this allowed you to get almost unlimited access and opportunities for fraud. The manufacturer of Deckmate will have to seriously review the security measures of its devices, and the US gambling regulators will have to tighten security requirements. Otherwise, incidents of cheating in poker based on hacking agitators will only multiply.
