“Basically, it allows us to do more or less whatever we want.”
The house doesn’t always win.
Researchers at the security firm IOActive say they’ve discovered that a card shuffling machine called the Deckmate, widely used by casinos and long thought to be impervious, is actually vulnerable to hacking, Wired reports — an exploit that could give a skilled cheater omniscient knowledge of every player’s cards.
The investigation was spurred by a gambling scandal last year, when during a game of poker, a newcomer holding a terrible hand called the bluff of a veteran player — a call so baffling that the commentator thought that the live graphics were displaying the cards incorrectly.
Accusations of cheating followed, along with an official investigation by Hustler Live Casino, the host of the scandalous game. The casino’s report concluded there was no evidence of foul play, and averred that the Deckmate used at the game was “secure and cannot be compromised.”
Under the Table
That’s where the IOActive researchers begged to differ.
“At that point, it’s a challenge,” Joseph Tartaro, a researcher at the security firm, told Wired.
Presenting at a Las Vegas security conference, Tartaro and his team found that the latest version of the card shuffler, the Deckmate 2, can be hacked through its exposed USB port.
They theorize that a conniving player could pretend to drop something, go under the table where the Deckmate lies, and plug a device into the USB port. And if physically plugging in a hacking device lacks subtlety, the researchers claim that it could also be hacked remotely through the Deckmate’s internal modem.
From there, cheaters could access the shuffler’s internal camera that watches the cards, and relay that data over Bluetooth to a phone held by a partner nearby who could communicate with a trick like hand signals.
As a test, IOactive researchers made a hacking device out of a Raspberry Pi, exploiting, among several vulnerabilities, faulty firmware that let them tamper with the Deckmate’s encrypted code without detection. They paired this with a Bluetooth app that displayed the hands of other players based on the data.
“Basically, it allows us to do more or less whatever we want,” Tartaro said.
Although the Deckmate 1 lacks a camera and a USB port, it could still have its computer chip breached by an employee, and be forced to not shuffle after a hand, for example.
“A skilled player with that little bit of an edge would 100 percent clean up,” Tartaro said.
Light & Wonder, the company behind Deckmate, asserts that none of its card shufflers “has ever been compromised on a casino floor,” the company said in a statement to Wired.
“IOActive’s testing was performed in a laboratory setting, under conditions which cannot be replicated in a regulated and monitored casino environment,” it added.
Tartaro and his team admit they haven’t tested in a real casino. Still, if their hacking method is as undetectable as they claim, then how would the manufacturer know if it’s been breached or not?
More on hacking: Someone Has Apparently Hacked the University of Arizona’s Website