IN SEPTEMBER LAST year, a scandal blew up the world of high-stakes, livestreamed poker: In a hand at Las Vegas’ Hustler Live Casino, which broadcast its games on YouTube, a relative novice holding nothing but a jack of clubs and a four of hearts successfully called the bluff of a veteran player. No one could possibly think that poor hand might be good enough to call a bluff, thousands of outraged poker players argued, unless the person holding it had some extra knowledge that her opponent's hand was even worse—in other words, she must have been cheating.
Three months later, Hustler Live Casino published a postmortem of its investigation into the incident, finding “no credible evidence” of foul play. It also noted that if there were cheating, it was most likely some sort of secret communication between the player and a staff member in the production booth who could see the players' hands in real time. But when Joseph Tartaro, a researcher and consultant with security firm IOActive, read that report, he zeroed in on one claim in particular—a statement ruling out any possibility that the automated card-shuffling machine used at the table, a device known as the Deckmate, could have been hacked. “The Deckmate shuffling machine is secure and cannot be compromised,” the report read.
To Tartaro, regardless of what happened in the Hustler Live hand, that assertion of the shuffler's perfect security was an irresistible invitation to prove otherwise. “At that point, it's a challenge,” Tartaro says. “Let's look at one of these things and see how realistic it really is to cheat.”
In sum, their shuffler hacking technique gives a cheater “100 percent full control,” says Tartaro, who demonstrates IOActive’s findings in the video below. “Basically, it allows us to do more or less whatever we want … We can, for example, just read the constant data from the camera so we can know the deck order, and when that deck goes out into play, we know exactly the hand that everyone is going to have.”
For now, the IOActive researchers say they haven't yet had time to engineer a technique that would cause the Deckmate to put the deck in the exact order of their choosing—although they're certain that too would be possible. Regardless, they argue, merely knowing the full card order, rather than changing it, offers an even more practical cheating strategy, one that's far harder to detect.
Tartaro says the technique could be used to cheat in any number of card games, but that it would be particularly powerful in Texas Hold'em, the popular version of poker played in most casinos, including in the notorious Hustler Live Casino hand. That's because in Texas Hold'em, knowing the order of a deck would allow someone to predict the exact makeup of everyone's hand, independent of any decisions they make in the game. Even if a dealer cuts the deck before dealing, as most do in high-stakes casino games, Tartaro says the cheating player would still be able to immediately figure out the order of the cards on the top of the deck and in every player's hands as soon as the three “flop” cards are exposed—the public-facing, shared cards dealt out at the beginning of a Hold'em hand.
The IOActive team also looked at the earlier model of the Deckmate, known as the Deckmate 1, which has no external USB port and no internal camera. The researchers say that the earlier model, which was the one actually used in the Hustler Live Casino game, could nonetheless still be hacked to cheat in a game if a rogue casino staffer or maintenance person had an opportunity to open the shuffler's case and access a particular chip that stores its code. In that case, despite the lack of an internal camera, the cheater could still hack the shuffler to reorder cards—or they could simply prevent the Deckmate from shuffling the deck when a dealer picks up everyone's cards after a hand, giving the cheater information about the location of those previously played cards. "A skilled player with that little bit of an edge would 100 percent clean up," says Tartaro.
IOActive's hacking technique exploited glaring security vulnerabilities they found in the shufflers, the researchers say: They bought their own Deckmates for testing from second-hand sellers, one of whom told them a password used for maintenance or repair. They found that this password and others they extracted from the Deckmates' code were configured in the shuffler with no easy way to change them, suggesting they likely work on almost any Deckmate in the wild. They also found that the most powerful “root" password to control the shuffler—which, like all the Deckmate's passwords, they declined to publicly reveal—was relatively weak.
Perhaps most crucially, the researchers' hacking technique took advantage of another vulnerability in how Deckmate shufflers are designed to prevent their code from being altered: The machine's firmware is designed to take a "hash" of its code on startup, a mathematical function that converts the code into a unique string of characters and then checks whether that string is different from the known hash value of the unaltered code. But IOActive's researchers found that they could simply change that hash value, too, so that the hash of the altered code matches it and no change to the code is detected.
State-level regulators in the US also use that hashing function to perform checks on machines' integrity as a means to prevent cheating and to ensure that casinos don't reprogram gaming machines to give themselves an edge. But the IOActive researchers say they could easily alter the Deckmate to pass that check even while it runs their cheating code. “You're basically asking a compromised device if it's compromised,” Tartaro says.
When WIRED wrote to Light & Wonder, the gaming device company that sells the Deckmate, it responded to IOActive's findings in a statement: "Neither the DeckMate 2 nor any other L&W automatic card shuffler has ever been compromised on a casino floor. Furthermore, IOActive’s testing did not identify any defects or design flaws in the DeckMate 2 card shuffler; and IOActive’s testing was performed in a laboratory setting, under conditions which cannot be replicated in a regulated and monitored casino environment."
In response, IOActive's researchers point out that it would be almost impossible for Light & Wonder to know with any certainty that none of its shufflers have ever been compromised in a casino. Countering the company's claim that IOActive found no flaws in the Deckmate 2, the researchers allowed WIRED to review emails between IOActive and Light & Wonder's engineering team in which the gaming company thanked IOActive for sharing its findings, noting that it was aware of some of the issues and was already planning to fix them, while others were unknown to the company and would be fixed as part of its future product roadmap.
As for whether their hacking method could be carried out in an actual casino, the IOActive researchers admit they haven't tried. But they argue it would be doable with the right operational stealth. In their proof-of-concept demonstration, the IOActive researchers used a Raspberry Pi minicomputer, smaller than an adult's palm, plugged into the Deckmate 2's exposed USB port. But they say a determined cheater could build their attack into a far smaller device, no bigger than a USB dongle. Because the Deckmate typically sits underneath a poker table, a cheater could pretend to have dropped something and quickly plug in the device. Or they could plant it on a shuffler at a table where no one is playing so that it's ready whenever that table is put into action. And it may be easiest to compromise the shuffler in transit, as part of its maintenance process, or before it's installed, rather than when it's on a live casino floor.
In some cases, the researchers say, it might even be possible to hack a shuffler without connecting a device to it, instead using its cellular connection. Some Deckmates, which are rented on a per-use basis from Light & Wonder, have a cellular modem that communicates with the manufacturer to allow the company to monitor its use. In that case, a cheater might be able to plant a fake cellular base station nearby, trick the shuffler into connecting to that device rather than a real cellular tower, and then use that initial point of remote access to carry out the same tricks without ever touching the shuffler.
To make any Deckmate run their altered code, IOActive's hacking technique would have to restart the device, taking the shuffler offline for about a minute. But the researchers say that restart could be performed in the middle of a hand, since the dealer only uses the shuffler intermittently, and it often sits idle for minutes at a time. The only clue that the shuffler was being restarted would be a green LED status light on its top face briefly turning off. But even that could probably be prevented, the IOActive researchers believe, if they spent long enough reverse-engineering the shuffler's code to find that status light function.
IOActive's researchers argue that the Deckmate's vulnerabilities point to a larger problem of outdated standards in the requirements for casino equipment set by the state-level boards that regulate it in the US. The Deckmate, for instance, meets the Nevada Gaming Control Board’s requirement for a hash-based check of the device's code on restart. But in fact, Tartaro says, that standard should have required a much stronger measure like “codesigning”—that the code be cryptographically “signed” with a key that only the manufacturer possesses, which would have made the shufflers far harder to hack. “We noticed with some of the gaming standards that they're a bit out of date with terminology and approach,” says Tartaro. “They didn't really seem to be up to snuff for modern security.”
The Nevada Gaming Control Board didn't respond to WIRED's request for comment. But Mark Pace, the vice president of the International Gaming Standards Association, which creates standards for interoperability but doesn't enforce security requirements, says that the IGSA will be closely examining IOActive's findings and might convene a technical committee to look into them. “The short-term fix might just be eliminating the entry point,” Pace says, “or there may be a more sophisticated software solution.”
Pace also notes that IOActive's work shows how some state-level regulators might have misjudged the seriousness of shufflers' security, even as they enforce stricter standards like code-signing on traditional gaming devices. “Shufflers may be considered critical components, but they may not be thought of as being equally critical as, for example, a slot machine or an electronic table game like automated roulette,” Pace says. “So some regulators may say you have to have signed software going into a gaming device, but you don't necessarily have to have signed software in a shuffler.”
Tartaro notes that even if state-level gaming regulators' standards are updated or Light & Wonder does issue a fix for the Deckmate—whether that's an enclosure to block its vulnerable USB port or a software patch—there will no doubt be some small casinos or private, backroom games that continue to use vulnerable versions. And the next time there's a cheating scandal over a game where one player seems to have a little too much knowledge of her opponents' hands, he hopes investigators will take a hard look at the shuffler under the table, too.