Security researchers demonstrate how a nefarious gambler could alter a shuffling machine to gain an edge at the poker table using a small hack.
A controversial poker game at a Los Angeles Casino led to accusations of cheating, but the players involved claimed that there was no foul play. Now, a Security researcher and his colleagues have demonstrated that a hacking device inserted into the machine’s USB port could have altered its code and manipulated shuffling, proving that the Deckmate shuffling machine could be compromised.
In the aforementioned Los Angeles poker game, a player was accused of using a device to view the cards in the deck. The other players believed that the person in question used a hacked Deckmate shuffling machine to learn the order of the deck. While the casino claimed that their Deckmate shuffling machines were unalterable, the IOActive team investigated the matter.
Led by security researcher Joseph Tartaro, the IOActive team investigated the Deckmate shuffling machines used in the casino. Their goal was to prove that the device could be compromised by a knowledgeable player.
“The scenario is as follows: an attacker has physical access to a Deckmate 2 shuffling machine, inserts a specially crafted device into a USB port of the device, and uses that device to alter the machine’s code and manipulate shuffling,” Tartaro explains.
The hacking device used in the demonstration was a Raspberry Pi Zero, a $5 computer. By inserting the Raspberry Pi Zero into the Deckmate’s external USB port, the researchers could alter the machine’s code and change the order of the cards.
Tartaro and his team also investigated the Deckmate 2, the newest version of the machine. The researchers discovered that the newer model has an exposed USB port, unlike its predecessor. In addition, the Deckmate 2 has a built-in camera, which could be used to learn the entire order of the deck in real time.
The researchers suggest that the camera feed could be accessed by another device, such as a smartphone, to aid cheating. They also note that visual data could be sent via Bluetooth to a nearby smartphone, allowing the player to see the cards via their mobile device.
“Using a device such as a smartphone, the attacker could send a video stream of the camera to aid their cheating,” Tartaro explains. “Of course, the attacker would have to conceal the fact that they are recording the video output of the machine for their own use.”
The IOActive team also suggests that Deckmate’s security could be improved by removing the external USB port or making software/firmware modifications.
In a statement to The Security Ledger, Light & Wonder, makers of the Deckmate series, dismissed the warnings from IOActive.
“The allegations made by IOActive are not applicable to the Deckmate 2 shuffling machines in operation today,” the company says.