New Wired article about hacking slot RNG's

Quote: Skeptic

https://www.wired.com/story/meet-alex-the-russian-casino-hacker-who-makes-millions-targeting-slot-machines/

What an interesting read.

Alex, the hacker in the story, claims he has reverse-engineered programmable random-number generators (PRNGs), allowing him to identify when a slot machine will generate a big win. And, according to the story, Aristocrat admits he was perhaps successful on some of its older slot machines (many of which are still in use at many American and international casinos). Alex claims to have worked as a cryptologist for FSB (the Russian equivalent of the CIA/NSA). If Alex is correct, then all of us should probably be worried about a lot more than just jiggered slot machines.

As computer technology increasingly imbeds itself into every aspect of our lives, we become more at risk of people like Alex (and government agencies with whom they may work) attacking more than slot machines. Every level of government finds it next to impossible to protect their critical computer systems amidst today's rapid technological advances. These vulnerabilities put at risk systems such as electric distribution networks, for example. Might system weaknesses allow an "Alex" (individual or government entity) the ability to infect the computer controlling a city's traffic lights, shutting them down (or, worse, turning all lights green)? I think we've already seen where FAA computers have experienced problems (whether or not actually "hacked").

And, our government apparently requires technology companies to provide "back doors" it can use to access otherwise "secure" data. This puts everyone at risk if others identify how to compromise security critical to American infrastructure, all implemented so often now with out-of-date technology designed with "back-door" security flaws.

The ramifications are far-reaching. All encryption depends on the PRNG of the device doing the encrypting. If the RNG is predictable, or a purposefully flawed RNG is introduced in the system (think Android, iOS, Windows, Linux, etc) by state-sponsored intel agency then whatever encryption is based on that RNG is useless.

I got the impression he might have been bluffing about already exploiting the vulnerability of newer machines as he tried to extort the executive. Not to say, he didn't exploit earlier versions.

I'm skeptical Alex has anything on Aristrocrat. A junky slot maker like Novomatic, plausible, but Aristocrat I just don't believe. Modern machines like Aristrocrat change the outcome of a game thousands, many millions, of times per second. A human being is not going to be a able to press a button with such pinpoint accuracy. Even if they could, I would still be skeptical. The big boys like Aristrocrat, I think, seed their RNG's with white noise, which is not a repeating cycle.

Do you know if they code their own RNG or do they use whatever is built into the kernel of whatever flavor Linux they've modified to run their machines?

There are plenty of vulnerable RNG's out there.

Wiz -

He targets older machines. New machines, presumably, have better RNGs.



Note:

That article is getting a lot of traction. It was featured in today's CDC Gaming Reports email news brief. And I saw it on the 360 Vegas twitter.

Quote: DJTeddyBear

Wiz -

He targets older machines. New machines, presumably, have better RNGs.

The article mentioned 50 Dragons, which I believe is a fairly modern game.

Quote:

That article is getting a lot of traction. It was featured in today's CDC Gaming Reports email news brief. And I saw it on the 360 Vegas twitter.

Yes, it was an entertaining read but I'm still skeptical of the claims. Furthermore, I think Aristocrat would pay up if it believed the claims to be valid.

The Aristocrats ten years back or more, many people would be uncomfortable playing too fast because they had thought they went straight into nothing mode. It was a very popular belief amongst slot players that really isn't believed on newer machines. It makes sense if these guys waited patiently to gamble.

The article says it looks like the targeted slots are using a PRNG algorithm lifted from Knuth Vol 2. Using a 50 year old algorithm used to teach Comp Science majors isn't a good idea IMHO.

Quote: Wizard

I'm skeptical Alex has anything on Aristrocrat. A junky slot maker like Novomatic, plausible, but Aristocrat I just don't believe. Modern machines like Aristrocrat change the outcome of a game thousands, many millions, of times per second. A human being is not going to be a able to press a button with such pinpoint accuracy. Even if they could, I would still be skeptical. The big boys like Aristrocrat, I think, seed their RNG's with white noise, which is not a repeating cycle.

I can tell you for a fact this is true for several old Aristocrat cabinets. It's been going on for years before people figured out what they were doing.

Fun fact: I independently theorized the Russian teams knew the RNG algorithm a year ago before any of these stories broke.

Quote: lightningbolts

I can tell you for a fact this is true for several old Aristocrat cabinets. It's been going on for years before people figured out what they were doing.

Fun fact: I independently theorized the Russian teams knew the RNG algorithm a year ago before any of these stories broke.

Sounds like you know a thing or two about this. I don't deny that some old Aristrocrat games may have been vulnerable. Maybe some of these games are still floating around eastern Europe and South America. I am basing my opinions on the fact that today Aristocrat is huge and can afford to hire somebody who knows the latest technology on random numbers. Are they too cheap to do so? I doubt it, but I've been wrong before.

The problem is not the game, but the cabinet the game runs on. These cabinets are still in the US, but it's not entirely clear what machines still have this vulnerability. So blame Aristocrat for either not knowing or not disclosing and casinos for not knowing or not wanting to spend money to buy new cabinets (which I can't really fault them if they don't know which ones to replace).