Quote:
Originally Posted by smoothcriminal99
I think you guys are missing the point. I can attach a USB and alter the deck tracker’s code to cause certain events to always happen and then remove the USB. Keeping the USB plugged in isn’t necessary unless you want to constantly alter the code remotely, which is not necessary to cheat.
Any software needs software updates. The fact is there will always be vulnerabilities for cheaters. The way this is designed does seem very susceptible to cheating though, to be honest. The easiest way to tell if they’re incredibly vulnerable is to see if they’re ever used on the casino floor. If a casino is using it with their own money, it’s probably reasonably secure. If they’re using other products, there’s probably a reason (lack of security being the most likely).
My bad... I guess I misunderstood the article, and IOActive's technique. In the video, they attached that little Raspberry Pi device to the USB. But indeed, the Wired article says:
Quote:
In some cases, the researchers say, it might even be possible to hack a shuffler without connecting a device to it, instead using its cellular connection. Some Deckmates, which are rented on a per-use basis from Light & Wonder, have a cellular modem that communicates with the manufacturer to allow the company to monitor its use. In that case, a cheater might be able to plant a fake cellular base station nearby, trick the shuffler into connecting to that device rather than a real cellular tower, and then use that initial point of remote access to carry out the same tricks without ever touching the shuffler.
So maybe a better fix would be to not allow it to connect to anything wirelessly? Just require all updates – software, firmware, deck libraries – to be installed through some physical connection. When it comes to monitoring usage numbers, a technician would have to come over and pull that info at certain intervals. This is already done with devices like copy machines, even ones that are constantly online. Just do the same for a casino shuffler. Slightly less convenient? Yes. Far more secure? Also yes.
Alternatively, could there be a happy medium in which the dealer pulls a deck from the device, then for good measure, gives it one more quick shuffle? Then even if someone HAD compromised the system and knows the order of the cards, that single step negates the info sent from the DM2 to a cheater's phone. Even a quick overhand shuffle would do the job. I know in my home games, I sort of absent-mindedly do this when people are posting their blinds, etc. Sure, this adds a little more time, but the combo of a shuffling machine and one human shuffle is still much, much faster than a human doing all seven riffle shuffles. So it's still a net gain.
Anyway, curious to see the response from Deckmate's manufacturers. Apparently, the engineering team is "already planning to fix them," so I look forward to seeing what measures are put in place.