Has the one-armed bandit met its match in the sophisticated cyber-thief?
Consider the case of a mysterious Russian math whiz and cyber-gang leader known only as “Alex” who reportedly figured out how slot machines manufactured by Australian gaming company Aristocrat Leisure generate the pseudo-ransom numbers that determine when a machine’s odds shift in favour of the player. After sending accomplices into casinos worldwide to win big money using this knowledge, he later attempted to extort Aristocrat for even more money, threatening to leak his exploit to the company’s competitors.
From marking cards to loading dice to hiding cameras in your sleeve, cheating the house is a tradition as old as casinos themselves. But electronic gambling games like slots come with their own highly unique risks, which sophisticated cyber-criminals are more than happy to exploit.
If poker is the casino’s foremost game of strategy and skill, then slots is its mindless antithesis: Place your bet, press the button, repeat. Heck, these days you don’t even have to pull the giant lever anymore, or catch all the coins spilling out of the machine in a big plastic cup when you hit triple cherries.
Blaine Graboyes is well aware of the risks. A digital entrepreneur and executive producer with a background in social gaming and eSports, Graboyes now serves as CEO of GameCo, Inc., a manufacturer of video game gambling machines (VGMs) – a new concept that combines skill-based games with the luck elements of slots.
But Graboyes is not about to rely on luck when it comes to keeping his machines secure, especially as the gaming industry continues to assess the popularity and long-term viability of VGMs. Graboyes recently talked us about the precautions his company has taken to ensure that its machines are not tampered with or hacked:
PCTA: As the CEO of your company, how involved and invested are you in your gambling machines’ security?
Blaine Graboyes: Security is definitely not in my title as CEO. However, we are in a licensed and regulated business. I’m what’s called the key licence holder for GameCo. I am investigated, regulated, and approved by gaming regulators and ultimately, I am the one most responsible for all aspects of the products’ compliance, which would absolutely include security. So I would say it’s an area that I take a great deal of interest and concern in… Coming from online social and physical games, it was something that I spent a lot of time learning about in the first few years, so that I had a good understanding of the product that we were building at GameCo.
PCTA: Tell us more about the regulations and security compliance standards your machines are required to meet.
BG: “Our product is built under a standard called GLI-11, and that standard is created by a company called Gaming Laboratories International. And so first and foremost was familiarising myself and my team familiarising themselves with the GLI standards, which do cover a number of areas of security, starting with physical security. These [machines] are very robust, physical metal cabinets that are placed onto the casino floor, with locks and other security controls to gain access. Then you have the betting and ‘patron fairness’ aspects of the game, that [ensure] the games are paying out what they’re supposed to, that patrons understand how the games work. And then you also have jurisdictional requirements: States or jurisdictions like New Jersey, Nevada, Macau or tribal jurisdictions… have some of their own requirements. And then you also have casinos’ specific requirements. So it’s not uncommon that our products are first tested and approved under the GLI standard for a particular jurisdiction, then tested by a jurisdictional lab for regulatory approval under their requirements, and then thirdly tested by the actual operators themselves, both for security, patron fairness, and accounting and economic.”
Well before we were developing our product, I was interacting with regulators and compliance labs, needing to understand their process and requirements, and ultimately I found them to be incredibly collaborative. They have their responsibility to their jurisdictions and their patrons and their stakeholders, but ultimately they want to work with you to get new, innovative products on the floor…
PCTA: From an attack surface/vector standpoint, what are some of your biggest areas of risk?
BG: “The supply chain is one. That is mitigated by working with top-tier suppliers that are completely focused on the gaming industry. I would say the potential [supply chain issues] that could arise the most would be in our CPUs. We buy our CPUs from a company called Quixant. They only work with gaming manufacturers like ourselves. This is their entire business. They manage that supply chain incredibly tightly, so we’re able to have a very high degree of confidence in the product that they’re delivering to us.
On top of that is our OS. We use a custom build of Windows Embedded 7. We engage with two external security firms in building out our specific deployment of Windows Embedded 7. One of those security firms builds missile systems and other high-tech products. We created a very tight set of requirements… And then we worked with another security firm that’s run by former Israeli military. They also work with very high-end clients… on the security side of things, and ultimately that firm worked with our internal engineering department to ensure that the requirements set by that first security provider were met and in some cases even exceeded.
PCTA: What about the developers who program the games?
BG: One thing that’s very interesting about our company is the fact that we make the platform, and not the game. So we make the platform that handles the user interaction, the betting, the peripherals, the communication with the casino. We do not make the games. [For that,] we work with third-party developers. Those developers implement our API through a game development or software development kit. And so inside of our software development kit API, we’ve built in a number of security levels to ensure that the game developers cannot compromise the games with a ‘Konami code’-style hack. You know: press up, down, up, down, left, right, left, right, A, B, A, B, to get some outcome there…
Our API handles all of the betting and interaction with the games… Each game has a maximum potential win, the most amount of money or points you can collect in a given game. Our API then passes that information to the game. If, for whatever reason, the game replies with a result that is greater than what our platform told it and is expecting, the game will automatically tilt and alert a technician…
And everything that happens in our game is logged… We do an amazing amount of logging that actually exceeds the level of logging required by the GLI standard or by most of the jurisdictional labs or slot labs… Typically a jurisdiction might ask you to log the last 10, 20, 50, 100 games. We log the last thousand games. We log that in non-volatile, read-only ROM… so that we can come back from an audit perspective and show that the games are having the outcome that we’ve said that they are.
PCTA: What about insider threats within your own workforce?
BG: One of the areas that’s very important to us is our own employees. Because we are a licensed gaming regulator, we do a high level of diligence and background checks on all of our employees.
PCTA: You’ve covered the manufacturing, programming, and game development process. But how do you protect your machines once they’re on the casino floor?
BG: First, it starts with the casino itself… Anyone who can get near a machine is licensed and regulated, as well as [subject to] background checks. They’re incredibly well-managed by the casinos themselves.
There are a number of physical and software protections on the floor. First is the security of the machine itself. Very few people have the key to even open it. As soon as the machine boots, it is immediately locked out and secured. Depending on the jurisdiction, the machines use a secure boot technology with an incredibly high level of encryption.
There’s a thing in most casino games call GAT – Game Authentication Terminal. So when we send the game to a compliance lab, they pull a cache of all the… software, showing the version numbers of every major component in our game. That list of serial numbers and version numbers is stored in our approval letter by the regulator. When the game is then deployed on the floor, regulators then come out to the floor and use software though this GAT protocol to confirm that the version of software that is on the hardware is the same version of software that was approved. At that point, everything is locked, every port is taped with special security tape by the regulators, and any act after that point would require the regulator returning to the floor, pulling the tape, overseeing the process and then re-verifying the game versions after the fact.
PCTA: Are you familiar with the reports of the Russian hacker known as “Alex” who essentially learnedhow to cheat Aristocrat slot machines? What is your reaction to threats such as this one?
BG: “I was definitely aware. I would say everyone in our industry became very quickly aware of what happened there…
I would say our evaluation of that hack was that we are in a very good position to weather something like that. First of all, you have to play the game, so you have to be skilled at playing the game and getting the highest possible score there. But in addition to that, our machine itself would recognise any win higher than the win that’s expected in that game session. But I thought it was very, very interesting what happened there, and definitely something that we evaluated and considered in our product.
PCTA: Based on your previous experience with video games and eSports, what so you see as some of the more prominent threats facing social, mobile, and console games?
BG: For me, the things that I was always thought of are risks around payments and economic, and then risks around personal information and the accessing of user data… Thankfully most of the major platforms now do some great work on their own, whether it’s Facebook or the app store stream Xbox or PlayStation… And then the other big one is personally identifiable information. I would say the easiest way to deal with that is to never store it, and that was always my approach in making products…
We do the same thing at GameCo. We never know anyone’s personal data, and we have no personal interest in that. And then if for whatever reason your game or company requires that, I would say that really ups the ante in terms of how you’re managing the storage of that. And we’ve definitely seen over the last few years that even some of the biggest companies… have had database hacks resulting in the release of personal information about their customers. So I would say the easiest solution is to never get that data in the first place.
PCTA: What is your take on cyber extortion attempts against content providers -gaming and entertainment companies, such as when an attacker steals a company’s digital assets and threatens to leak them to the public?
BG: This is something I’m very interested in. I’m also a board member at the Producer’s Guild of America and actually have sat in on and participated in working groups on these subjects… First and foremost, entertainment companies need to recognise that they are a technology company, and they need to have a security chain from end to end that they are responsible for. And in particular, that means they’re service providers as well. It’s highly incumbent on editorial companies, post-production companies, and technology companies serving in the entertainment industry to have the absolutely highest degree of security protocols and standards that anybody else in the business would have.