The Week in Security: Researchers hack ‘unbreakable’ card-shuffling hardware, shut after breach


Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security. This week: Researchers kick it Ocean’s Eleven style with an attack on card shuffling machines. Also: A software vulnerability could be behind a breach that shut down Discord’s invite system.

AWS Builder Community Hub

This Week’s Top Story

Hackers Rig Casino Card-Shuffling Machines for ‘Full Control’ Cheating 

History has shown us that there are few better ways of getting a piece of technology hacked than to declare it secure and “un-hackable.” The latest case in point: the Deckmate 2, an automated card shuffling machine used in casinos around the world. After an investigation into an alleged incident of cheating in a high stakes poker tournament prompted an official investigation that declared the Deckmate shuffling machine one that “is secure and cannot be compromised,” three IOActive researchers took up the implicit challenge. Spoiler alert: the Deckmate was, in fact, hackable. 

At a presentation at DEF CON, researchers Joseph Tartaro, Enrique Nissim and Ethan Shackelford of IOActive presented the results of a months-long investigation into the Deckmate. As reported by Wired, the three found attackers could employ a simple USB-enabled minicomputer to gain total control over the machine, potentially allowing a poker player to know exactly what cards the dealer and other players hold and, thus, become unstoppable at the table.

Tartaro and his fellow researchers were able to alter the shuffler’s code to hijack the machine, and tamper the shuffling process. They also were able to access an internal camera on the Deckmate, giving them the ability to know exactly which cards were being dealt and to whom. However, as of yet the IOActive researchers have not been able to engineer a technique that allows for them to choose the exact order of cards via this remote access. Light & Wonder, the makers of Deckmate, said in emails to the researchers that they are in the process of patching the issues discovered by the researchers. The company denies the compromises have been used against machines deployed on a casino floor. So if…