
Russian hackers made up to $250,000 per weekend by using an app to tell them when to pull a trigger.

[...] custom app on the operative’s phone; those markers cause the handset to vibrate roughly 0.25 seconds before the operative should press the spin button.

“The normal reaction time for a human is about a quarter of a second, which is why they do that,” says Allison, who is also the founder of the annual World Game Protection Conference.

Sources:

Is this really possible for a person to be that accurate by hand? The timers (of the random generators of the slot machines) will probably be accurate to the millisecond, or even more, which should make it really impossible to hit exactly on time ("roughly 0.25 seconds"). And how could they have possibly synchronized their app with a machine?


Update

In the comments I was asked for a source for the assumption that they will probably be accurate to the millisecond.

The assumption is based on some googling, where amongst other things I found the book "Vorticity, Statistical Mechanics, and Monte Carlo Simulation" by Chjan C. Lim and Joseph Nebus.


Quote from the book

Frezzley
  • They don't have to hit it every time; as long as they improve their average odds of winning past the house advantage they are good to go. – ventsyv Feb 08 '17 at 13:11
  • @SVilcans (*)`modern slot machines`... article says they are raking cash for years. So they might target a specific model or generation of more vulnerable machines. – Mindwin Remember Monica Feb 08 '17 at 15:54
  • The story is almost identical to an old story from the book "The Art of Intrusion" https://www.ethicalhacker.net/features/book-reviews/mitnick-the-art-of-intrusion-ch-1-hacking-the-casinos-for-a-million-bucks just with the addition of phone apps rather than something less obvious. – Murphy Feb 08 '17 at 17:54
  • @ventsyv And the house advantage on slot machines is less than 1% over the long run. So cheating a slot machine would be very easy if there was any way to actually do it, compared to a table game. –  Feb 08 '17 at 19:09
  • I thought the house edge on slots was very high, particularly at low betting levels. – ventsyv Feb 08 '17 at 19:32
  • @SVilcans Actually, precisely due to that they might be *more* exploitable. If those machines use a non-cryptographically strong PRNG, you could keep track of a few tens/hundreds of trials (depending on the type of PRNG used) and then predict all future results. – Bakuriu Feb 08 '17 at 20:06
  • @Bakuriu Should not be possible. See http://skeptics.stackexchange.com/questions/8873/are-slot-machines-purely-random-or-do-they-pre-calculate-every-spin – liftarn Feb 09 '17 at 07:46
  • "will probably be accurate to the millisecond, or even more" Source needed. Relevancy needed. – NPSF3000 Feb 10 '17 at 00:20
  • @NPSF3000 I added the source to the original question. The relevancy is the human factor. I believe that a human can not be that accurate with a response to a vibrating cellphone. – Frezzley Feb 10 '17 at 08:01
  • *with an app* is not exactly the case. The app was only used to communicate with a computer that did the actual calculations (and receive the vibration trigger). –  Feb 10 '17 at 10:55
  • @Frezzley "I believe that a human can not be that accurate with a response to a vibrating cellphone." You haven't proven that a human *needs* to be that accurate. The article makes no such claim; it's just your bad hypothesis that suggests such a thing is necessary. – NPSF3000 Feb 10 '17 at 16:09
  • http://www.abc.net.au/news/science/2017-06-13/dr-karl-how-russian-cheats-beat-the-pokies/8607598 was an article about this, a pretty cringeworthy description of a pseudo random number generator, and also of how the house gets its cut. – daniel Jun 19 '17 at 17:11
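Added example (not from the question, the article or any of the commenters): a Python simulation of the timing premise debated above. It assumes a constructed toy generator that ticks once per millisecond, a 1/512 "jackpot" pattern, and a practised player whose press lands 250 ms plus or minus 25 ms after the phone vibrates, and it measures how far that imprecise press still shifts the odds when the favourable tick is known in advance. All constants are assumptions of the model, not data from the case.

```python
import random

# Constructed toy cabinet, not the Aristocrat Mark VI: a 32-bit LCG ticks once
# per millisecond while the game idles, and a button press samples the state at
# that instant. The top nine bits give three 3-bit reel symbols, so the
# "jackpot" pattern (7, 7, 7) has a 1/512 chance on an unassisted press.
A, C, MASK = 1664525, 1013904223, 0xFFFFFFFF

def timeline(seed, n_ms):
    """Generator state at each millisecond tick for n_ms ms after boot."""
    states, s = [], seed
    for _ in range(n_ms):
        s = (A * s + C) & MASK
        states.append(s)
    return states

def is_jackpot(state):
    return (state >> 23) == 0x1FF          # top 9 bits all set -> (7, 7, 7)

def simulate(seed=12345, n_ms=200_000, trials=5000,
             mean_latency=250.0, jitter_sd=25.0, rng_seed=1):
    """Return (assisted_hit_rate, unassisted_hit_rate).

    assisted: the app, which knows the timeline, vibrates mean_latency ms before
    the next jackpot tick; the human presses mean_latency +- jitter_sd ms later
    (the lead is tuned to the player's own practised mean, not a fixed 250 ms).
    unassisted: the human presses at a uniformly random tick.
    """
    tl = timeline(seed, n_ms)
    jackpots = [t for t, s in enumerate(tl) if is_jackpot(s)]
    rng = random.Random(rng_seed)            # fixed seed: reproducible run
    assisted = unassisted = 0
    for _ in range(trials):
        now = rng.randrange(0, n_ms // 2)
        target = next(t for t in jackpots if now + 400 < t < n_ms - 1000)
        signal = target - mean_latency
        press = round(signal + rng.gauss(mean_latency, jitter_sd))
        press = min(max(press, 0), n_ms - 1)
        assisted += is_jackpot(tl[press])
        unassisted += is_jackpot(tl[rng.randrange(n_ms)])
    return assisted / trials, unassisted / trials

if __name__ == "__main__":
    hit, base = simulate()
    print(f"assisted {hit:.3%} vs unassisted {base:.3%} "
          f"({hit / max(base, 1 / 512):.1f}x the baseline)")
```

With a 25 ms press jitter the assisted player lands on the exact jackpot tick only about 1.6% of the time, yet that is roughly eight times the 1/512 baseline, which is why millisecond accuracy is not required for the scheme to pay.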

1 Answer

Your question, as currently worded, is more of a physiological question: can a human respond to a stimulus in a quarter of a second?

Yes. From this journal article it appears that the mean is around 230 ms (controlling for equipment latency) for young, healthy adults. This online poll(?) gives 268 ms, which may or may not control for latency.

These individuals probably practice reacting to their stimuli so it becomes second nature.


We will probably never know exactly how they did it, but we can make educated guesses from known techniques and prior examples. This question cannot have a definitive yes or no given the restricted knowledge about this particular case, but it is very much a plausible reality that Russian hackers used phone apps and reaction times to cheat using a particular brand and model of slot machine.


There are probably going to be a decent number of assumptions about how this process works, given the sensitive and confidential nature of the casino business and the fact that the courts sealed the record, probably because of the sensitive nature of the subject.

A solid IT rule is that once a hacker has physical access to your machine, it is game over. No amount of security is going to keep your process or machine safe. The Russian crime ring (probably, though not confirmed) bought at least one machine from a bankrupt casino, specifically the Aristocrat Mark VI Electronic Gaming Device, to practice their technique.

The machines are described as having pseudo-random number generators (PRNGs) to create their randomness. But PRNGs are inherently deterministic or flawed (more), hence the "pseudo". Some PRNGs are good but some are broken.

Not only do you need a good algorithm, you also need a good implementation of it. The algorithm needs a good source of entropy to make the output more secure. If you use a static value as your entropy, say your birthday, the output from the PRNG will show a pattern; it becomes deterministic.

Warning: Conjecture

Having physical access to the machine, the hackers probably took the machine apart and examined the code looking for weaknesses. They evidently found a weakness in the Aristocrat Mark VI, which is why they specifically targeted that machine when using their technique. The creators of the slot machine could have used a static value for entropy, or the entropy is only gathered when the machine is turned on, or it only gathers new entropy and reseeds every hour. There are numerous ways their algorithm could be weak, and having the machine at your complete disposal allows you to find that weakness.

They may additionally have created a database of the PRNG's possible outcomes for a given entropy, similar to rainbow tables. Now, for any particular outcome, they could reference their database, determine the entropy used to seed the PRNG, and therefore predict any subsequent outcomes (because PRNGs are deterministic once the seed/entropy is known).

So the process probably went down like this:

while furtively holding his iPhone close to the screen

The hacker approached the machine and spent a few dollars rolling the slot machine, sending the video of the outcomes to his partners. Once enough samples had been recorded, he walked away for several minutes.

...then return a bit later to give the game a second chance.

During this time his partners were plugging the outcomes from consecutive rolls into their database. The rolls are analysed and the probable entropy or seed values are returned. The partners feed the value back to the hacker at the casino.

That’s when he’d get lucky.

Using a custom-built app, probably reverse engineered from the slot machine's own code, the seed is input and run. The app signals the hacker to pull the handle, giving the signal to push the button a quarter of a second before the winning values arrive in the roll.


The above process is more or less consistent with the article's description of what was happening.

They upload that footage to a technical staff in St. Petersburg, who analyze the video and calculate the machine’s pattern based on what they know about the model’s pseudorandom number generator. Finally, the St. Petersburg team transmits a list of timing markers to a custom app on the operative’s phone; those markers cause the handset to vibrate roughly 0.25 seconds before the operative should press the spin button.

Neither the hacker nor the app has to be accurate 100% of the time, just enough that the odds tilt in their favour. Even if they tilt the odds by 1% in their favour, over the course of thousands of pulls by four men over a week, that 1% adds up.

Again, the case was sealed, so much of the evidence is not available. (Official search here; login required.)

RomaH
  • "A solid IT rule is once a hacker has physical access to your machine, it is game over." It is game over for *that device*, but it isn't the case that all devices in the class are lost, which is what you are assuming here. – Oddthinking Feb 09 '17 at 12:51
  • "Even if they tilt the odds by 1% in their favour, over the course of thousands of pulls by four men over a week, that 1% adds up." [citation-needed] The house edge of slot machines varies, but less than 1% is very, very low. – Oddthinking Feb 09 '17 at 12:54
  • EGM in some countries is legally mandated to have a payout ratio of at least in the region of 80% credit bet, with further limits on the distribution of outcomes and actual payouts. They're also often legally restricted to having a payout ratio **below** somewhere in the mid-90% (to prevent possible circumvention and fraud). 1% edge on EGM would be ludicrously inefficient as a moneymaking enterprise; the casino operator knows that and has every reason to lower the payout ratio below 90%, so without the requirements to be as high, they have been known to drop as far as the 30-40% ratio. – Nij Feb 10 '17 at 07:13
  • Your links for "Some PRNGs are good but some are broken" are backwards. A Mersenne twister would be awful for a slot machine: if you see a few hundred consecutive outputs then subsequent outputs are predictable. This corresponds to the hackers' MO, BTW: observe outputs, give some time for the server to calculate the possible RNG states, come back, observe a few to re-sync, then profit. Dual_EC_DRBG would be fine for a slot machine: there may be a secret key that NSA knows that allows them to break it, but nobody knows how to break it without knowing that secret key. – Gilles 'SO- stop being evil' Feb 10 '17 at 17:47
  • @Oddthinking If the devices use the same software and hardware with the same out-of-box exploitable weakness, which seems to be the case, then yes, it is game over for every single device of that type. A good analogy would be padlocks with the same secret. Once you've got the key to open one of them, all of them are already defeated. This happens way more frequently than we in IT would like to admit... – T. Sar Jun 19 '17 at 14:09
  • @Tsar: No, this is taking a "solid IT rule" which is about a particular device, and incorrectly applying it to the class. If a hacker gets physical access to your Linux server, you can expect that they will be able to access the data on there... but not on every Linux server in existence. You give a very specific conditional, which makes it no longer a solid rule. – Oddthinking Jun 19 '17 at 21:46
  • The attacker doesn't need a super fast reaction time of 250 ms. For example, if they practice until they can pull the trigger reliably 480-520 ms after the signal, you just adjust the signal. – gnasher729 Jul 27 '20 at 14:43
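Added example (not the answer's or Gilles's code, and not the Aristocrat Mark VI's generator): a Python sketch of the conjectured "film a few spins, work out the seed, predict the rest" step that the answer and Gilles's comment describe. It assumes a constructed toy 32-bit LCG whose only entropy is the boot time in whole seconds since midnight, so there are just 86,400 possible seeds to check against the filmed results; the search is feasible only because of that small seed space, and seeding from 256 bits of OS-supplied entropy (and reseeding) is the "good source of entropy" that removes it.

```python
# Constructed toy cabinet, not the Aristocrat Mark VI: a 32-bit LCG whose only
# entropy is the boot time in whole seconds since midnight, so there are just
# 86,400 possible seeds and the whole space can be checked against a few filmed
# spins. A seed drawn from the OS CSPRNG (256 bits) would make the same loop
# hopeless, which is the "good source of entropy" the answer calls for.
A, C, MASK = 1664525, 1013904223, 0xFFFFFFFF
SEED_SPACE = 86_400

def spin(state):
    """Consume one generator output per reel; return (three symbols, new state)."""
    reels = []
    for _ in range(3):
        state = (A * state + C) & MASK
        reels.append(state >> 29)           # top 3 bits -> symbol 0..7
    return tuple(reels), state

def run(seed, n_spins):
    """The first n_spins results shown by a cabinet booted with `seed`."""
    out, state = [], seed
    for _ in range(n_spins):
        reels, state = spin(state)
        out.append(reels)
    return out

def candidate_seeds(observed):
    """Every boot seed whose opening spins reproduce the filmed results."""
    hits = []
    for seed in range(SEED_SPACE):
        state, ok = seed, True
        for reels in observed:              # stop at the first mismatch
            got, state = spin(state)
            if got != reels:
                ok = False
                break
        if ok:
            hits.append(seed)
    return hits

def predict(seed, n_seen, n_ahead):
    """Replay the n_seen filmed spins from the seed; return the next n_ahead."""
    return run(seed, n_seen + n_ahead)[n_seen:]

if __name__ == "__main__":
    filmed = run(41_372, 4)                 # four spins filmed at the cabinet (constructed)
    seeds = candidate_seeds(filmed)
    print(len(seeds), "seed(s) consistent with", len(filmed), "filmed spins")
    for s in seeds:
        print("seed", s, "-> next three spins", predict(s, len(filmed), 3))
```

Each spin reveals nine bits, so a handful of filmed spins pins down a 17-bit seed space; the defender's lever is not the human's timing but the size and freshness of the seed.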