By Jane Melia, Ph.D., Vice President Strategic Business Solutions, QuintessenceLabs
Casino owners place a high premium on tight security. After all, the house always wins and it wants to keep on doing that. A recent Wired article, however, explains how a team of Russian hackers managed to beat a surprising number of casinos worldwide. They did so by exploiting inherent flaws in some of the pseudo-random number generators (PRNG) used in certain slot machines to generate supposedly unpredictable outputs. Even if you don’t care about wealthy casino bosses losing money, you still need to be concerned about the drawbacks to using PRNGs because slots aren’t the only things that can be vulnerable. Most of the keys used for encryption are also based on pseudo-random numbers that can be impacted by these flaws.
What’s in a Name?
Before going into detail about how the heists were carried out, let’s talk about PRNGs and why pseudo can make slot machines and other supposedly secure devices vulnerable to attacks. As the prefix “pseudo” indicates, the numbers generated by a PRNG are not truly random. PRNGs are programs that start with a base number known as a seed. The seed gets tumbled together with other inputs such as another algorithm and a random-ish physical component such as the timing of the strokes on a user’s keyboard. Both humans and computers are really bad at random so if someone is able to measure the pattern of your keystrokes and/or break one of the algorithms used, they can reverse engineer the other inputs and predict the next numbers in the “random” sequence. Find the pattern, break the code and the jackpot (or encrypted data) is yours.
One- and Two-Armed Bandits
In the case of the Russian casino swindlers, they were given a head start by Vladimir Putin who had gambling outlawed in that country in 2009. This meant a lot of slot machines were available on the cheap. Take apart a few machines, figure out how the PRNGs work and you’re nearly there. In this case, since the inputs for some of the slot machine PRNGs changed based on the time of day, the hackers had to do more generic avodart work on-site at the casinos. The leg man would set himself up in front of a machine and video a dozen or more spins using his smartphone. The video would be streamed live to his colleagues in St. Petersburg who would analyze the video and use what they knew about the machine’s innards to predict its pattern. Then they would send a list of timing markers that caused the phone to vibrate a split-second before a winning combination comes up, signaling casino guy to hit the spin button. It didn’t work every time but it was a whole lot more effective than chance – somewhere around $250K per week more effective.
To make things worse, not only did the engineered cheat allow a shadowy St. Petersburg group to snatch millions of dollars, the problem they exploited is a fundamental part of the PRNGs of some popular slot machines, making casinos still vulnerable to this kind of fraud. That brings us back to cybersecurity issues. Any devices that use weak seeds (such as time of day, keystrokes) for their random number generators, or devices whose random number generators do not use strong enough algorithms to expand those inputs, can be vulnerable to hacking in the same way as those slot machines are. This issue will only get worse as the processing power of attackers continues to increase, resulting ultimately in the use of quantum computers in times ranging from 5-10 years.
The Future is Yesterday
The only way to generate true random numbers, i.e. random numbers that are really unpredictable, is by using a naturally random phenomenon. Quantum cyber-security companies, for instance, use the fully entropic (or completely random) nature of the quantum world to generate true random numbers that are the basis for the strongest possible encryption keys. Quantum key generation addresses the weaknesses of PRNG exposed by these casino hackers and will stand the test of the coming quantum computing storm, allowing us to rest assured that our medical records, tax returns, classified government documents, corporate secrets are that much safer. Bet on it.