How to hack casino card-shuffling machines

Security researchers have demonstrated how they were able to exploit a flaw which allowed them to hack the card-shuffling devices used in casinos and poker rooms.

The "Official Shuffler of the World Series of Poker", the DeckMate 2, came under the scrutiny of researchers from IOActive who wanted to find out if it contained vulnerabilities which could help somebody cheat in a game of cards.

To understand why the DeckMate 2 became the focus of attention, one has to know a little background on a recent controversy which flared up in the world of livestreamed poker on 29 September 2022.

As Brobible describes, a high-stakes poker game saw a shock win of a seemingly poor hand by Robbi Jade Lew over Garrett Adelstein - raising accusations of cheating.

A subsequent investigation failed to find any credible evidence of wrongdoing.

But one of the investigation's conclusions made the researchers at IOActive raise an eyebrow:

"The Deckmate shuffling machine is secure and cannot be compromised"

A claim like that heard by a vulnerability researcher is like a red flag to a bull, and this week IOActive's experts presented their the results of a months-long investigation into the security of the automated shuffling machine used in casinos worldwide.

The most recent version of the DeckMate, the DeckMate 2 released in 2012, has a number of impressive features.  Not only can it shuffle a deck of cards in just 22 seconds, but it also boasts a built-in camera which can ensure that every card is present in deck of cards before the deck is played.

New DeckMate 2 devices cost more than $20,000 and are not supposed to be available for purchase without a gaming license.  However, the researchers were able to get their hands on a second-hand DeckMate 2 and discovered it had an exposed USB port.

As the researchers described to Wired, and in a presentation at the BlackHat conference in Las Vegas, plugging a small device into the USB port could interfere with the DeckMate 2's operation.

Specifically, they found they could alter the firmware on the card-shuffling machine, gaining access to its internal camera in order to learn the order of the entire deck in real-time and transmit it via Bluetooth to a nearby phone.

It's easy to imagine how information about the order of the cards that were being dealt could be transmitted to a member of the audience, who could then send coded signals to the cheating player.

Although IOActive's research did not find a technique that would force the DeckMate to sort cards into a particular order, the researchers felt that would be possible if they had had more time to look into it.

Joseph Totaro, one the research team, told Wired that the technique would be particularly powerful if someone wanted to cheat at Texas Hold'em poker - the variant of poker being played in the controversial hand by Robbi Jade Lew over Garrett Adelstein. However, there is no suggestion that the DeckMate was compromised on that occasion.

And, of course, you would need nerves of steel to pull off a hack like this in a real casino, surrounded by hundreds of people and thousands of security cameras, rather than in a test laboratory.