Gaming and casino operators require top-notch IT security due to the sensitive nature of their operations, high revenue generated, storage of personally identifiable information, and regulatory compliance requirements. The most profitable area in a casino is the electronic gaming machines as they account for over 80% of gaming revenue according to research by the UNLV Center for Gaming Research Studies.
This case study showcases how JANUS Associates uncovered a critical vulnerability during a full vulnerability assessment and penetration test for a leading on-site casino and gaming operation. During testing of the gaming machine network, JANUS senior security engineers discovered a flaw in the code that enabled them to execute multiple commands. This case study highlights the negative impact this vulnerability could have had on the operations and overall profitability of the casino and how the electronic gaming machine manufacturer reacted after being informed about it.
The casino's electronic gaming machines were triggered into a continuous reboot loop. Once the vulnerability was identified, JANUS subject matter experts manually attempted to exploit the vulnerability to confirm it was not a false positive.
A number of other vulnerabilities were identified, with some proving to be false positives, while others were rated low to medium severity. One particular vulnerability that was exploited proved to be critical in nature and JANUS immediately paused all activities and notified casino IT security personnel of their findings.
Any machine in the series–regardless of whether it was in play or not–was subject to this flaw, causing the machines to initiate a reboot process that included: shutting down, powering back up, flashing the screens, activating the lighting and audio devices in the machines, and repeating the process in a continuous loop.
The SolutionJANUS security engineers fully documented the vulnerability and successfully executed it in the casino's sandbox environment without affecting production systems. Upon notifying the manufacturer about the flaw, they denied its existence, prompting JANUS and casino IT security personnel to fly to Las Vegas for a private demonstration. In a secure location with a sandbox environment set up, JANUS engineers ran the script against the test environment, causing all machines to shut down, reboot multiple times, flash their screens, and activate internal sounding devices before being shut down by JANUS personnel. The manufacturer took ownership of the issue and issued a patch for the specific machine series containing faulty code worldwide within 48 hours of being informed.
While the test was launched against a limited number of machines in a sandbox environment, one can only begin to imagine the chaos that would have erupted on the casino floor had 25, 50, or even 100 machines been affected. Such an attack would have forced the shutdown of all the electronic gaming machines on the floor and possibly caused a shutdown of all electronic gaming machines within the casino for an indeterminate period.
An attack of this nature would have certainly resulted in angry patrons demanding compensation for lost winnings, and ongoing financial losses while the issue was investigated and the machines were offline. Additional problems that could have arisen include reputational damage to the casino, adverse media coverage, possible class action lawsuits, and investigations by the state gaming commission.
Since 1988, JANUS has helped hundreds of government agencies, commercial entities, educational institutions, and not-for-profits protect their infrastructures, data, clients, and employees, and we have the references and testimonials to prove these claims. Our decade-long experience has allowed us to achieve deep expertise in every sector and specialty that exists, including yours.
Contact us directly to learn more about how a team of affordable professionals can help you secure your organization.