Las Vegas:
An IS Perspective on New Slot Machines
A recent trip to Las Vegas prompted an "aha moment". After I got over the initial shock of how much things have changed since the days when I used to frequently travel to Vegas (I was one of those thousands who used to regularly attend the COMDEX show), I ventured back onto the gaming floor. Aside from having a lot more poker tables than I remember from 8 years ago, the thing that struck me was that the slot machines changed. Where once the gaming floors were full of the "jing, jing, jing" of coins hitting the metal trays of the slot machines, there are now magnetic card readers, bar code scanners and separate machines that convert bills into "credits" and back again. Money gets converted to digital bits, printed on bar-coded cards that players plug into slot machines and "all payouts are by cash out slips only". The Gaming Industry has gone high tech and like all firms that have valuable information resources, they need to protect them. Imagine for a moment being able to "sniff" the traffic on the wire between the gaming floor and the casino's data center! As a matter of fact, I was so interested in the new style of slot machine that I devoted the better part of an afternoon to researching "Server Based Gaming".
It turns out that Server Based Gaming (SBG) is the newest trend in slot machines and isn't as new as I thought, having been around since 2006. If your mind is like mine, you are already thinking about the security implications of turning stand alone, totally autonomous slot machines into computer terminals. Of course the stand alone slots were not without problems but digitizing financial data and sending it zipping across a network has a unique set of concerns that any financial institution will attest to. Storing data on a centralized server is Security Best Practice 101 and few could argue against the wisdom of it. However, the issue becomes more complicated when we consider that a casino has hundreds, perhaps even a thousand, slot machines scattered across hundreds of thousands of square feet of floor space. Initial security concerns regard the data transmission: what type of cable is used (fiber is the most secure but also most expensive and requires special networking equipment); are the machines themselves even wired to accept fiber or are the connections Cat 5; is each machine "home runned" or are they consolidated at a switch located in one of those locked cabinets under the slot machines; if Cat 5 cable is used, what preventive measures are in place to prevent someone from "sniffing" the electronic data leakage from the wire; since players are issued a "cash out card" with a bar code on it, what encryption algorithms are used to prevent gamers from altering the data to increase their "payout"? The Gaming Industry has a long history of attracting very clever criminals (remember the students from MIT who won $10M?). I wonder how long before a similar group of intellectually gifted and monetarily motivated individuals focuses on SBG. In fact, a recent study sponsored by the National Indian Gaming Commission (NIGC) has identified several areas of concern for SBG .
The NIGC findings sound hauntingly familiar to all those security professionals charged with protecting enterprise data resources. Concerns about unauthorized access, intrusion detection, incident response, lack of security policies and a disaster recovery plan are common in all Information Security environments. What proactive measures are being taken to protect the network? Are internally sponsored Penetration Tests performed? The challenge of protecting hundreds or thousands of computer assets, insuring the Availability of the asset and guarding the Integrity of the data from these assets is likewise an everyday worry for CISO's. What makes the Gaming Industry different is that if any one of these assets is compromised, the financial loss could be in the millions of dollars, and the likelihood is that an attack will not target only one machine. And unlike any casino scam of the past, with data now being stored electronically, the attacker(s) does not have to physically be present. Casinos are now subject to the same risks as financial institutions.
Allow yourself to imagine an "Oceans 131/2" scenario. The progressive slot machine jackpot is at $14M. A disgruntled technician at the slot machine manufacturer maintains a "backdoor" to the SBG slots to save the drive time and the long walk through the casino to a particular machine. An accomplice is in place spinning the wheels and losing dollar after dollar at the progressive slot. At a specified moment, the technician pushes an unauthorized "software update" to the slot which alters the cash out ticket software. The accomplice now cashes out and receives an altered ticket which shows $10,000 not $10. The technician then replaces the original software and the scam moves to another slot, another casino, another city. With only about 6 slot machine manufacturers in the US, the possibility of "disgruntled employee" abuse is very high. While this scenario may seem farfetched, the notion of 6 college students beating Las Vegas casinos for $10M over a 10 year period also seemed too incredible to believe. Until it happened.
But more likely and much less "Hollywood-esque" would be the same type of security breach that happens at alarming levels in regular industry. A group of hackers finds an interesting IP address and begins exploring. Perhaps the IP address belongs to the slot machine manufacturer which allows them entry to the manufacturer's LAN. Or perhaps the IP address belongs to a slot machine itself. Or imagine if the IP belonged to the server which houses the information for all the SBG machines in the casino. Mother lode! In addition to a treasure trove of information contained within the gaming network segment, could the attackers connect to the hotel and food service segments of the casino's infrastructure? If so they would have access to reams of PII data as credit card data. As every fan of gaming knows, "whales" are the life blood of casinos and these multi-billionaires have credit cards with astronomically high spending limits (an American Express black card is truly wondrous to see). A data compromise of this scale would be a catastrophe for a gaming facility.
Defending such a unique infrastructure presents a daunting task. Corporate resources need to be allocated, policies need to be written and implemented in an area that previously did not require them, and employees need to be educated about the new threats. Perhaps most important is to maintain background checks on employees (both in the casino itself as well as for third parties) who have access to the servers and the SBG machines. And these risks are in addition to the "normal, everyday" risks of running a data center where millions of dollars routinely fly across network cables. The Information Security Professionals for Las Vegas casinos definitely have their hands full.
Chaz Sowers is a security consultant currently on assignment with Infotech Consulting. In addition to regular computer security duties, recent activities have included Incident Response at a major government defense contractor as well as work in the Gaming Industry. Security frameworks and security architecture continue to be areas of interest. Mr. Sowers holds the certifications of: CISSP, CISM and QSA.
