Security researchers revealed a severe vulnerability in a widely used third-party software product that exposed the identities and personal information of an unknown number of casino loyalty program members across Las Vegas and possibly other international locations. The problem was reported to the vendor, the FBI got involved, and still the information exposed on the open Internet was available for anyone to see four months after the company was made aware of the serious security breach. Later, at the 2019 ICE London conference, when one of the researchers introduced himself to a company representative in person, he was assaulted and threatened with arrest on the convention floor.
On February 5, 2019, information technology security site Secjuice.com began reporting on this story and the details of the incidents that follow. One day later, the story was also picked up by the Computer Business Review, who contacted the vendor and the security researchers involved to gather more information.
Because of the parties involved in these happenings, this incident should be of particular interest to both gamblers and gambling industry insiders. The full scope of the exposed information and who might have seen or had access to it is, as of yet, unknown. At the time of writing, the vulnerabilities described below have still not been corrected, leaving both casinos and players in a high-risk situation.
Discovery Of Exposed Casino Patrons’ Personal Information
Two security researchers, who go by the names Dylan (Wheeler) and Me9187, first discovered an unsecured server back in September 2018 while taking part in what has become known as a Shodan Safari. Shodan is a specialized Internet search engine that crawls and indexes possibly unsecured computers and devices connected to the Internet.
The interest of the two researchers was piqued when they saw what looked like a casino’s player rewards server open to the Internet with no authentication necessary. After a bit of deeper investigation, it became clear that the server did not belong to just one casino but that it was being used to support automated player reward systems for different casinos all over Las Vegas.
It turns out that the server was part of the “PowerKiosk Marketing Platform” made by Atrient, who provides them to casinos all over the world. The kiosks make it possible for casino patrons to register their purchases and spending with the casino through an easy-to-use interface in exchange for loyalty program rewards. If you frequent land-based casinos, especially in Las Vegas, you may well have used one of these kiosks yourself.
While speaking to Secjuice, the researchers indicated that they found evidence that these kiosks were in use at such big-name casinos as the Hard Rock, MGM, and Caesars, and that they were, at the least, deployed at casinos all across the United States.
Making things even worse, they found that these kiosks and the back end servers communicate with each other, transmitting users' personal details across the Internet in plain text. Normally, the transmission of this type of information between any two devices is first encrypted so that it cannot be intercepted while in transit across the Internet. Some of the information sent back and forth by the kiosks and the server(s) includes things like users' home addresses, scans of drivers' licenses used for program enrollment, contact details, and details about users' activity.
Of course, with data being transmitted without any kind of encryption, and the back end server being completely open to public access, the entire system was open to any type of criminal abuse. The researchers stated that the entire system was, in fact, so far from being secure that anyone with some basic computer networking knowledge would be able to identify specific kiosks and then use the insecure back end to change details, track users, add or remove credit from accounts, and even install their own virtual kiosk on their home computer.
Shoddy Security Practices Seem To Be Common At Atrient
What makes this particular case of data exposure scary is a combination of practically nonexistent security practices, distribution of systems built with integrated insecure functionality, and widespread use of the service at casinos around the world. Any open access point to this system would apparently grant access to all of the information it stores for any of Atrient’s clients — and the systems are basically one giant open access point.
Atrient is considered to be a market leader in this type of technology. Their loyalty program kiosks have been distributed to casinos throughout Las Vegas and the United States and made available to casinos all over the world through a partnership with Konami.
This is just one system that happened to be discovered, but Jessie Gill, Atrient’s COO, recently stated in the media that they “don’t have a different version for different operators. We integrate all functions in a single product.” If this is true, then it would only make sense that there are other systems out there that are, at the very least, broadcasting sensitive user information from kiosks to servers across the Internet in plain text for anyone to see. It also stands to reason that the company’s white label partner, Konami, has distributed systems with the same vulnerabilities to their own customers.
Speaking to Secjuice.com, Dylan and Me9187 said that this vulnerability was only the beginning of what could be a much bigger problem. While looking through data contained on the server, the two discovered casino WiFi passwords and personal data stored in plain text, with no attempt whatsoever to secure or obscure any of the information. Obviously, this type of information could allow bad actors to infiltrate casino networks to gain even more data as well as provide opportunities for all kinds of fraud and identity theft.
Researchers also found that India-based third-party contractors hired by Atrient were posting the source code to their software on GitHub (a publicly accessible open-source software repository and development collaboration tool) and asking questions about the code on stackoverflow.com, a large public question and answer forum.
It should go without saying that the Indian contractors were not following even the most basic common sense security practices. Not only was sensitive data being exposed to the Internet, the programming and infrastructure that showed how that data was stored and transported was also exposed.
Attempts To Report The Vulnerability Go Ignored
Acting in good faith and following standard best practices for responsibly disclosing this type of security vulnerability, the two researchers tried to contact Atrient directly and make them aware of both what they had found and how serious the problem appeared to be. Emails were sent to multiple Atrient executives as well as other members of the Atrient team but all communications were apparently ignored.
The researchers even went so far as to leave messages containing their contact details directly on the exposed server for the administrators to see — which demonstrated that the server was exposed and that someone had indeed been able to access it and alter data on it. This should have set off emergency alarms for any experienced server administrator. Again, they received no response.
At this point, Dylan and Me9187 contacted Secjuice and asked for help. The idea was that Secjuice would be able to make a bit more noise about the incident and finally get some attention from Atrient. Secjuice’s editor, Guise Bule, agreed to help and sent out a tweet stating that he was in contact with the two researchers and working on an article about their discoveries.
Attention From The FBI Cyber Fusion Unit
Gaining more attention than was expected, the Secjuice tweet was noticed by the FBI Cyber Fusion Unit. One of the things this FBI unit does is try to help connect security researchers and vendors when a significant security problem has been found and the vendor is unaware of or unresponsive to the possible threat.
The FBI asked Mr Bule if he could arrange a call between themselves and the two security researchers. According to Bule, the researchers were somewhat hesitant at first, but he was able to make the call happen. On November 11, 2018, Dylan Wheeler and his partner spoke with the FBI for the first time.
During the call, the two researchers recounted to the FBI what they had found and the various attempts they had made to contact Atrient about their findings. As you might expect a computer security professional to do, one of the researchers recorded the initial conversation with the FBI. In the recording Wheeler explains to three FBI agents over Skype what he and his partner discovered.
“It’s an unsecured server in the open. We stumbled across that, which led us to an unsecured API server. You can look up player data, change settings in the configuration capacity. It’s sending plain text; completely vulnerable to injections. You can basically print money or commercial credits if you were to exploit that. Every single kiosk is calling home to the vendor,” he says.
One of the FBI agents then responds, “That’s a problem.”
After hearing what they had to say, the FBI went on to set up a call for the next day between the researchers and Atrient to make sure that the company was aware of their security problem and understood how serious it was.
The Hackers, The FBI, And Atrient
The following day a conference call was put together between the security researchers, Guise Bule of Secjuice, FBI agents, and Jessie Gill, Atrient’s COO. Everyone on the call was introduced and then the two researchers went on to explain, again, what they had found and just how serious they believed the situation to be.
They explained patiently that the entire infrastructure of the system was wide open to fraud and abuse. Credits could be manipulated. Players’ personal data was exposed to the public Internet. Anyone could generate unlimited entries to casino cash drawings and, worst of all, there was no system in place to even detect if this type of fraud had occurred.
The researchers explained in clear terms what was possible, even giving examples. “The kiosks allow for promotional credits to be redeemed. Which is a big risk in that you could pretty easily inflate your account to be a ‘high roller’; redeem some rewards. Your programmers need a better security policy.”
Mr Gill eventually asked what steps could be taken to secure the server and the related services and the researchers offered their advice. Gill then said, “The information you have shared with us is fantastic, we’re really impressed by what you have done here and we would like to actually own this information. How do we make that happen?” He then asked Dylan and Me9187 if they’d care to discuss it further in a private conversation.
At the end of the call, one of the FBI agents asked Jessie Gill if Atrient had notified their customers about the discovery of the vulnerabilities and the possibility of a data breach. Gill quickly responded, “Let’s talk about this offline,” clearly indicating that he didn’t want anyone outside the company to know how the incident was being handled internally.
From Allies To Enemies
Initially, Atrient offered to pay and work with the two security experts under the condition that they sign a non-disclosure agreement. The two said they would be willing to share all details of what they had found as well as help to properly secure the system at a rate of $400 per hour ($200 or about £150 each) for 140 hours of work. That works out to $56,000 in total. Of course, Atrient also had the option of hiring any other security auditing professional or company they liked if they so desired.
Jessie Gill promised both researchers that Atrient’s lawyer(s) would draw up the NDA and contact them when they were ready to proceed. The contact from Atrient’s legal representation never happened, however. Wheeler and his partner say they were given the same promise of payment and presentation of an NDA multiple times over a four month period.
During this time, the two researchers continued to check on Atrient’s systems to see if anything had been done about the security problems. They found that some servers had been reconfigured to hide from the view of the Shodan search engine, but the root problems still existed. Some of the development servers in India were also apparently taken offline for a short time, but eventually appeared again.
It became clear to both researchers that something had changed and that Atrient was not going to follow through with either their promise of working together or fixing the security problems with their kiosk system.
Meeting At The 2019 ICE London Conference
Roughly four months after making their discovery, Dylan Wheeler and his partner learned that Atrient CEO, Sam Attisha, was planning to speak at the 2019 ICE London conference — a casino industry convention and trade show. Atrient’s presence at the conference was intended to highlight a new facial recognition system and artificial intelligence component that would allow their kiosks to recognize players without the need to swipe cards or manually enter any information.
This discovery alarmed the two researchers because not only were Atrient's systems still open to intrusion, but now the company was actually planning to add even more data to the system that could increase the risk to players if it were abused.
Coincidentally, both men live and work in London, so when they saw that Atrient was going to be at the conference, they decided to register as attendees and try to talk to someone face to face. This was where things really became bizarre.
According to Wheeler, the pair located Atrient's booth and he approached Jessie Gill to introduce himself as the information security researcher Gill had been speaking with for the last few months. At this point, Gill allegedly lunged at Wheeler, violently grabbing him by his clothes and tearing off his attendee badge, saying that Wheeler didn't need it anymore and that he would keep it. The incident was reportedly witnessed by several people.
As soon as Gill released him, Wheeler began recording with his own cell phone. At the beginning of the clip below you can hear Gill saying, “wondering if I should have Scotland Yard.” He then stops abruptly and says that he doesn’t know who Mr Wheeler is when he realises that he is being recorded.
[Embed tweet from https://twitter.com/Secjuice/status/1092822184245059584]
Threats, Denials, Accusations, And Reversals
Speaking later to Computer Business Review (CBR), Wheeler explained what happened when he arrived at the Atrient booth where both COO Jessie Gill and CEO Sam Attisha were present.
“I went to shake their CEO’s hand and managed to introduce myself… they understood who I was straight away,” he said.
“Their CEO just kind of sat there. Then their COO, Jessie Gill, stood up saying ‘we’re talking to the FBI and talking to Scotland Yard!’
“They said: ‘You think you can have your buddies harass us!’ I said – and I don’t – have any idea what you’re talking about. Then he grabbed at my chest and pulled me into him saying he should get the FBI and Scotland Yard to get us. He grabbed my badge and said I’m going to keep this. So I grabbed it back. Then he started forcibly pulling at it to get it off the lanyard and put it on the table.”
After the incident, Guise Bule of Secjuice.com said that he tried to reach Jessie Gill by telephone to get some kind of response or comment about the allegations, but Mr Gill simply hung up the phone on him.
Having better luck, when CBR journalist Ed Targett contacted Jessie Gill he got the following response:
“There was no assault. There’s an indictment against this guy… his mother went to jail. There is no vulnerability… these guys have no idea what they did and didn’t do. How do I explain it? I’m not going to chase something that doesn’t exist just because you think you have something. If you look at these people trying to do this… they’ve taken information that’s publicly available and twisted it into an extortion scheme. I’m not interested in the messaging they’ve put out there. There is no police report. We went to the police not them. There is CCTV evidence that there was no assault.”
Metropolitan Police confirmed that there was a report of an altercation at the ExCel Convention Center but there were no injuries and no arrests made.
News of the incident at the ICE conference spread quickly over Twitter, where the official Atrient Twitter account was quick to post a denial of just about everything, including the security problems with their software. Shortly after these tweets were posted, the CBR article on the matter was published, which contained the first release of the recorded conversations with the FBI (linked above) and proved many of Atrient's claims to be false. At this point, the chain of tweets from Atrient was suddenly deleted. A screenshot of the deleted tweets is below:
Image Source: Eli Grey
It is obvious that in these tweets Atrient intentionally lied about what had happened both with their kiosk product system and the incident at the ICE conference.
The first claim that there was an attack on a demo server which contained no real information is proven false by the call which included Jessie Gill and the FBI. The two researchers explain very clearly what they’ve found and Mr Gill acknowledges that he understands what is happening and how severe the problem is.
The tweets then seem to try to distort the truth by saying that the FBI is “aware of the group”, implying that Atrient has been somehow working with the FBI to capture a group trying to extort money from them. The truth, obviously, is that the FBI is indeed aware of everyone involved. The FBI spoke with the security researchers before they contacted Atrient, not the other way around.
Finally, the tweets go on to state that they were given a “crime reference number” that could not be verified with the police, proving that the incident never occurred. The tweet even goes so far as to say that the police say they have received no report of the incident. The CBR article disproves this, as the author reports that he received verification by email from a Metropolitan Police spokesman which stated, in part, “[We] can confirm that police received a telephone report of an altercation at Excel, Western Gateway, Newham, where a 23-year-old male was allegedly assaulted by a second male who took the victim’s event lanyard.”
Fixes Have Yet To Be Implemented
As bizarre as all of this story is, and what it says about Atrient and their business practices, the most frightening part of it all is that nothing has been fixed. When speaking with CBR, Dylan Wheeler stated that the kiosk system is still vulnerable and apparently open to the public.
It’s impossible to know exactly how many people have their information stored in any of Atrient’s servers or kiosks that may be exposed and transmitting unprotected data. One thing is certain, however.
Atrient's handling of the situation has done nothing but make things worse. A story that very few people would have heard has now blown up into a major incident that is gaining the attention of information security researchers, casino industry executives, and, most dangerously, hackers who would love to find and exploit the information that they now know is out there waiting to be taken. We can only hope that these security problems are corrected before someone does exactly that.