Security Researchers at IOActive Demonstrate Deckmate 2 Card Shuffler Vulnerabilities

No electronic system is ever completely impervious to attack, and security research firm IOActive has demonstrated that card shufflers commonly used in retail casinos and poker rooms are no exception. Inspired by the investigation into the Robbi Jade Lew cheating allegations, consultants Joseph Tartaro, Enrique Nissim, and Ethan Shackelfordattempted to compromise a Deckmate card-shuffling system. He presented his findings at the Black Hat security conference in Las Vegas, where Wired picked up the story.

Bonus covered the Robbi Jade Lew story at length when it broke. The short version is that she made a hard-to-justify call which turned out to be correct, and her explanations of her thinking changed over time. Based on that, her opponent, Garrett Adelstein, suspected that she had some way of knowing his hand.

Hustler Casino, where the game took place, hired cybersecurity firm Bulletproof to conduct an investigation. Predictably, it found nothing conclusive, and the poker world’s attention has largely moved on to other scandals. However, Bulletproof’s claim that the Deckmate card shuffler “cannot be compromised” caught Tartaro’s attention. He set out to prove the competition wrong.

Tartaro claims that the team succeeded in using an exposed USB port on a Deckmate 2 to alter the device’s code undetectably and gain access to its camera. That would allow the hacker to know the order of the shuffled cards and thus determine every player’s holdings. He says it’s also theoretically possible to reprogram the device to put the cards in a specific order, though the IOActive team has not yet had time to do so.

Light & Wonder, which makes the devices, told Wired that IOActive compromised the device “in a laboratory setting” and that no such attack has ever been executed on a casino floor.

Common Vulnerabilities, Known Solutions

The team’s findings about the Deckmate 2 will seem familiar to those with some knowledge of cybersecurity.

  • The device has an exposed USB port allowing direct access to its onboard computer.
  • Its maintenance passwords are set by the manufacturer and can’t easily be changed.
  • It uses only a hash comparison to check for modifications to the code.

So, anyone with physical access to the device – such as by reaching under the poker table – can plug a miniature computer into the USB port and begin interacting with it. If they’ve convinced someone to share the maintenance passwords with them, they can then modify the code.

The last point is more technical. Hashes are a bit like digital fingerprints. To check for tampering, the Deckmate compares its code’s “fingerprint” to one it keeps on file. However, that reference hash is also stored on the device. So, a hacker with full access can change the reference to be the same as the new code, thereby covering their tracks.

These problems are common with many digital devices. Fortunately, the fixes are also well-known and likely to be applied to future shufflers now that IOActive has called attention to them:

  • Use physical security like a locking USB port cover.
  • Have stronger and more varied maintenance passwords with multiple levels of access.
  • Use the more modern cryptographic codesigning technique rather than hash comparison for integrity-checking.

Should Poker Players Worry About Card Shufflers?

Although poker players are likely to find the news alarming, the chance of encountering a rigged shuffling machine in the wild is very low.

Wired is correct in pointing out that Light & Wonder can’t possibly know for sure that no one has ever hacked one of its devices, only that they haven’t been caught.

But poker cheaters, like all scammers, are lazy by nature. If they weren’t, they’d work to beat the games legitimately. Because of that, deterrence is often enough.

We all know the joke about the two hikers running from a bear: One asks the other if he thinks he can really outrun the bear. The other replies: “I don’t have to outrun the bear, only you.”

Cheaters are not going to target high-security games when lower-security ones are available. Even there, they won’t choose a high-tech method of attack if a simple one is going to work.

Consider the Mike Postle story, probably the least-disputed cheating accusation in recent poker memory. Postle didn’t use any technology more sophisticated than a smartphone. Those who believe he cheated think he simply made a deal with someone on the production team of the Stones Live show, who would watch the stream in real-time and text opponents’ cards to Postle’s phone.

So, while security vulnerabilities are a concern for device manufacturers, most players don’t need to worry. If you’re playing at a regulated casino, would-be cheaters probably have easier targets. On the other hand, if you’re playing in an underground game, you’re at risk… but you’re more likely to be cheated by old-school collusion or deck manipulation than by a sophisticated hacking scheme.

About the Author

Alex Weldon

Alex Weldon

Alex Weldon is an online gambling industry analyst with nearly ten years of experience. He currently serves as Casino News Managing Editor for, part of the Catena Media Network. Other gambling news sites he has contributed to include PlayUSA and Online Poker Report, and his writing has been cited in The Atlantic.
Back To Top

Get connected with us on Social Media