Cheating at poker James Bond Style – Defcon 24 (2016)


Well, good afternoon, how’s
everybody doing?
Good? Alright.
So, for those of you guys
that came in a little late,
perhaps you’re still expecting
a talk about airplanes.
Something that probably would have
been pretty controversial, right?
Well, the airplane talk is
not going to happen.
The speaker could not
be with us.
And so, luckily though,
we have something that is going to be
completely non-controversial given
where we all are. And that’s a talk
about cheating at Poker.
So, we want to give these guys
a big hand because,
not only is this going to be an awesome
talk but they stepped in at,
obviously, the very last minute and they’re going
to put on a great show for you guys.
So, let’s give Elie and
Celine a big hand.
Bonjour. My name is Elie
and this is Celine
and today we’re going to tell you
about our secret DEF CON talk.
For this reason we tried to keep
it quiet before coming in.
You can imagine why.
So, this is on work we did with
our friend Jean Michel
during our spare time.
And so, try to imagine if James Bond
was cheating at Poker,
and I’m not saying he is, but
try to imagine for a second.
He will go to the lab
to Q and say,
“Hey, do you have one of those
insane crazy gadgets
so that I can cheat and
see all the cards?”
But well, that’s just
a movie, right?
And we only have, like,
lame cheating devices.
Well, a few years back
I was casually trolling
on the black market forums,
the Chinese ones, and
a post caught my attention. I don’t
speak Chinese very well,
it was about a weird device
and the guy lost all his money and
he was warning people
and it was super hi-tech.
I didn’t quite understand it and then when
I tried to show it to one of my friends
who speaks better Chinese,
the post was gone and
I’m like, “Okay, I must
have hallucinated.”
It was, like 2am, probably
not going to happen.
And then, it’s sitting there in
the back of my mind
and a few months after I
come across this post
which basically says, I’m not
going to read it out loud.
Blah, blah, blah, yes,
those devices, it is real.
I don’t know what “it” at that
point is but it is real
and people got ripped
off in Texas.
And a lot of people lost a lot
of money, about 100K,
and then a lot of people got ripped off
and then it killed all commercial gaming
for Poker in Texas.
And at that point I’m, like, well, if someone
has it in the United States
then I probably can find
it on the internet.
And sure enough I was
able to find the seller.
As soon as I knew what to look
for I was able to find the seller.
And the seller said, “Use this for bargain,
which is only 4,000 Euros,
about $5,000, with 40%
discount,” right?
He tried to make you a good price. This web
device and all you get is this picture.
And so, this is a
Romanian seller.
Of course, I knew this thing was from China
because I read earlier with the blog post,
the post on the forum,
so, we trace it back
to China and we were able to find
the guy who built the real thing,
who would hopefully sell it
to us for a cheaper price.
And so, we notify the guy,
got into a contact,
or a friend of ours got into contact with him
and tried to get him to get us the device.
And the guy’s, like, “Sure,
I give you a good deal,
I give you the device and
a bunch of gizmos.
Don’t worry, it’s
only $1,500.
Please wire me to
Western Union.”
Yeah, and we’re, like, “Okay, that
seems absolutely normal.
I’m going to go to Western Union
and just wire $1,500 to China.
What can go wrong?”
Well, we did it, and
then we waited.
A lot. And when we were
about to lose hope
a package arrived.
And, like yeah, we’re, “Oh, we
have a talk for DEF CON.”
We didn’t know if it was
working yet, but
we feel pretty confident
at that point.
And so, here’s a demo of
what it looked like.
I wish I could give you a better
demo but it’s super small.
But here’s what it looked like.
So, I’m going to shuffle
the cards.
And it’s the first shuffle, no
sleight of hand, I promise.
And so I’m going to deal two cards.
I’m going to put a card and…
[Electronic voice: Spade Ace,
Diamond Jack].
So…
wait what?
Yeah, what the hell is
going on, right?
Something is reading
the cards out loud?
So, has anyone of you
figured out what it is?
No? Okay, let’s try again.
As you see, the phone is gone,
so we’re going to try again.
So, I shuffle and…
[Electronic voice: Heart 2,
Diamond 5].
There, it works, it’s like,
it really works
and it’s really what you see and that’s what
a Poker player on the table would see.
[Electronic voice: Heart 4,
Diamond 8].
It doesn’t miss, it doesn’t misread,
it’s actually extremely accurate.
So, that’s the story of this talk, we’re going
to tell you what the hell is going on
and we’re going to tell
you what works about it.
So, it’s a device, of course.
And so, the device is
this, it’s a phone,
or it looks like a phone. It’s here,
for those who can see it.
It basically looks like a
legitimate phone.
We believe it’s actually inspired
by Samsung Core.
If you compare the two back to
back it’s almost the same thing.
On the left side you can
see the Galaxy core,
on the right side you can
see the modified device.
So, they have a bunch of built in security
features which make it hard to analyze.
The first one is, they send you
the activation code separately
and there is no way to activate the device
without it, so they’re extremely careful.
Which actually speaks a lot about
how professional they are.
They have removed ADB
and debug mode,
so you turn on Android but you cannot run
ADB, you can’t have any debug mode.
And they also prevent you from taking a
screenshot by simply removing this ability
to make sure you cannot extract
a screenshot of the poker player
or the poker video player
analyzer as they call it.
So, a few fun facts, looking at it,
it’s a custom ROM,
Chinese 4.2.2. It’s also used in
Chrome devices from Samsung.
The cheating hardware is completely
hidden from the UI.
It’s a completely distinct secret. You
can’t see it, you can’t probe it.
So, if you don’t know what you’re
looking for, it’s just a phone.
And so, it’s really, really resilient to, like,
someone is telling you you’re cheating,
you hand over your phone, there
is absolutely nothing to see.
It operates like a phone, it can make
phone calls, it has any apps you want.
Your Facebook, Snapchat,
all works perfectly,
so it’s really hard to
know it exists.
And the funny story is we
also found a lot of code
that actually phones
home to China.
Not sure why they
did that so
we lay on the side
of the back door.
So, how does it really work?
In James Bond movies it
would work like this.
Pierce Brosnan would just put his glasses
and it would just work magically.
I wish it would work
that well but, no,
that’s not how it works.
The way it works is, you have
a pack of cards and
they’re going to give you multiple
options to get any type of card,
including Bicycle for
United States,
also the one popular in China,
Macau, Hong Kong and so forth.
So, you choose the type of card you
want and they will mark them for you.
And the device itself has a bunch of interesting
electronics embedded into it.
The first thing they have
is infrared LEDs
which go into a black
and white camera.
So, the infrared LED will
shoot infrared light
through the side
of the device,
because the side of the device is actually
modified to allow infrared to go through.
The infrared will illuminate the
side of the poker player
and as a result what you will see is,
the ink is made to absorb the infrared
so you will see those black
dot markings and
that’s what the camera is capturing.
So, basically what they do is
they use infrared absorption
to mark the side of the deck.
That’s the basic, underlying principle.
Here is an exposed view.
So, as you can see here,
you probably don’t realize it but the device
is on and if you squint really hard
you can see three purpleish
dots on the top right
and these are the LEDs.
And if you turn off the light
you see the LED. Because we took it
with a camera with the IR filter off.
And you can see clearly the three
LED which are embedded
in the side of the poker player.
And if you can get an idea it’s
very, very small, this here.
Impossible to know if you
don’t know what it is.
So, again, it speaks about
the quality of the construction
and the professionalism
of those kinds of devices
which really clearly show this
is not home-made.
It is probably very
professionally made
and they probably make
a lot of money out of those.
So, here’s an exposed view.
So, I tore it apart, opened it,
and what you can imagine in here is,
you see probably an orange square.
This is custom hardware that’s
actually baked into the phone.
Here’s a better view. So, you have
the camera, as I mentioned,
which is here.
Then you have
a custom chip which
handles the AV,
both the audio and the video which is separate from
the phone and then bridged back to the phone.
And then here is from the top view.
You can see the three LEDs
that I mentioned earlier.
And you can see on the
right side there is two dots
which are basically the out
for RF and Bluetooth
and we see how they’re being
used in a few seconds.
And so, all of those are connected
to a simple antenna
which goes around the back of
the phone to have better reception.
So, now Celine is going to walk through
what the user experience
looks like and how you use the app that
they actually embed into the phone.
Hi, can you hear me?
Yes. So, I’m Celine
and so I’m going to show you how
the Poker Player Application works.
So, this is a screen shot of the device where
you can see the Android App menu.
And can you spot in this screenshot which
app is used to control the device?
I can’t hear you.
No, so, the app used to control the
device is this one, the game app.
And so, what you do is you click
on the icon, start the app,
and the first screen you’ll
see is the login screen.
So, the username is hardcoded and
there’s only one, it’s the Admin.
And so, as mentioned earlier by Elie,
the password was sent to us
separately from the device.
So, you type in your password,
click on the sign in
button and then you access
the main app screen.
But don’t worry if you forgot the password
or you don’t have the password,
there is a backdoor password
that we found out.
So, when you log in
the main app screen
contains six options slash screens.
So, the first one is
the Game Hall.
It contains a list of all the game
types bought by the device.
The second one is Purchased.
It contains all the game types
you already purchased,
so that’s the one
you can use.
The Upgrade screen is used
to buy more game types.
Common Game is the list of
game types you purchased
and with a small explanation about
how the app will behave,
depending on the game type.
System Info is not relevant, doesn’t
contain any useful information.
And the last one is Settings. It allows you
to configure how the device will work.
So, this is a screenshot
of the Game Hall.
So, as you can see, there’s
hundreds of game types
that cover a lot of use cases.
So, this is another indication that
people buying this device
are running a real lucrative and
professional business.
So, now if you want to use
the device to
cheat you go to the Purchased
screen.
On this screen, on top, you can
see that we have three credits,
and we used two of them
to buy two game types,
and we have one
remaining credit.
Notice that there’s poor
spelling in English.
This means that this device is mainly
targeting the Asian market
and they didn’t spend a lot of time
on the English translation.
So, in our demo we use
the second game type.
That’s the number two,
read the card directly,
so it’s going to read
the card directly.
So, you click on it and then the app is
going to show you the Settings screen.
You can configure the number
of players. You can configure
input and output methods.
So, Elie’s going to detail those
methods later in the talk.
You can also configure the device
to repeat continuously
the reading of the card
or just do it once.
So, if you want now to use the device you
just hit the Start button on the screen
and then you get the main
game screen.
So, what you can see on
the top of the screen
is a live capture of the hidden
infrared camera here.
And so when the cards are
face down on the table,
the back appears on the left
part of the screen
where the Up symbol is.
Below that you can see how
many players are playing.
You can see what is the game
type you used,
so, we used the 1016 which is
the Read Card Directly.
Just below you can see
if you are using
any haptic feedback devices
and what their status is.
And finally, the important
information is
the result of the reading.
So, there’s two players.
The app is reading that the next two
cards on the top of the deck
will be six of Hearts and
eight of Diamonds.
So, now just a few fun
facts about the app.
So, we found out the
backdoor password.
So, this password, when you have it,
you can access any device.
And by analyzing the game
app we found out that
the interesting part of the code that
controls the input and output devices
and does the card recognition
is not in the app.
It’s in a kernel module.
So, now Elie’s going to talk about how
the card markings are done.
Okay. So, Celine just showed you that
the app should read the marking
but the key question is, how does the marking
come onto the card in the first place?
Because, obviously if you were
to have a bad deck or
a deck that doesn’t feel legitimate in
the hand, people will be suspicious.
Again, this is for cheating.
So, what they do is, when you order the device
they ask you which type of card you want.
I ordered Bicycle because that’s the one
we most use in the United States
and that’s what you receive. As you
can observe, it’s wrapped up,
so if you were to actually hand
it over in a Poker game it
will look like a normal Poker deck
of cards that you would open.
The pip sign is still on.
So, how do they get the cards in? What happens
is they resealed it and put the cards…
they open the cards, obviously, for marking,
by opening the bottom of the deck.
But when you open the deck, if you
don’t remove the transparent sleeve
then you won’t see that.
So that’s very clever of them.
And then you have the cards.
If you manually inspect the cards
and if you want to look at them up close,
you’re welcome to after the talk to do that.
It’s really hard to even
feel it or see it.
It’s actually really, truly a regular
Bicycle card as they probably
are bought and then marked.
And so, as Celine mentioned,
the only difference is
under infrared light
you will see the markings. So the regular
cards up here like this
on the right side which is
basically just blank.
Whereas the marked card has this absorption
ink which will mark those dots.
Each card name and number will
have a different distinct pattern
which repeats multiple times
over the card for redundancy
and because they don’t know
exactly what the angle is,
right, they want to be angle
proof as much as possible.
We even found devices which are more
expensive, but we ran out of money.
They have two cameras, one of which
tries to actually increase
the angle of vision to make
it more robust.
And then you have short black, long black
and that’s basically zero and one,
and that’s how they
mark the card.
And then they have a bunch
of functions.
Here’s one where basically the upper
digit is the number for the color,
and then the lower digit
is for the number.
This is why they will always
say Diamond or Heart Six,
Club Four, because they
first read the suit
and then they read
the value of the card.
But, sure, I mean,
no gentlemen’s device will be complete if it doesn’t
have a bunch of bells and whistles, right?
So, let’s look at how you actually
interact with the thing, right?
Because even if you have it,
it’s really hard to use by itself.
So, they bring you a few things.
So first thing they have is a remote
and the remote will do
two things for you.
A, it will allow you to change dynamically
and silently the number of players
at the table because people
can come and go.
Or they see people leaving the room,
bye bye. And then the other one is,
we have the sound on and off.
So, say people are talking
to you, you don’t want to get caught,
you can turn off
the Poker Player.
We looked into it with Jean Michel and it’s
basically a standard 2-FSK modulation,
a series of three commands, one
for the sound on/off,
one for incrementing the player,
one for decrementing.
It’s on the 800-megahertz frequency
so standard RF,
really easy to jam. Really easy to also
impersonate so you can probably
change the volume at will if you
know there is one in the room.
And then in the app configuration
you can obviously choose
between the speaker
and the headset.
So, the headset is composed
of two parts.
The first part is this thing
which is a remote.
And so, the remote has a volume button which is
to increase or decrease the sound of the ear piece,
and an on and off button.
Can any one of you guess
what is the lanyard for?
Come on, be creative.
No, it’s just to hang on
to your neck. Sorry.
So yeah, that’s the necklace.
And so what it does actually is,
this is connected to the phone
in Bluetooth
but the earpiece you have
in your ear is
so tiny they couldn’t fit
the Bluetooth transmitter
so this thing will basically be a bridge
which will do Bluetooth
to the phone and
transfer it into RF
so you have analogue RF
into your ear.
So again, very easy to eavesdrop
with any SDR
if you know what to look for. And it’s very,
very tiny. It has a tiny battery.
When you have it on you
it’s virtually impossible to tell.
They also have another very cool
device which is a haptic feedback.
So, the idea here is, again,
a Bluetooth P4.
They call it a P4 1 and you saw
on the screen before that it’s
disconnected or connected.
And what it does is,
it has a bunch of vibrators that you
would put either on your arm or
or on your leg and each
of them will vibrate
to tell you who is going to win,
who is the second one,
who is the third one,
and so forth.
So, it will ring in sequence and so you
can have this haptic feedback
if you don’t like to have an earpiece.
Hey, I think they will have customers, you know,
they try to cater to everyone’s needs.
For those who don’t really look like,
they even have the sneaky display idea
where, so basically what happens when you read
the card it switched the minutes and the seconds
to the first winner and
second winner,
so you can just look at the time on your
phone and like, “Oh, yeah. All in.”
The most funny part of the device
was the wireless camera.
And so, you can activate the wireless
camera, again, from the UI
and it comes packaged as
a car key, there are many,
many other options for you.
There are also ones for watches, belts,
shirts and a bunch of others.
We got the car key one because
it was easier to tear apart.
And so, the car key
looks like this.
It looks almost like
a real key.
Again, here’s an exposed
view on how it works.
So now that you know how it works
on the exposed view,
and when you use
the car key,
you put the deck in front, and
then you can see on the app
[Phone voice: Diamond 5,
Diamond Queen].
So you see it and you see the deck going back
and forth on this Queen on the phone.
And so, you can do it again.
And interesting quirk that we found is,
as you can see, here. [Phone voice:
Plum 6, Diamond King].
They call ‘Club’ ‘Plum’.
Because that’s a literal
translation into English
so we bet they’re just translating with
some bad translation software
and just like, well, it’s Plum.
It’s actually Club, but oh well.
That’s one of the funny quirks about it.
And so the key, again,
works on the same principles.
They have LEDs
behind the plastic which will
let the infrared go through.
Here’s an exposed view. This
time you have two LEDs
and the camera is just next to it.
So, here’s when I tore it apart.
What you see is the hidden
camera on the left side.
The battery, they give you two.
This thing sucks
so much power, that
I was really surprised when I looked at
the device there was a ton of batteries.
Seriously, I’m like, “What the hell is that?”
It’s got MKT Hit.
I’m like, “What the hell…,” sorry, Emmett.
“What the hell is that?”
And then I look it up and basically
they have a kernel module
that checks the temperature of the phone
and will shut it down before it explodes.
So, you know, they just
don’t want you to die.
But this thing basically
is so power hungry
that they had to put
the system in place.
And if something happened to the key,
the key got really hot,
and a battery which is an 800 milliampere
unit will last you probably 30 minutes,
so you have another one, so you go
to the bathroom, open the key,
plug the battery in, you go back right
to the Poker game, every 35 minutes.
That’s basically what you have to do.
Here’s the exposed view.
You see again the camera,
the two LEDs
and they’re all attached.
You have a small antenna and you have
an MCU 8051 which controls it.
We were able to find it online, except
there is no data sheet,
so we had to basically do guesswork when
we were looking at the transmission.
And so, we were using a software
defined radio to actually try to
understand how the thing was transmitting
images and the idea of,
can we jam it, can we replace it?
The answer is, yes, to both.
Actually, it was very hard for us because
we realized this is not digital.
It is literally an image and so
we were looking at that
so it emits to the 2,400-gigahertz
band, like Wi-Fi,
and we think it’s PAL or NTSC
but we really battled it.
I mean, Jean Michel and me are really
accustomed to dealing with analogue,
we’re more like digital kids so it was
really a surprise, very hard for us
to figure out how to
do it. But yes,
with normal SDR you are
able to jam the thing
and to replay images at will, so
you can clearly defend yourself
against this thing if you play
Poker cheating
by just jamming
their Poker player.
If you don’t like Volkswagen they actually
offer you a nice option to customize.
Attention to detail again.
So, that leaves us with a few open questions
that we don’t have a good answer to.
The first thing is,
this is the most sophisticated
cheating device we’ve ever seen
and ever heard of.
And it begs the question
of how they created it.
And it’s a lot of work that you
have to rehouse a normal phone,
a lot of electronics, do
a lot of programming.
I mean, they have
a kernel module
that does immeasurable conditions
And we don’t know if it’s either a tech
which has been used before by casinos.
We heard, if you look it up, some casinos
had this technique in the 1980s, 1990s,
of having some sort of camera to
catch people who were counting.
So, maybe that comes from there.
Or they actually built it
and in that case there is a large underground
market that I don’t know of.
But it’s really interesting to know
who might be of such a device.
The second thing is, we don’t believe
it’s actually used in casinos because
casinos have professional dealers so
it’s really hard to use that kind of deck.
We believe it’s more for background
playing or among friends.
So, it begs the question of, who is buying
it and who is basically ripping who?
And finally, interestingly enough,
you can’t really go buy at
Office Depot infrared ink.
You’re like, “Oh, can I get some
infrared absorption ink?”
And they will look at
you very funny.
There are only very few places
that actually sell those
so how they get their hands on it and
how they create the marking process
is something we haven’t
much answer about.
So, a few takeaways. Yes,
James Bond devices exist.
It’s really hard to find but actually
you can get lucky and get one.
It’s pretty expensive but
you can get one.
Crimeware can be super
sophisticated.
You know, we have heard at DEF CON
again and again about the NSA playset,
but apparently the mob bosses
have, well, the equivalent
and it’s just, we haven’t
looked at it just yet.
And finally, it did require a lot of skillset to be able
to actually prepare this presentation
and we had to go from hardware analysis
to software analysis to RF analysis.
So, we want to basically acknowledge
and thank our co-conspirators
who only just want to be
named by their surname.
Pixel helped us with the
hardware analysis and
Vivi was the person who was
able to get it out of China.
So, a big thanks to them.
So, thank you very
much for attending.
I know that was not the talk that
you expected but, thank you.
We’re really happy to take
questions if you have any
and if you want to know more, we
are going to put the slides online.
Just follow us on Twitter and we’ll
make them available. Thank you.
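Editor’s added example, not part of the talk or of the speakers’ analysis: a small Python decoder illustrating the edge-marking scheme the speakers describe (short bar = 0, long bar = 1, a suit field followed by a rank field, and the whole word repeated along the card edge so a smudged copy can be outvoted). The concrete layout (a 2-bit suit field, a 4-bit rank field, the suit order, the adaptive short/long threshold) and the sample bar lengths are all assumptions made for illustration; the talk does not disclose the real code book or the real bar geometry.

```python
"""
Illustrative decoder for an infrared edge-marking scheme of the kind
described in the talk: short bar = 0, long bar = 1, suit field then rank
field, word repeated along the edge for redundancy.

ASSUMPTIONS (not from the talk): 2-bit suit field, 4-bit rank field,
suit order Spade/Heart/Diamond/Club, and a midpoint threshold between the
shortest and longest bar to separate 0 from 1.
"""
from collections import Counter

SUITS = ["Spade", "Heart", "Diamond", "Club"]  # assumed suit order
RANKS = {1: "Ace", 11: "Jack", 12: "Queen", 13: "King"}
SUIT_BITS = 2   # assumed field width
RANK_BITS = 4   # assumed field width
WORD_BITS = SUIT_BITS + RANK_BITS


def classify_bars(lengths):
    """Turn measured bar lengths (e.g. pixels) into bits.

    The threshold is the midpoint between the shortest and longest bar seen,
    so it adapts to scale: the camera angle and distance are not fixed, which
    is the reason the talk gives for the repeated, angle-tolerant markings.
    """
    if not lengths:
        return []
    lo, hi = min(lengths), max(lengths)
    if hi - lo < 1e-9:
        raise ValueError("all bars have the same length; cannot separate 0 from 1")
    threshold = (lo + hi) / 2
    return [1 if length > threshold else 0 for length in lengths]


def majority_vote_word(bits):
    """Split the bit stream into repeated words and vote per bit position.

    A single occluded or misread copy is outvoted by the other copies.
    A trailing partial copy (card edge cut off by the frame) is ignored.
    """
    if len(bits) < WORD_BITS:
        raise ValueError("not enough bars for one code word")
    copies = [bits[i:i + WORD_BITS]
              for i in range(0, len(bits) - WORD_BITS + 1, WORD_BITS)]
    word = []
    for pos in range(WORD_BITS):
        votes = Counter(copy[pos] for copy in copies)
        word.append(votes.most_common(1)[0][0])
    return word, len(copies)


def decode_word(word):
    """Map a voted code word to 'Suit Rank', suit first as the device speaks it."""
    suit_idx = int("".join(map(str, word[:SUIT_BITS])), 2)
    rank = int("".join(map(str, word[SUIT_BITS:])), 2)
    if not 1 <= rank <= 13:
        raise ValueError(f"rank {rank} outside 1..13: not a valid marking")
    return f"{SUITS[suit_idx]} {RANKS.get(rank, str(rank))}"


def read_card(lengths):
    """Full pipeline: bar lengths -> bits -> voted word -> card name."""
    bits = classify_bars(lengths)
    word, copies = majority_vote_word(bits)
    return decode_word(word), copies


# Constructed sample scans (not real measurements): short bars ~10 px,
# long bars ~22 px, with jitter. Ace of Spades = suit 00, rank 0001,
# three copies, the second copy carrying one corrupted bit.
SAMPLE_ACE_OF_SPADES = [11, 9, 10, 10, 12, 21,
                        10, 9, 11, 23, 10, 22,
                        9, 10, 11, 10, 9, 21]

# Diamond Jack = suit 10, rank 1011, two clean copies.
SAMPLE_DIAMOND_JACK = [22, 10, 21, 9, 23, 22,
                       21, 11, 22, 10, 22, 21]

if __name__ == "__main__":
    for name, scan in (("ace", SAMPLE_ACE_OF_SPADES), ("jack", SAMPLE_DIAMOND_JACK)):
        card, copies = read_card(scan)
        print(f"{name}: {card} (voted over {copies} copies)")
```

The majority vote is what makes the redundancy the speakers mention actually useful: with three copies, one bad bit in any copy is silently corrected, which matches the "it doesn't misread" behaviour seen in the demo. The rank range check rejects a word that decodes to an impossible card rather than announcing garbage.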
