
What is “random”?

The usefulness of randomness is obvious. However, the deterministic nature of computers limits how well they can produce it. You would reasonably assume that a body like the gambling industry would understand such limitations, but apparently not.

First Published 9th February 2017  |  Latest Refresh 12th May 2021


Is it time to toss the dice (in the bin)?

4 min read  |  Reflare Research Team

Background

In this research brief we will take a look at a number of casino hacks to address the different meanings of randomness.

As Wired has reported in the past, a number of international casinos have been targeted by an organized crime syndicate that had found a way to greatly increase its pay-out chances at slot machines. No alteration or manipulation of the machines themselves was taking place. The attackers merely seemed to know exactly when to press the stop button to produce advantageous spin outcomes.

Statistically Random Vs. Cryptographically Random

Humans have a very rough definition of randomness. Any event that cannot be predicted by an individual is considered random.

From a technical perspective however, we have to distinguish between statistical randomness and cryptographic randomness.

Take a standard 6-sided dice for example. When rolling it, the outcome cannot be determined by a human as too many factors such as table friction, hand speed, dice weight, uneven surfaces and air resistance play a role. If a “random” dice is rolled 6,000 times, each side will come up more or less 1,000 times. So, if software were to simulate dice rolls and each of the 6 sides came up the same number of times over a large number of tests, the dice software would be considered “statistically random”.

However, the software may simulate dice rolls resulting in the following outcomes:

1 2 3 4 5 6 1 2 3 4 5 6 1 2 3 4 5 6 1 2 3 4 5 6 1 2 3 4 5 6 1 2 3 4 5 6 1 2 3 4 5 6 …

The outcome would still be statistically random. But to any human observer, it would be instantly obvious that the sequence is not in fact “random”. The next number can be easily predicted. A large part of cryptography deals with numbers that can’t be predicted or guessed by an attacker. The sequence above would thus be “statistically random” but not “cryptographically random”.
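The distinction can be measured. The following is an added example, not code from the original brief: it runs a chi-square frequency test and a simple next-roll predictor over the repeating sequence above and over rolls drawn from the operating system's CSPRNG. The function names and the 6,000-roll sample size are choices made for this illustration.

```python
import secrets
from collections import Counter

CHI2_CRITICAL_5DF = 11.07  # 95% critical value for 5 degrees of freedom

def chi_square_uniform(rolls, sides=6):
    """Frequency test: chi-square statistic against a fair die."""
    expected = len(rolls) / sides
    counts = Counter(rolls)
    return sum((counts[face] - expected) ** 2 / expected
               for face in range(1, sides + 1))

def successor_hit_rate(rolls):
    """Predictability test: guess each roll as the value that has most often
    followed the previous roll so far, and return the fraction guessed right."""
    followers = {}  # previous face -> Counter of faces seen right after it
    hits = 0
    for prev, nxt in zip(rolls, rolls[1:]):
        seen = followers.setdefault(prev, Counter())
        if seen and seen.most_common(1)[0][0] == nxt:
            hits += 1
        seen[nxt] += 1
    return hits / (len(rolls) - 1)

def cyclic_rolls(n):
    """The sequence from the text: 1 2 3 4 5 6 1 2 3 ..."""
    return [(i % 6) + 1 for i in range(n)]

def csprng_rolls(n):
    """Die rolls drawn from the operating system's CSPRNG."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]

if __name__ == "__main__":
    for name, rolls in (("cyclic", cyclic_rolls(6000)),
                        ("csprng", csprng_rolls(6000))):
        chi2 = chi_square_uniform(rolls)
        verdict = "passes" if chi2 < CHI2_CRITICAL_5DF else "fails"
        print(f"{name}: chi2={chi2:.2f} ({verdict} frequency test), "
              f"next-roll guess rate={successor_hit_rate(rolls):.3f}")
```

The repeating sequence scores a perfect frequency result while almost every roll is guessed correctly; the CSPRNG rolls are guessed at roughly the one-in-six rate of chance.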

Increased complexity ≠ increased randomness.

Computers and Randomness

True randomness is incredibly hard for computers specifically because they are built to be deterministic. A computer can only act upon its programming and use data it possesses. The only way to allow computers to use truly random numbers is to attach a peripheral that measures random natural events such as the decay of a radioactive substance. This approach is indeed used in some extreme settings.

In more traditional computing (read: any server, desktop, laptop, embedded device or phone that people use daily) computers instead rely on so-called Pseudo Random Number Generators (PRNGs). 

PRNGs are not truly cryptographically random but merely create a sequence of numbers that is difficult to predict. The degree of this difficulty may range from simple PRNGs which merely aim to seem random to human observers to very complex PRNGs that aim to provide random numbers sufficient for cryptographic purposes.

Furthermore, PRNGs are usually seeded with bits of semi-random information, such as the current time (in microsecond resolution) or the temperature of the CPU.

However, they still only pretend to produce random output. If an observer knows both the algorithm used by the PRNG and the parameters it was seeded with, all future generated numbers can be predicted with perfect precision. Using complex mathematics, the original seed values can also often be deduced by observing a sufficiently long sequence of generated numbers.
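The exposure described above can be checked directly. This is an added example, not code from the original brief or from any real machine: Python's `random` module (Mersenne Twister) stands in for a weak PRNG seeded from a microsecond clock, and `secrets` provides the hardened alternative. The 64-stop reel, the 20 ms seed window and the timestamp are constructed values for illustration.

```python
import random
import secrets

REEL_STOPS = 64  # assumption: 64 stop positions per reel

def spins_from_seed(seed, n):
    """Weak design: every outcome is a pure function of the seed."""
    rng = random.Random(seed)  # Mersenne Twister, not for security use
    return [rng.randrange(REEL_STOPS) for _ in range(n)]

def seeds_consistent_with(observed, window_start, window_end):
    """Return every seed in [window_start, window_end) that reproduces the
    observed outcomes. One survivor means the generator is fully determined."""
    matches = []
    for seed in range(window_start, window_end):
        rng = random.Random(seed)
        if all(rng.randrange(REEL_STOPS) == value for value in observed):
            matches.append(seed)
    return matches

def hardened_spins(n):
    """Hardened design: draw from the OS CSPRNG, which exposes no
    application-chosen seed to narrow down."""
    return [secrets.randbelow(REEL_STOPS) for _ in range(n)]

# Constructed sample: a generator seeded from a microsecond clock at some
# point inside a 20 ms window.
WINDOW_START = 1_486_598_400_000_000
WINDOW_END = WINDOW_START + 20_000
SECRET_SEED = WINDOW_START + 12_345

if __name__ == "__main__":
    history = spins_from_seed(SECRET_SEED, 12)
    observed, future = history[:8], history[8:]
    survivors = seeds_consistent_with(observed, WINDOW_START, WINDOW_END)
    print("candidate seeds left:", len(survivors))
    print("future spins reproduced:",
          spins_from_seed(survivors[0], 12)[8:] == future)
    print("hardened draw:", hardened_spins(4))
```

Eight observed outcomes leave a single candidate seed in the window, after which every later outcome is known; the `secrets`-based draw gives a reviewer nothing equivalent to test against.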

Tying it all Together

This is precisely what happened in the incident we looked at above. The crime syndicate was able to acquire a used slot machine from a defunct casino. Its IT experts thereupon reverse engineered the machine’s code to determine what PRNG was used in it and linked the slot wheel outcomes to the raw generated numbers.

From there they developed a mathematical model that allowed them to crack the PRNG using about 15 minutes of spin outcomes.

Operatives would go into casinos, record footage of the spinning wheels and send it back to the IT department which thereupon cracked the PRNG. They then calculated at what times the machine’s “stop” button would have to be pressed so that the game would result in a pay-out. The operatives’ phones would then “buzz” shortly before the perfect time to prompt them to press buttons.

While this is an extreme example, weak PRNGs are one of the most common vulnerabilities in modern software. Organizations are advised to verify that their developers understand the concept of a PRNG and associated security risks.

True randomness is when the information being responded to has not been predetermined and cannot be predicted easily. There are numerous ways to achieve true randomness on a computer by leveraging inputs from outside the computer itself (for example, sensors that measure such data as external noise or fractal light). However, this topic requires its own research brief to fully unpack.

It is important to note that pseudo-randomness vulnerabilities are not the only exploits your developers need to address. Study the mistakes of others and learn how you can mitigate the risks of specific attacks by checking out our research briefs on other related topics.
