Following the disclosure of a serious vulnerability affecting casinos around the world, an executive of casino technology vendor Atrient assaulted the security researcher who reported it, at the ICE conference in London. This is the story of a vulnerability disclosure that went wrong, involving the FBI, a vendor with a global casino client base, and a serious security vulnerability that four months later has still not been properly fixed.
Our story begins with two white-hat security researchers, Dylan and Me9187, who were on a Shodan safari in September when they noticed what looked like a casino player rewards server (with no authentication) exposed to the public internet. After a little more digging, it became clear to the researchers that the server was managing player rewards kiosks in various Las Vegas casinos.
These kiosks are manufactured by a vendor called Atrient who markets them as a "PowerKiosk Marketing Platform" and sells them to casinos around the world, which then use them to engage their customers in a loyalty program.
The kiosks give loyal casino customers an interface through which they can record their purchases and spending at the casino and receive loyalty rewards in return. Rewards can include theatre and show tickets, comped hotel rooms, raffle entries, and anything else the casino wants to use as part of its rewards program, including cash back on purchases made in certain venues.
The casinos that use these kiosks include Hard Rock and Caesars. Researchers have said that these kiosks are deployed in casinos all over the country.
These kiosks and the back-end server exchange their users' personal information, sending data such as driver's licence scans (used for registration), home addresses and contact details, as well as details of the user's activity, unencrypted over a publicly reachable connection. When the researchers found that the unauthenticated rewards server was directly connected to the kiosks on casino floors, they realised that the API in use was wide open and extremely vulnerable to criminal abuse.
The researchers said that each kiosk called the server in the clear and that all data sent from the kiosks to the server was plainly visible on the network. With no SSL protection and an API that is wide open and vulnerable to abuse, it was possible to identify kiosks by their MAC address and use the insecure API to change account details, track users, credit accounts, or spin up a kiosk on a virtual machine in order to have your own personal kiosk at home.
Atrient had not separated these kiosks into VLANs, their FTP access was wide open and unencrypted, and all of this was discovered with the help of the Shodan search engine. All of it was publicly visible to anyone on the internet who knew where to look.
Atrient is a market leader in the sale of these casino loyalty kiosks, which have been sold to casinos throughout Las Vegas and the USA and (through their partnership with Konami) to casinos around the world. Since Jessie Gill, Atrient's Chief Operating Officer, recently told the press that they "don't have a different version for different operators, we build all the features into one product", it is very likely that this vulnerability affects all of their customers, including their white-label partner Konami, which rebrands Atrient's technology to sell to its own customers.
The security researchers who found this vulnerability, Dylan and Me9187, told me that it was only the tip of the iceberg when it came to sloppy security practices at Atrient. They saw the casino's WiFi network password stored in plain text, users' personal data stored in plain text, and no attempt to secure any of it.
They even found that Atrient's third-party contractors (based in India) had published Atrient's source code on GitHub and asked questions about it on Stack Overflow, which made it clear to the researchers that security was not taken seriously.
It was clear to the researchers that Atrient had outsourced its development to India, where much of its infrastructure was hosted, including its FTP services, kiosk management and development servers. It was equally clear that the contractors had not taken even the most basic measures to prevent that infrastructure from being discovered on the internet.
The security researchers acted in good faith, followed responsible disclosure best practice and tried to contact Atrient directly to report the vulnerability and impress on them how serious the problem was. For a company like Atrient, which has a global customer base and has a lot to say about the security of its systems, you would expect an immediate response. Unfortunately, Atrient completely ignored repeated emails sent to several executives and members of the Atrient team.
The researchers even left messages containing their contact details on the FTP server where the administrators would see them, warning them of the vulnerability. They did everything they could to contact the vendor and disclose responsibly, but they were ignored.
Atrient ignored the researchers entirely; despite their follow-ups on LinkedIn and Twitter, the company clearly had no interest in communicating with them.
The researchers then contacted me, asked for help getting through to Atrient and asked me to tweet about the vulnerability, so I helped them out.
Enter the FBI
When I sent out the tweet saying that I was working on an article about a vulnerability affecting all Las Vegas casinos, the tweet was noticed by the FBI's Cyber Fusion unit, which contacted me for a conversation.
This division of the FBI works to connect security researchers with vendors when vulnerabilities are discovered, especially in cases where the vulnerability is serious and the researchers are being ignored.
The FBI asked me to set up a phone call with the researchers, who, eager to act in good faith, agreed to join the call. They were scared; it was the FBI after all. Security researchers are generally wary of the federal government, but they agreed to talk.
During this call the researchers thoroughly briefed the FBI on what they had discovered and on their attempts to contact Atrient. The FBI swung into action and set up a call for the next day between Atrient and the security researchers so that we could all get on the phone together and make sure Atrient understood the seriousness of the vulnerability and that everyone involved was focused on fixing it.
Now that the FBI was involved, Atrient had to take the vulnerability disclosure seriously, which gave us hope that this vulnerability would be quickly corrected.
I am pleased to report that the FBI acted correctly, that their only interest was resolving what they considered to be a serious vulnerability, and that at no point did they blame or accuse the researchers of anything. There is a lot of mistrust of the FBI in the infosec space, but this particular unit had the right attitude, knew their infosec and wanted to help the researchers.
** UPDATE Call Recording: https://dayafterexploit.com/Skype1.mp4
The above recording of the initial FBI conversation was added to this article on February 7, 2019 after it was made available in this article by CBR Online.
The Vendor Call
The next day I joined the vendor call with the FBI and the security researchers. Atrient was represented by Jessie Gill, its Chief Operating Officer, and another member of staff. Once the call had started and everyone had been introduced, the floor was handed to the security researchers. They explained in simple terms that the kiosks and supporting infrastructure were wide open, that player credit could be manipulated, that users' personal data (including driver's licence scans) was exposed to the public internet, and that you could enter casino raffles with as many entries as you wanted in order to win them, all without Atrient or its developers and subcontractors noticing.
They explained clearly to Atrient that the risk of abuse was extremely high, because Atrient's back-end system had no way to distinguish legitimate API calls from malicious ones, leaving it wide open to exploitation by criminals.
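The two failings described above (kiosks identified only by a MAC address carried in cleartext, and a back end that cannot tell a genuine kiosk call from a forged one) come down to the server having no cryptographic way to authenticate the device it is talking to. The following is an added illustration, not Atrient's code or anything from the original article: a toy rewards API in its open form beside a hardened form in which every kiosk holds a provisioned secret and signs each request with HMAC-SHA256, and the server enforces a freshness window and a nonce cache so that captured requests cannot be replayed. All kiosk identifiers, keys and player numbers are constructed sample values; the transport would still be TLS in practice, which this example does not model.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Set, Tuple

# Constructed sample data: kiosk identifiers and per-kiosk secrets are made up.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_KIOSK_KEYS: Dict[str, bytes] = {
    "kiosk-lobby-01": bytes.fromhex("5b" * 32),
}


def canonical(body: dict) -> bytes:
    """Deterministic encoding so the kiosk and the server sign exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class UnauthenticatedRewardsAPI:
    """Failure mode from the article: the only 'identity' is a kiosk MAC address
    carried in the request itself, so any client that can reach the server and
    knows a valid MAC is indistinguishable from a real kiosk."""

    def __init__(self, known_macs: Set[str]) -> None:
        self.known_macs = known_macs
        self.balances: Dict[str, int] = {}

    def credit(self, body: dict) -> bool:
        if body.get("kiosk_mac") not in self.known_macs:
            return False
        player = body["player"]
        self.balances[player] = self.balances.get(player, 0) + int(body["amount"])
        return True


class AuthenticatedRewardsAPI:
    """Hardened form: per-kiosk secret, HMAC over a canonical body, a clock-skew
    window and a nonce cache. Unknown devices, tampered bodies, stale requests
    and replays are all rejected before any balance is touched."""

    def __init__(self, kiosk_keys: Dict[str, bytes],
                 clock: Callable[[], float] = time.time,
                 max_skew_seconds: int = 60) -> None:
        self.kiosk_keys = kiosk_keys
        self.clock = clock
        self.max_skew = max_skew_seconds
        self.seen_nonces: Set[str] = set()
        self.balances: Dict[str, int] = {}

    def credit(self, kiosk_id: str, body: dict, signature_hex: str) -> bool:
        key = self.kiosk_keys.get(kiosk_id)
        if key is None:                      # unknown device: no shared secret
            return False
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature_hex):
            return False                     # forged or tampered request
        if abs(self.clock() - float(body["ts"])) > self.max_skew:
            return False                     # stale request, outside the window
        if body["nonce"] in self.seen_nonces:
            return False                     # exact replay of a captured request
        self.seen_nonces.add(body["nonce"])
        player = body["player"]
        self.balances[player] = self.balances.get(player, 0) + int(body["amount"])
        return True


def kiosk_sign_request(kiosk_id: str, key: bytes, player: str, amount: int,
                       clock: Callable[[], float] = time.time) -> Tuple[dict, str]:
    """Kiosk side: build the request body and its HMAC-SHA256 signature."""
    body = {"kiosk": kiosk_id, "player": player, "amount": amount,
            "ts": int(clock()), "nonce": secrets.token_hex(8)}
    return body, hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def run_scenarios(now: float = 1_700_000_000.0) -> Dict[str, bool]:
    """Exercise both servers with a fixed clock so the results are reproducible."""
    results: Dict[str, bool] = {}

    weak = UnauthenticatedRewardsAPI({SAMPLE_MAC})
    # The MAC travels in cleartext, so possessing it proves nothing; the server still accepts.
    results["weak_accepts_mac_only"] = weak.credit(
        {"kiosk_mac": SAMPLE_MAC, "player": "P-1001", "amount": 500})

    strong = AuthenticatedRewardsAPI(SAMPLE_KIOSK_KEYS, clock=lambda: now)
    kid, key = "kiosk-lobby-01", SAMPLE_KIOSK_KEYS["kiosk-lobby-01"]

    body, sig = kiosk_sign_request(kid, key, "P-1001", 25, clock=lambda: now)
    results["strong_accepts_genuine"] = strong.credit(kid, body, sig)
    results["strong_rejects_replay"] = strong.credit(kid, body, sig)

    tampered = dict(body, amount=5000, nonce=secrets.token_hex(8))
    results["strong_rejects_tampered"] = strong.credit(kid, tampered, sig)
    results["strong_rejects_unknown_kiosk"] = strong.credit("kiosk-unknown", body, sig)

    stale, stale_sig = kiosk_sign_request(kid, key, "P-1001", 25, clock=lambda: now - 3600)
    results["strong_rejects_stale"] = strong.credit(kid, stale, stale_sig)

    results["balance_credited_once"] = strong.balances.get("P-1001") == 25
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the contrast is that the weak server's only check is a lookup on a value the client supplies, whereas the hardened server's decision rests on a secret the client must possess, a body it cannot alter without invalidating the signature, and a nonce it cannot reuse. A production design would additionally rotate per-kiosk keys, bound the nonce cache by the freshness window, and run everything over TLS.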
Jessie Gill, Atrient's COO, asked what steps they could take to secure these services, and the researchers told them the urgent steps needed to secure their infrastructure. In response, Jessie said, "The information you have shared with us is fantastic, we are really impressed with what you have done here and we would like to have this information, how can we make that happen?" and invited the researchers to a private conversation to discuss it with them.
At the end of the call, the FBI asked Atrient whether it had properly informed its customers of this breach and of the vulnerability of their systems. Jessie, their Chief Operating Officer, quickly replied, "Let's talk about that offline", shutting the question down immediately.
** UPDATE call recording: https://dayafterexploit.com/Skype2.mp4
The above recording of the original vendor conversation was added to this article on February 7, 2019 after it was made available in this article by CBR Online.
The Bug Bounty Call
I was not on this call, but the researchers told me that Jessie Gill had promised them a $60,000 bug bounty and had asked them to keep the incident quiet until their lawyers could draw up an NDA and a legal agreement for them to sign.
As far as the researchers were concerned, Atrient was handling the issue the right way: securing its services, rewarding the researchers who reported the vulnerability with a bounty, and having its legal team draw up the necessary paperwork to cover the engagement. Naturally the researchers were delighted; they are both young and that is a considerable amount of money to them.
Jessie Gill promised the researchers that the lawyers would be in touch and would send them these agreements, a promise he repeated again and again for months.
The Runaround
From that point on, Atrient led the researchers by the nose with the promise of money and gave them the runaround. The researchers also tell me that Atrient made no real effort to secure its services, beyond hiding some servers from Shodan and taking the development servers in India offline for a short while.
Over the following four months it became apparent that no legal paperwork or bug bounty was forthcoming, and at no point did Atrient ask the researchers to sign an NDA. The researchers also found that Atrient had made no significant changes to its security policies or to the security of its services during this period. The security researchers were strung along for four months with the promise of a bug bounty and of the vulnerability being fixed.
ICE Conference Assault
Nearly four months after the initial disclosure to Atrient, the security researchers learned that Atrient CEO Sam Attisha had big plans for the ICE conference in London, where the researchers are based. Sam Attisha was scheduled to speak at the conference about a new facial recognition feature on their kiosks, which would scan users' faces and upload the biometric data to their servers, allowing casino customers to use the kiosks without their membership cards.
This alarmed the researchers, who rightly identified facial scans as a serious risk to users' privacy, especially while the back-end infrastructure was not properly secured, compounding the security problems Atrient already had.
They went to ICE as registered attendees to try to meet Atrient's Chief Operating Officer, Jessie Gill, whom they had been dealing with for four months, and Atrient CEO Sam Attisha, so that they could raise these concerns and discuss them face to face.
When one of the security researchers, Dylan Wheeler, approached the Chief Operating Officer, Jessie Gill, and introduced himself as the researcher Jessie had been dealing with, Jessie suddenly lunged at the researcher, violently grabbed him by his clothes and tore his press badge off him, telling the researcher that he no longer needed it and that he would be keeping it.
Several people witnessed the incident, including Atrient CEO Sam Attisha, who said nothing while it happened. The researcher began filming the incident on his phone as soon as Jessie let go of him. You can see in the video below that Jessie threatened the researcher with Scotland Yard before denying that he knew him, even though he knew exactly who the security researcher was.
We have partial video of the incident below, and I have asked the organisers of the ICE conference for the CCTV footage from the show floor. The security researcher has since reported the assault to the London Metropolitan Police, who are working with the conference organisers on this incident. Dan Stone, marketing manager for the ICE conference, said: "We take the safety of all our visitors extremely seriously and have reported the issue to the on-site security team, who are looking into the incident and will liaise with the police as required."
A security researcher (@degenerateDaE) has just been assaulted by a vendor (@atrient) for attempting to report, after being engaged with the vendor for three months following the report of a serious vulnerability they ignored. The police are involved, full story coming soon! pic.twitter.com/jK42iqcXV1
– Secjuice (@Secjuice) February 5, 2019
I contacted Atrient, personally calling the Chief Operating Officer, Jessie Gill, to invite him to comment on the unresolved security vulnerabilities at Atrient, his assault on the security researcher, or anything else he might have wanted to say, but he hung up on me.
I have contacted a number of Atrient's customers (Caesars Entertainment and Hard Rock International) to find out whether they have been notified of this security breach.
UPDATE – Possible Legal Threats
In response to the publication of this story, Jessie Gill sent me a strange email. I have pasted it below so you can see it. I am not quite sure whether they are calling me a co-conspirator; it looks like I am on CC and it is not really addressed to me.
The email is not addressed to any of the security researchers and does not name them, and the origin of the text is unclear, but it appears to have been cut and pasted from somewhere with the customary 'Dear John' part left out.
An email from Jessie Gill
Now that this has been exposed to the harsh light of day, they seem to have reacted with a knee-jerk, blustery legal threat. Rest assured, dear reader, I recorded the story as it happened and have told it truthfully.
The security researchers tell me that they recorded every conversation and kept a precise timeline of events tied to specific communications. You can take my word for it that there are no bad actors at Secjuice and that the security researchers have acted in good faith throughout the past few months.
Neither Secjuice nor the security researchers have received any formal legal notice from anyone resembling a legal representative of Atrient or a lawyer.
UPDATE – Atrient issued a statement and quickly removed it
After the uproar on social media, Atrient tweeted a statement, which they have since deleted after new evidence emerged contradicting their claims, as noted by journalist Dan Goodin, who asked them why they had deleted it.
Tweet courtesy of Dan Goodin.
Their statement remained online until this article by Ed Targett of CBR Online, containing audio recordings of the calls with the FBI and Atrient, was published; those recordings are at odds with the claims Atrient made in its statement.
Below you will find a screenshot of their statement on Twitter.
Image reproduced with the kind permission of Eli Gray
Atrient deleted the tweets after the CBR Online article and its recordings of the calls contradicted their claims in three ways. Atrient's first claim to be contradicted was their initial assertion of a brute-force attack on a demo server. The recordings of the conversations with the FBI and the researchers clearly show that this was wrong and that they were fully aware of the scale of the security vulnerability.
Atrient's second claim to be contradicted was that the FBI was aware of the matter, although I think this was perhaps a deliberately misleading choice of words rather than an outright untruth. The FBI is indeed aware of this group, mainly because, as the recorded conversations show, the FBI and the security researchers were already engaged before Atrient spoke to them.
The third claim to be contradicted was their assertion that the police had been unable to verify the incident and had confirmed that they had received no report of it. This claim was shown to be false when a Metropolitan Police spokesman told journalist Ed Targett by email: "[We] can confirm that police received a report by phone of an altercation at ExCeL, Western Gateway, Newham, in which a 23-year-old man was assaulted by a second man who took the victim's security lanyard. No injuries. No arrests. Officers from Newham police are investigating. Enquiries continue."
Atrient's fourth and final claim to be contradicted is that it reviewed the CCTV footage and found that it did not support the allegations. I have written to the ICE team for clarification on this CCTV footage, as it is not known whether such footage exists or whether it was actually provided to Atrient.
Other journalists have told me that ICE told them there was no CCTV coverage of the part of the show floor where the Atrient booth was located. To confirm whether this is true, I have asked a few people to go to the conference and map out the CCTV field of view in that area, and I will report back. There is no doubt that footage of the incident is extremely important to this story. The original video recorded by Dylan Wheeler only begins after the alleged assault, so it would be very useful for ICE to release any footage in order to establish the truth.
I asked security researcher Dylan Wheeler to comment on Atrient's claims in their now-deleted tweets and he replied, "I cannot comment on their deleted statement posted on Twitter right now because we are actively in touch with our legal team regarding this incident." The security researchers involved in this incident are working with lawyers on the potentially defamatory allegations that Atrient made and then deleted.
It should be noted that, despite the strange legal notice Jessie sent to Secjuice and the researchers by email (which was not addressed specifically to anyone) and the strange claims Atrient made in its statement on Twitter, neither Secjuice nor the researchers have seen any official legal communication from Atrient's legal team.
UPDATE – Original Call Recordings
Below you will find the original call recordings, taken from the CBR article: the first call that the security researchers had with the FBI, and the second call that the FBI set up the following day so that the researchers could talk to Atrient.
Call 1: https://dayafterexploit.com/Skype1.mp4
Call 2: https://dayafterexploit.com/Skype2.mp4
Originally I did not publish these call recordings, to protect the privacy of the people involved in the conversations, but once it became apparent that Atrient was doubling down on its efforts to condemn the researchers, and CBR had published them first, they became part of the public discussion, so I have included them here in the article for your convenience.
I am pleased to report that the information security community has rallied in support of the security researchers. Well-known information security professionals from across the industry have commented on this incident to support the researchers and condemn Atrient's actions. I have not included any of the saltier comments on the incident, but you can find them on Twitter.
Hi @atrient ,
Assault, threats and intimidation are not part of ISO 29147 vulnerability disclosure.
CVD does not stand for Cold Violent Disclosure.
Ignorance is no excuse.
Violence is never acceptable.
Based on the story, law enforcement should be looking at you, not at these security researchers. https://t.co/AZ7gEqShMi
– Katie Moussouris (@k8em0) February 6, 2019
Tweet courtesy of Katie Moussouris.
Hey @atrient This is really unacceptable behavior against people acting in good faith. https://t.co/azygNucAVT
– Stefano Zanero (@raistolo) February 6, 2019
Tweet courtesy of Stefano Zanero.
Lame @atrient makes casino client software with unpatched 0-days in its security. They beat up a hacker for disclosing the flaws; an article with "spin up a kiosk on a virtual machine to have your own personal kiosk at home", and my favourite quote, "discovered on Shodan".
– Hacker Fantastic (@hackerfantastic) February 5, 2019
Tweet courtesy of Hacker Fantastic.
True colours being shown by @atrient – I'm guessing it gets worse from here, wait for the script kiddies and hacktivists to find this one.. I see public disclosures on the horizon.. horrible way to treat someone who asked for nothing in return.. https://t.co/P5cGcaAeAW
– ozzie_offsec (@OOffsec) February 6, 2019
Tweet courtesy of Ozzie Offsec.
Assuming the technical claims in this article are, in essence, even remotely accurate, if I were advising a regulated casino (or any other business, really), I would tell them to pull every one of these products off the floor and start screaming. Loudly. https://t.co/kDzVb1R81H
– Marc Whipple – Legal Inspiration! (@Legalinspire) February 5, 2019
Tweet courtesy of Marc Whipple.
I cannot believe I even have to say this. If a security researcher discloses a vulnerability in your product, do not assault them. https://t.co/JrlEgzM0eM
– Eva (@evacide) February 5, 2019
Tweet courtesy of Eva.
I will keep you informed of the evolution of this story.
The image used in this article is called "Dao Lottery" and was created by Maria Soloveva.