An incident in which a casino-system vendor executive assaulted security researchers who reported vulnerabilities in casino systems
A security researcher who found a vulnerability in a casino system was grabbed by the chest by the COO (chief operating officer) of the casino-system vendor at the venue of ICE London, a conference for the casino and gambling industry. The background of the incident has been written up by Guise Bule, editor-in-chief of the information-security media outlet Secjuice.
Security Researcher Assaulted Following Vulnerability Disclosure
In September 2018, security researchers Dylan (@degenerateDaE) and Me (@Me9187) noticed a vulnerability in the kiosk terminals provided by Atrient, a technology vendor for casino systems. The kiosks are used for the "reward systems" that casinos offer their customers. Many casinos have adopted reward systems that give customers bonuses such as lottery tickets or free stays at nearby hotels according to the amount they spend, and Atrient's kiosk terminals were the mechanism through which customers collected those rewards.
The kiosks are sold not only in Las Vegas but to casinos around the world. According to Dylan and Me, the kiosks exchange users' personal information with backend servers, and personal information such as driver's-license scans, addresses and user behavior was not encrypted; it was transmitted over the Internet, where anyone could access it.
Atrient's kiosk terminals send user information to the server in plaintext, so all of the data can be easily read on the network. Because it is not protected by SSL, the kiosk API is highly vulnerable to external attack, and the data could reportedly be located easily using Shodan, the IoT device search engine.
Mr. Dylan and Mr. Me said the vulnerability is only the tip of the iceberg of Atrient's sloppy information management. According to the two, a third-party contractor in India to which Atrient outsourced system development had posted source code for the Atrient system on GitHub, and there were even cases where questions about it had been asked on Stack Overflow.
Mr. Bule said Mr. Dylan acted in good faith and tried to contact Atrient directly before disclosing the vulnerability. For a company with global customers like Atrient, the vulnerability discovered here is very dangerous, but Atrient employees seem to have completely ignored the emails the two sent repeatedly.
So the two consulted Mr. Bule, asking whether there was some way to get in touch with Atrient. When Mr. Bule posted on Twitter that "we are investigating a vulnerability in a Las Vegas casino", the FBI's Cyber Integration Unit contacted him. According to Mr. Bule, this FBI department helps broker cooperation when a vendor refuses to engage with security researchers who have discovered vulnerabilities.
With the FBI's intervention, Atrient and Mr. Dylan got a chance to meet, and a conference call was held with a group that included the FBI and Mr. Bule. Atrient was represented by COO Jessie Gill, and Dylan and Me explained that the kiosk terminals were vulnerable to external attack and that the risk and impact of criminal exploitation were great.
Mr. Gill asked the researchers what could be done to improve security, and just when the call seemed to be progressing, the FBI participant asked Atrient how it would explain the situation to its customers. Mr. Gill said he would like to continue the conversation offline, and the two researchers and Atrient appear to have then had a private conversation about a reward for the vulnerability discovery and a non-disclosure agreement (NDA).
Mr. Bule was not invited to that discussion, but according to the researchers, the two were offered a reward of $60,000 (about 6.6 million yen) and were asked to stay silent about the vulnerabilities until the NDA documents were drawn up. The researchers were very pleased, because $60,000 is a lot of money, and Mr. Gill promised that a lawyer would send the NDA consent form, Mr. Bule said.
However, Atrient never paid the two, and the system's vulnerability was not fixed either. About four months after the discussion, it became clear that Atrient had never initiated the process of paying the reward, nor arranged for the NDA consent form to be sent.
Around that time, Mr. Dylan learned that Atrient CEO Sam Attisha was going to announce a new system at ICE London, a conference for the casino and gambling industry. Attisha was planning to present at ICE London a system that scans the faces of casino users so that they can use the kiosk terminals without swiping their membership cards.
If the system were secure, there might be no problem with this. However, face scanning is a serious privacy risk in a system whose security is not adequately protected, as was the case with Atrient. So Mr. Dylan and Mr. Me attended the conference and decided to meet and talk with Mr. Gill, with whom they had spoken many times.
At the ICE London venue, Mr. Dylan approached Mr. Gill and introduced himself, whereupon Mr. Gill suddenly lunged at Mr. Dylan, grabbed him by the chest and seized his conference attendee badge. Mr. Gill told the researcher, "You don't need this anymore," and reportedly tried not to let go of the badge. The incident was witnessed by several people, including Atrient's CEO Attisha, and Mr. Bule says recorded video from the exhibition hall is being requested from the ICE organizers. Dylan also contacted the police about Mr. Gill's conduct.
After Mr. Gill let go of him, Mr. Dylan filmed Mr. Gill with his smartphone, and in the video Mr. Gill can be heard telling Mr. Dylan, whom he should have met many times, "I don't know who you are."
A security researcher (@degenerateDaE) was just assaulted by a vendor (@atrient) for trying to introduce himself after being engaged with the vendor for three months after reporting a serious vulnerability that they have ignored. Police are involved, full story coming shortly! pic.twitter.com/jK42iqcXV1 - Secjuice (@Secjuice) February 5, 2019
In addition, when Mr. Bule made these facts public on Secjuice, Atrient sent an email saying it would take legal action against those involved, including Dylan and Me. According to the email, the security researchers had hacked Atrient and threatened it, but Mr. Bule posted the text of the email on the site, saying its content is entirely untrue. Mr. Dylan also published a similar email on Twitter, stating, "I am recording all the interactions and we are not making any financial demands."
UPDATE: The company (my attacker specifically) has now emailed myself and @Me9187, with the stance that we 'hacked' them and 'threatened' them. - Dylan (@degenerateDaE) February 5, 2019
I will make it perfectly clear publicly that all calls were recorded, and emails were also archived, we made no attempt to (1/2) pic.twitter.com/h8tt2E2xA4