By Jane Melia, Vice President of Strategic Business Development, QuintessenceLabs and Co-chair, CSA Quantum-safe Security Working Group
No kind of organization has tighter security than the average casino. After all, the house always wins, and it wants to keep those winnings. A recent Wired article, however, explains how a team of Russian hackers managed to beat a lot of casinos worldwide. They did so by exploiting inherent flaws in the pseudo-random number generators (PRNGs) that are integral to randomizing every spin of a slot machine. Even if you don’t care about wealthy casino bosses losing money, you still need to be concerned about the drawbacks of using PRNGs, because slots aren’t the only things that are vulnerable. Most of the world’s encryption is also based on pseudo-random numbers.
What’s in a Name?
Before going into detail about how the heists were carried out, let’s talk about PRNGs and why pseudo should be a no-no for slot machines and, more importantly, cybersecurity. As the prefix “pseudo” indicates, the numbers generated are not truly random. PRNGs are programs that start with a base number known as a seed. The seed gets tumbled together with other inputs such as another algorithm and a random-ish physical component such as the timing of the strokes on a user’s keyboard. Both humans and computers are really bad at randomness, so if someone is able to measure the pattern of your keystrokes and/or break one of the algorithms used, they can reverse engineer the other inputs and predict the next numbers in the “random” sequence. Find the pattern, break the code and the jackpot (or encrypted data) is yours.
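The following added example (not from the original article) shows the seed problem described above from an auditor's side: a toy generator seeded from the clock is fully reproduced by anyone who sees a few outputs and knows roughly when it was seeded, while key material drawn from the operating system's CSPRNG has no such seed to search for. The generator, the function names and the sample timestamp are assumptions made for illustration and do not model any slot machine or product.

```python
import secrets

# Toy linear congruential generator (LCG); constants are the textbook
# Numerical Recipes ones. Illustrative only, not any real product's PRNG.
M, A, C = 2**32, 1664525, 1013904223

def lcg_stream(seed, count):
    """Return `count` outputs (0-99) of the toy LCG started from `seed`."""
    state, out = seed % M, []
    for _ in range(count):
        state = (A * state + C) % M
        out.append((state >> 16) % 100)  # observer sees only part of the state
    return out

def recover_seeds(observed, start, end):
    """Every seed in [start, end] whose output matches what was observed."""
    n = len(observed)
    return [s for s in range(start, end + 1) if lcg_stream(s, n) == observed]

def audit_time_seed(seed_time, slack=3600, seen=8, future=5):
    """Check whether a clock-seeded generator's future outputs are predictable
    to someone who saw `seen` outputs and knows the seed time within `slack` s."""
    stream = lcg_stream(seed_time, seen + future)
    observed, actual_next = stream[:seen], stream[seen:]
    candidates = recover_seeds(observed, seed_time - slack, seed_time + slack)
    predictions = [lcg_stream(s, seen + future)[seen:] for s in candidates]
    return candidates, predictions, actual_next

def key_material(nbytes=32):
    """Key material from the operating system's CSPRNG instead of a seeded PRNG."""
    return secrets.token_bytes(nbytes)

if __name__ == "__main__":
    SEED_TIME = 1486000000  # constructed sample: a Unix timestamp used as seed
    candidates, predictions, actual_next = audit_time_seed(SEED_TIME)
    print("seeds consistent with observations:", len(candidates))
    print("future outputs predicted:", actual_next in predictions)
    print("CSPRNG key:", key_material().hex())
```

The search covers only 7,201 candidate seeds, which is why a guessable seed undoes the generator no matter how well its output is mixed.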
One- and Two-Armed Bandits
In the case of the Russian casino swindlers, they were given a head start by Vladimir Putin, who had gambling outlawed in 2009. This meant a lot of slot machines were available on the cheap. Take apart a few machines, figure out how the PRNGs work and you’re nearly there. Since the inputs for slot machine PRNGs change based on the time of day, the hackers, in this case, had to do more work on-site at the casinos. The leg man would set himself up in front of a machine and video a dozen or more spins using his smartphone. The video would be streamed live to his compatriots in St. Petersburg, who would analyze the video and use what they knew about the machine’s innards to predict its pattern. Then they would send a list of timing markers that caused the phone to vibrate a split-second before a winning combination came up, signaling casino guy to hit the spin button. It didn’t work every time but it was a whole lot more effective than chance – somewhere around $250K per week more effective.
To make things worse, not only did the engineered cheat allow a shadowy St. Petersburg group to snatch millions of dollars, but the problem they exploited is a fundamental part of PRNGs, so casinos are still vulnerable to this kind of fraud. That brings us back to cybersecurity issues. As shown in the casino example, it takes a lot of work to figure out the patterns produced by a PRNG. Most hackers don’t have two dozen guys with a supercomputer in St. Petersburg to help. Soon, however, they will all have something better – at least if the goal is to defeat the PRNGs and break encryption.
The Future is Yesterday
Any data that needs to be kept secret and safe over time is already at risk of being breached. Quantum computers exponentially more powerful than those we use today are already being developed. Current predictions are that quantum computers will be fully realized in the next five to ten years, but it could be even less than that. No PRNG will be able to stand up to the brute force of quantum computers. All too soon, only a true random number generator (RNG) will do.
The only way to generate true random numbers is by using the natural world (i.e., something not made by humans). Quantum encryption, for instance, uses the fully entropic (or completely random) nature of the quantum world to generate true random numbers that are the basis for the strongest possible encryption keys. Quantum key generation is designed to take on the coming quantum computing storm and keep medical records, tax returns, classified government documents, corporate secrets (and anything else that needs to stay under wraps after 2020) safe. Bet on it.