Well, good afternoon, how’s everybody doing? Good? Alright. So, for those of you guys that came in a little late, perhaps you’re still expecting a talk about airplanes.
Something that probably would have been pretty controversial, right? Well, the airplane talk is not going to happen. The speaker could not be with us. And so, luckily though, we have something that is going to be completely non-controversial given where we all are.
And that’s a talk about cheating at Poker. So, we want to give these guys a big hand because, not only is this going to be an awesome talk but they stepped in at, obviously, the very last minute and they’re going to put on a great show for you guys. So, let’s give Elie and Celine a big hand. Bonjour.
My name is Elie and this is Celine and today we’re going to tell you about our secret DEF CON talk. For this reason we tried to keep it quiet before coming in. You can imagine why. So, this is on work we did with our friend Jean Michel during our spare time. And so, try to imagine if James Bond was cheating, and I’m not saying he is, but try to imagine for a second.
He will go to the lab to Q and say, “Hey, do you have one of those insane crazy gadgets so that I can cheat and see all the cards?” But well, that’s just a movie, right? And we only have, like, lame cheating devices. Well, a few years back I was casually trolling through the black market forums, the Chinese ones, and a post caught my attention. I don’t speak Chinese very well; it was about a weird device and the guy lost all his money and he was warning people and it was super hi-tech. I didn’t quite understand it and then when I tried to show it to one of my friends who speaks better Chinese, the post was gone and I’m like, “Okay, I must have hallucinated.” It was, like, 2am, probably not going to happen.
And then, it’s sitting there in the back of my mind and a few months after I come across this post which basically says, I’m not going to read it out loud. Blah, blah, blah, yes, those devices, it is real. I don’t know what “it” is at that point but it is real and people got ripped off in Texas.
And a lot of people lost a lot of money, about 100K, and then a lot of people got ripped off and then it killed all commercial gaming for Poker in Canada. And at that point I’m, like, well, if someone has it in the United States then I probably can find it on the internet. And sure enough I was able to find the seller. As soon as I knew what to look for I was able to find the seller. And the seller said, “Use this for a bargain, which is only 4,000 Euros, about $5,000, with 40% discount,” right? He tried to make you a good price.
This web device and all you get is this picture. And so, this is a Romanian seller. Of course, I knew this thing was from China because I read earlier, in the blog post, the post on the forum, so, we traced it back to China and we were able to find the guy who built the real thing, who would hopefully sell it to us for a cheaper price. And so, we notified the guy, got into contact, or a friend of ours got into contact with him and tried to get him to get us the device.
And the guy’s, like, “Sure, I give you a good deal, I give you the device and a bunch of gizmos. Don’t worry, it’s only $1,500. Please wire me to Western Union.” Yeah, and we’re, like, “Okay, that seems absolutely normal. I’m going to go to Western Union and just wire $1,500 to China. What can go wrong?” Well, we did it, and then we waited. A lot.
And when we were about to lose hope a package arrived. And, like, yeah, we’re, “Oh, we have a talk for DEF CON.” We didn’t know if it was working yet, but we felt pretty confident at that point. And so, here’s a demo of what it looked like. I wish I could give you a better demo but it’s super small. But here’s what it looked like. So, I’m going to shuffle the cards.
And it’s the first shuffle, no sleight of hand, I promise. And so I’m going to deal two cards. I’m going to put a card and… [Electronic voice: Spade Ace, Diamond Jack]. So… wait what? Yeah, what the hell is going on, right?
Something is reading the cards out loud? So, has anyone of you figured out what it is? No? Okay, let’s try again. As you see, the phone is gone, so we’re going to try again.
So, I shuffle and… [Electronic voice: Heart 2, Diamond 5]. There, it works, it’s like, it really works and it’s really what you see and that’s what a Poker player on the table would see. [Electronic voice: Heart 4, Diamond 8].
It doesn’t miss, it doesn’t misread, it’s actually extremely accurate. So, that’s the story of this talk, we’re going to tell you what the hell is going on and we’re going to tell you what works about it. So, it’s a device, of course. And so, the device is this, it’s a phone, or it looks like a phone. It’s here, for those who can see it. It basically looks like a legitimate phone.
We believe it’s actually inspired by the Samsung Core. If you compare the two back to back it’s almost the same thing. On the left side you can see the Galaxy Core, on the right side you can see the modified device. So, they have a bunch of built-in security features which make it hard to analyze. The first one is, they send you the activation code separately and there is no way to activate the device without it, so they’re extremely careful.
Which actually speaks a lot about how professional they are. They have removed ADB and debug mode, so you turn on Android but you cannot run ADB, you can’t have any debug mode. And they also prevent you from taking a screenshot by simply removing this ability to make sure you cannot extract a screenshot of the poker player or the poker video player analyzer as they call it. So, a few fun facts, looking at it, it’s a custom ROM, Chinese 4.2.2. It’s also used in Chrome devices from Samsung. The cheating hardware is completely hidden from the UI.
It’s a completely distinct secret. You can’t see it, you can’t probe it. So, if you don’t know what you’re looking for, it’s just a phone. And so, it’s really, really resilient to, like, someone telling you you’re cheating, you hand over your phone, there is absolutely nothing to see. It operates like a phone, it can make phone calls, it has as many apps as you want. Your Facebook, Snapchat, all work perfectly, so it’s really hard to know it exists.
And the funny story is we also found a lot of code that actually phones home to China. Not sure why they did that so we lay on the side of the back door. So, how does it really work? In James Bond movies it would work like this.
Pierce Brosnan would just put on his glasses and it would just work magically. I wish it would work that well but, no, that’s not how it works. The way it works is, you have a pack of cards and they’re going to give you multiple options to get any type of card, including Bicycle for the United States, also the ones popular in China, Macau, Hong Kong and so forth. So, you choose the type of card you want and they will mark them for you. And the device itself has a bunch of interesting electronics embedded into it.
The first thing they have is infrared LEDs which go into a black and white camera. So, the infrared LED will shoot infrared light through the side of the device, because the side of the device is actually modified to allow infrared to go through. The infrared will illuminate the side of the poker player and as a result what you will see is, the ink is made to absorb the infrared so you will see those black dot markings and that’s what the camera is capturing. So, basically what they do is they use infrared absorption to mark the side of the deck. That’s the basic, underlying principle.
Here is an exposed view. So, as you can see here, you probably don’t realize it but the device is on and if you squint really hard you can see three purplish dots on the top right and these are the LEDs. And if you turn off the light you see the LEDs. Because we took it with a camera with the IR filter off.
And you can see clearly the three LEDs which are embedded in the side of the poker player. And if you can get an idea it’s very, very small, this here. Impossible to know if you don’t know what it is. So, again, it speaks about the quality of the construction and the professionalism of those kinds of devices which really clearly shows this is not home-made.
It is probably very professionally made and they probably make a lot of money out of those. So, here’s an exposed view. So, I tore it apart, opened it, and what you can imagine in here is, you see probably an orange square.
This is custom hardware that’s actually baked into the phone. Here’s a better view. So, you have the camera, as I mentioned, which is here. Then you have a custom chip which handles the AV, both the audio and the video, which is separate from the phone and then bridged back to the phone. And then here is the top view. You can see the three LEDs that I mentioned earlier.
And you can see on the right side there are two dots which are basically the out for RF and Bluetooth and we’ll see how they’re being used in a few seconds. And so, all of those are connected to a simple antenna which goes around the back of the phone to have better reception. So, now Celine is going to walk through what the user experience looks like and how you use the app that they actually embed into the phone.
Hi, can you hear me? Yes. So, I’m Celine and so I’m going to show you how the Poker Player Application works. So, this is a screen shot of the device where you can see the Android App menu.
And can you spot in this screenshot which app is used to control the device? I can’t hear you. No, so, the app used to control the device is this one, the game app. And so, what you do is you click on the icon, start the app, and the first screen you’ll see is the login screen. So, the username is hardcoded and there’s only one, it’s the Admin. And so, as mentioned earlier by Elie, the password was sent to us separately from the device.
So, you type in your password, click on the sign in button and then you access the main app screen. But don’t worry if you forgot the password or you don’t have the password, there is a backdoor password that we found out. So, when you log in the main app screen contains six options slash screens. So, the first one is the Game Hall. It contains a list of all the game types bought by the device. The second one is Purchased.
It contains all the game types you already purchased, so that’s the one you can use. The Upgrade screen is used to buy more game types. Common Game is the list of game types you purchased and with a small explanation about how the app will behave, depending on the game type. System Info is not relevant, doesn’t contain any useful information.
And the last one is Settings. It allows you to configure how the device will work. So, this is a screenshot of the Game Hall. So, as you can see, there are hundreds of game types that cover a lot of use cases. So, this is another indication that people buying this device are running a real lucrative and professional business. So, now if you want to use the device to cheat you go to the Purchased screen.
On this screen, on top, you can see that we have three credits, and we used two of them to buy two game types, and we have one remaining credit. Notice that there’s poor spelling in English. This means that this device is mainly targeting the Asian market and they didn’t spend a lot of time on the English translation. So, in our demo we use the second game type. That’s the number two, read the card directly, so it’s going to read the card directly. So, you click on it and then the app is going to show you the Settings screen.
You can configure the number of players. You can configure input and output methods. So, Elie’s going to detail those methods later in the talk. You can also configure the device to repeat continuously the reading of the card or just do it once. So, if you want now to use the device you just hit the Start button on the screen and then you get the main game screen. So, what you can see on the top of the screen is a live capture of the hidden infrared camera here.
And so when the cards are face down on the table, the back appears on the left part of the screen where the Up symbol is. Below that you can see how many players are playing. You can see what is the game type you used, so, we used the 1016 which is the Read Card Directly. Just below you can see if you are using any haptic feedback devices and what’s its status.
And finally, the important information is the result of the reading. So, there are two players. The app is reading that the next two cards on the top of the deck will be six of Hearts and eight of Diamonds. So, now just a few fun facts about the app. So, we found out the backdoor password. So, this password, when you have it, you can access any device.
And by analyzing the game app we found out that the interesting part of the code that controls the input and output devices and does the card recognition is not in the app. It’s in a kernel module. So, now Elie’s going to talk about how the card markings are done. Okay.
So, Celine just showed you that the app should read the marking but the key question is, how does the marking come onto the card in the first place? Because, obviously if you were to have a bad deck or a deck that doesn’t feel legitimate in the hand, people will be suspicious. Again, this is for cheating.
So, what they do is, when you order the device they ask you which type of card you want. I ordered Bicycle because that’s the one we most use in the United States and that’s what you receive. As you can observe, it’s wrapped up, so if you were to actually hand it over in a Poker game it will look like a normal Poker deck of cards that you would open. The pip sign is still on. So, how do they get the cards in?
What happens is they resealed it and put the cards… they open the cards, obviously, for marking, by opening the bottom of the deck. But when you open the deck, if you don’t remove the transparent sleeve then you won’t see that. So that’s very clever of them. And then you have the cards. If you manually inspect the cards and if you want to look at them up close, you’re welcome to after the talk to do that. It’s really hard to even feel it or see it.
It’s actually really, truly a regular Bicycle card as they probably are bought and then marked. And so, as Celine mentioned, the only difference is under infrared light you will see the markings. So the regular cards up here like this on the right side which is basically just blank. Whereas the marked card has this absorption ink which will mark those dots.
Each card name and number will have a different distinct pattern which repeats multiple times over the card for redundancy and because they don’t know what the angle is exactly, right, they want to be angle proof as much as possible. We even found devices which are more expensive, but we ran out of money; they have two cameras, one of which tries to actually increase the angle of vision to make it more robust. And then you have short black, long black and that’s basically zero and one, and that’s how they mark the card. And then they have a bunch of functions. Here’s one where basically the upper digit is the number for the color, and then the lower digit is for the number.
This is why they will always say Diamond or Heart Six, Club Four, because they first read the suit and then they read the value of the card. But, sure, I mean, no gentlemen’s device will be complete if it doesn’t have a bunch of bells and whistles, right? So, let’s look at how you actually interact with the thing, right? Because even if you have it, it’s really hard to use by itself.
So, they bring you a few things. So first thing they have is a remote and the remote will do two things for you. A, it will allow you to change dynamically and silently the number of players at the table because people can come and go. Or they see people leaving the room, bye bye.
And then the other one is, we have the sound on and off. So, what this means is, if people are talking to you, you don’t want to get caught, you can turn off the Poker Player. We looked into it with Jean Michel and it’s basically a standard 2-FSK modulation, a series of three commands, one for the sound on/off, one for incrementing the player, one for decrementing. It’s on the 800-megahertz frequency so standard RF, really easy to jam.
Really easy to also impersonate so you can probably change the volume at will if you know there is one in the room. And then in the app configuration you can obviously choose between the speaker and the headset. So, the headset is composed of two parts. The first part is this thing which is a remote.
And so, the remote has a volume button which is to increase or decrease the sound of the ear piece, and an on and off button. Can any one of you guess what is the lanyard for? Come on, be creative. No, it’s just to hang on to your neck.
Sorry. So yeah, that’s the necklace. And so what it does actually is, this is connected to the phone in Bluetooth but the earpiece you have in your ear is so tiny they couldn’t fit the Bluetooth transmitter so this thing will basically be a bridge which will do Bluetooth to the phone and transfer it into RF so you have analogue RF into your ear. So again, very easy to eavesdrop with any SDR if you know what to look for. And it’s very, very tiny. It has a tiny battery.
When you have it on you it’s very impossible to tell. They also have another very cool device which is a haptic feedback. So, the idea here is, again, a Bluetooth P4.
They call it a P4 1 and you saw on the screen before that it’s disconnected or connected. And what it does is, it has a bunch of vibrators that you would put either on your arm or on your leg and each of them will vibrate to tell you who is going to win, who is the second one, who is the third one, and so forth. So, it will ring in sequence and so you can have this haptic feedback if you don’t like to have an earpiece.
Hey, I think they will have customers, you know, they try to operate everyone’s needs. For those who don’t really look like, they even have the sneaky display idea where, so basically what happens when you read the card it switches the minutes and the seconds to the first winner and second winner, so you can just look at the time on your phone and like, “Oh, yeah. All in.” The most funny part of the device was the wireless camera. And so, you can activate the wireless camera, again, from the UI and it comes packaged as a car key; there are many, many other options for you. There are also ones for watches, belts, shirts and a bunch of others.
We got the car key one because it was easier to tear apart. And so, the car key looks like this. It looks almost like a real key. Again, here’s an exposed view on how it works. So now that you know how it works on the exposed view, and when you use the car key, you put the deck in front, and then you can see on the app [Phone voice: Diamond 5, Diamond Queen]. So you see it and you see the deck going back and forth on this Queen on the phone.
And so, you can do it again. And an interesting quirk that we found is, as you can see, here. [Phone voice: Plum 6, Diamond King]. They call ‘Club’ ‘Plum’. Because that’s a literal translation in English so we bet they were just translating with some bad translation software and just like, well, it’s Plum. It’s actually Club, but oh well.
That’s one of the funny quirks about it. And so the key, again, has the same principles. They have LEDs behind the plastic which will let the infrared go through. Here’s an exposed view. This time you have two LEDs and the camera is just next to it. So, here’s when I tore it apart.
What you see is the hidden camera on the left side. The battery, they give you two. This thing sucks so much power, that I was really surprised when I looked at the device there was a ton of batteries. Seriously, I’m like, “What the hell is that?” It’s got MKT Hit.
I’m like, “What the hell…,” sorry, Emmett. “What the hell is that?” And then I look it up and basically they have a kernel module that checks the temperature of the phone and will shut it down before it explodes. So, you know, they just don’t want you to die. But this thing basically is so power hungry that they had to put the system in place. And if something happened to the key, the key got really hot, and a battery which is an 800 milliampere unit will last you probably 30 minutes, so you have another one, so you go to the bathroom, open the key, plug the battery in, you go back right to the Poker game, every 35 minutes.
That’s basically what you have to do. Here’s the exposed view. You see again the camera, the two LEDs and they’re all attached. You have a small antenna and you have an MCU 8051 which controls it. We were able to find it online, except there is no data sheet, so we had to basically do guesswork when we were looking at the transmission.
And so, we were using a software defined radio to actually try to understand how the thing was transmitting images and the idea of, can we jam it, can we replace it? The answer is, yes, to both. Actually, it was very hard for us because we realized this is not digital.
It is literally an image and so we were looking at that so it emits in the 2.4-gigahertz band, like Wi-Fi, and we think it’s PAL or NTSC but we really battled it. I mean, Jean Michel and me are really accustomed to dealing with analogue, we’re more like digital kids so it was really a surprise, very hard for us to figure out how to do it. But yes, with a normal SDR you are able to jam the thing and to replay images at will, so you can clearly defend yourself against this thing if you play Poker cheating by just jamming their Poker player. If you don’t like Volkswagen they actually offer you a nice option to customize. Attention to detail again. So, that leaves us with a few open questions that we don’t have a good answer to.
The first thing is, this is the most sophisticated cheating device we’ve ever seen and ever heard of. And it begs the question of how they created it. And it’s a lot of work; you have to rehouse a normal phone, a lot of electronics, do a lot of programming.
I mean, they have a kernel module that does immeasurable conditions. And we don’t know if it’s either a tech which has been used before by casinos. We heard, if you look it up, some casinos had this technique in the 1980s, 1990s, of having some sort of camera to catch people who were counting. So, maybe that comes from there. Or they actually built it and in that case there is a large underground market that I don’t know of. But it’s really interesting to know who might be behind such a device. The second thing is, we don’t believe it’s actually used in casinos because casinos have professional dealers so it’s really hard to use that kind of deck.
We believe it’s more for background playing or among friends. So, it begs the question of, who is buying it and who is basically ripping off who? And finally, interestingly enough, you can’t really go buy infrared ink at Office Depot. You’re like, “Oh, can I get some infrared absorption ink?” And they will look at you very funny.
There are only very few places that actually sell those so how they get their hands on it and how they create the marking process is something we don’t have much of an answer about. So, a few takeaways. Yes, James Bond devices exist. It’s really hard to find but actually you can get lucky and get one.
It’s pretty expensive but you can get one. Crimeware can be super sophisticated. You know, we have heard at DEF CON again and again about the NSA playset, but apparently the mob bosses have, well, the equivalent and it’s just, we haven’t looked at it just yet.
And finally, it did require a lot of skillset to be able to actually prepare this presentation and we had to go from hardware analysis to software analysis to RF analysis. So, we want to basically acknowledge and thank our co-conspirators who only just want to be named by their surname. Pixel helped us with the hardware analysis and Vivi was the person who was able to get it out of China. So, a big thanks to them. So, thank you very much for attending.