How An Australian Casino Left Its Network Wide Open To Attack

Security is a big deal at casinos, from the tuxedoed goons standing at the entrance to the gaming floor to the layers of IT protection for the data flowing to and from the site. Yet casinos still make mistakes, and one Australian gambling giant experienced a particularly spectacular stuff-up with its network.

Casino security expert Douglas Florence gave the example during a presentation at the Australian Security Industry Association (ASIAL) conference in Melbourne today. Florence, who works for surveillance consultancy Avigilon, was describing a visit a few years ago to an unnamed casino in Australia, where he was consulting with an IT/security manager. While there, he tried to access the casino’s Wi-Fi network on his own phone.

There was a visible casino SSID, so he asked his host for a password. “Password? We don’t have a wi-fi network” was the slightly concerned reply.

One obvious cause could have been a nearby phone or laptop set up to spoof the casino network. However, when Florence and his host ventured outside the building, the signal remained strong well into the car park, suggesting a more complex issue.

The real drama? The passcode for the network was only a five-digit sequence. Florence tried the most obvious choice — 12345 — and discovered that he could log straight into the main network. “It turned out to be an integration partner who had added a wireless access point to one of the switches during set-up and then never removed it,” he said. No data was ever stolen, but doing so would have been relatively trivial.

While an extreme example, Florence said that casinos often had a stronger emphasis on physical security than on IT elements. “As a security solutions provider, we know we have server-based systems. We have to do more than put a lock on the door — and that is traditionally what casinos have done.”

Casinos remain a tasty target because of the huge sums of money they handle. “We know there have been attacks in the last year or two that have contributed to tens of millions of dollars being stolen from specific casinos,” Florence said. “We’re talking millions of dollars — that’s why they’ll go to this level.”

Ensuring you don’t accidentally leave an access point attached to a switch is important, and a lesson every business can learn. Managing and training staff is also important, Florence said. During a period when he worked with the Rio casino in Las Vegas, the organisation averaged one employee arrest a week — for three-and-a-half years.