Following a serious vulnerability disclosure affecting casinos globally, an executive of casino technology vendor Atrient has assaulted the security researcher who disclosed the vulnerability at the ICE conference in London. This is the story of a vulnerability disclosure gone bad, one involving the FBI, a vendor with a global customer base of casinos, and a severe security vulnerability which has gone unresolved for almost four months and is being hidden by the vendor.
Our story begins with two white-hat security researchers, Dylan and Me9187, who were on a Shodan safari back in September when they noticed what looked like a casino player reward server (with no authentication) exposed to the public internet. After a little more investigation by the researchers, it became obvious that the server was supporting player reward kiosks in casinos all over Las Vegas.
These kiosks are made by a vendor called Atrient and are part of what Atrient calls its 'PowerKiosk Marketing Platform', marketed to casinos globally, which use the kiosks to engage their customers with a loyalty reward program.
Depending on the kiosk setup and casino, the kiosks provide loyal casino customers with an interface they can use to register their purchases at the casino and receive loyalty bonuses in return. Bonuses can include theatre and show tickets, comped hotel rooms, entries into cash prize draws and anything else the casino wants to use as rewards, including cash back on purchases in some locations.
These kiosks and the back end server exchange the personal details of their users, sending data like driver's license scans (used for enrollment), user home addresses and contact details, as well as details about user activity, unencrypted and over the public internet. When the researchers discovered that the unauthenticated reward server was directly connected to the kiosks on the casino floor, they realized that the entire API the kiosks used was wide open to criminal abuse.
Every single kiosk was calling home to the server in plain text, and all data sent from the kiosks to the server is clearly visible on the network. Because there is no SSL/TLS protection and because the API is wide open and vulnerable to abuse, it is possible to identify kiosks by their MAC address and use the unsecured API to change details, track users and add credit to user accounts, and even to spin up your own kiosk on a VM and connect it to the network in order to have your own personal home kiosk.
Atrient were not segregating these kiosks into VLANs, their FTP access was wide open and unencrypted, and all of this was discovered using the Shodan search engine; all of it was publicly visible to anyone on the internet who knew where to look.
Atrient is a market leader in selling these loyalty kiosks to casinos, and these kiosks have been sold to casinos all over Las Vegas and the United States and, via their partnership with Konami, to casinos all over the world. Considering that Atrient COO Jessie Gill said in the media recently that they "don’t have a different version for different operators; we integrate all functions in a single product", there is a very high likelihood that this vulnerability affects all of their customers, including their white-label partner Konami, which has rebranded Atrient's tech for its own customers.
The security researchers who first discovered this vulnerability, Dylan and Me9187, told me that the vulnerability was just the tip of the iceberg when it came to sloppy security practices at Atrient. They saw casino WiFi network passwords stored in plaintext, user personal data stored in plaintext and no attempt to secure anything.
They even found Atrient's third-party contractors (based in India) posting Atrient's source code on GitHub and asking Stack Overflow questions about it, an indicator which made it obvious to the researchers that security was not being taken seriously.
It was clear to the security researchers that Atrient had outsourced their development to India, where a significant amount of their services were being hosted, including their FTP, kiosk management services and the development servers. It was obvious to the security researchers that the subcontractors were not taking basic security steps to keep any of this infrastructure from being discovered on the open internet.
Reporting The Vulnerability
The security researchers acted in good faith, followed responsible disclosure best practices and tried to directly contact Atrient to report the vulnerability and make them aware of how serious a problem this was. For a company like Atrient with a global customer base and a record of talking about how secure their systems were, you would expect them to respond immediately. Unfortunately Atrient completely ignored repeated emails to multiple executives and members of the Atrient team.
The researchers even left messages with their contact details on the FTP server for the admins to see, warning them about the vulnerability. They made every good-faith effort to get in touch with the vendor and responsibly disclose, but to no avail.
Atrient completely ignored the researchers, except to follow them on LinkedIn and Twitter, and showed no interest in communicating with the researchers in any way.
The researchers then reached out to me, asked for my help in contacting Atrient and asked me to tweet out about the vulnerability on Twitter, so I helped them.
Enter The FBI
When I sent out the tweet reporting that I was working on a story about the vulnerability, one which affected casinos all over Las Vegas, the tweet was noticed by the FBI's Cyber Fusion Unit who then reached out to me for a conversation.
This particular FBI division works to connect security researchers with vendors when vulnerabilities have been discovered, particularly in cases where the vulnerability is serious and the researchers are being ignored by the vendor.
I was asked to put together a call with the researchers and the FBI and on the call the researchers briefed the FBI on the vulnerability they had found and the attempts they had made to contact Atrient. The FBI then set up a call for the next day between Atrient and the security researchers so we could all get on the phone together and make sure Atrient properly understood how serious the vulnerability was. Now that the FBI was involved it seemed as if Atrient was finally taking the vulnerability disclosure seriously which gave us hope that the vulnerability would be quickly remediated.
The Vendor Call
The next day I joined the vendor call with the FBI and the security researchers; Atrient was represented by their COO, Jessie Gill, and another member of staff. When the call started and everyone had been introduced, the floor was handed over to the security researchers, who explained that the kiosks and supporting infrastructure were wide open, that players' credit could be manipulated, that users' personal data (including driver's license scans) was exposed to the public internet, and how you could enter casino cash prize draws with as many entries as you wanted in order to win them, all without Atrient or their developers and subcontractors noticing.
They clearly explained to Atrient how the risk of abuse was extremely high because there is no way to differentiate legitimate calls from malicious API calls in the Atrient back end system, leaving it wide open to criminal exploitation.
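The design failure the researchers describe here, and in the technical section earlier in this article, is that the back end takes a kiosk's identity from a value the client supplies (its MAC address) over plaintext HTTP, so a forged request is indistinguishable from a real one. The example below is added here to illustrate that failure mode and one common remedy; it is not Atrient's code or API, and every name, field and key in it is made up for illustration. The weak server mirrors the described behaviour (trust the caller's self-reported identity, credit whatever it asks). The hardened server provisions a per-kiosk secret out of band and requires each request to carry an HMAC over its canonical body plus a timestamp and nonce, so a spoofed, tampered, replayed or stale request is rejected before any balance changes.

```python
"""Illustrative example only: a made-up reward API, not Atrient's code."""
import hashlib
import hmac
import json
import time


class WeakRewardServer:
    """Weak design as described in the article: caller-supplied identity, no auth."""

    def __init__(self):
        self.balances = {}

    def add_credit(self, request):
        # 'mac' is whatever the client sent; it is never checked against
        # anything, so anyone who can reach the port can credit any player.
        player = request["player_id"]
        self.balances[player] = self.balances.get(player, 0) + request["amount"]
        return {"ok": True, "balance": self.balances[player]}


def canonical(body):
    """Deterministic encoding so kiosk and server sign the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def kiosk_sign(key, kiosk_id, player_id, amount, ts, nonce):
    """Kiosk side: build a request and sign it with the kiosk's provisioned key."""
    body = {"kiosk_id": kiosk_id, "player_id": player_id, "amount": amount,
            "ts": ts, "nonce": nonce}
    body["sig"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body


class SignedRewardServer:
    """Hardened design: per-kiosk secret, HMAC over the body, replay window."""

    WINDOW = 300  # seconds of clock skew tolerated (hypothetical choice)

    def __init__(self, kiosk_keys):
        self.kiosk_keys = kiosk_keys      # kiosk_id -> secret bytes, provisioned out of band
        self.balances = {}
        self.seen_nonces = set()          # in production: bounded store keyed by kiosk

    def verify(self, request, now=None):
        now = time.time() if now is None else now
        key = self.kiosk_keys.get(request.get("kiosk_id"))
        if key is None:
            return False, "unknown kiosk"
        body = {k: v for k, v in request.items() if k != "sig"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # constant-time compare so the check does not leak the digest byte by byte
        if not hmac.compare_digest(expected, request.get("sig", "")):
            return False, "bad signature"
        if abs(now - body["ts"]) > self.WINDOW:
            return False, "stale"
        if body["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(body["nonce"])
        return True, None

    def add_credit(self, request, now=None):
        ok, err = self.verify(request, now)
        if not ok:
            return {"ok": False, "error": err}
        player = request["player_id"]
        self.balances[player] = self.balances.get(player, 0) + request["amount"]
        return {"ok": True, "balance": self.balances[player]}


def weak_demo():
    # Constructed request: an attacker claims a MAC and credits a player.
    return WeakRewardServer().add_credit(
        {"mac": "00:11:22:33:44:55", "player_id": "player-7", "amount": 9999})


def signed_demo():
    key = b"\x01" * 32                      # constructed fixed key for the example
    server = SignedRewardServer({"kiosk-0042": key})
    now = 1_700_000_000
    good = kiosk_sign(key, "kiosk-0042", "player-7", 25, now, "n1")
    accepted = server.add_credit(good, now=now)
    replayed = server.add_credit(good, now=now)                # same nonce again
    tampered = server.add_credit(dict(good, amount=9999), now=now)  # sig no longer matches
    spoofed = server.add_credit(
        kiosk_sign(b"wrong-key", "kiosk-0042", "player-7", 25, now, "n2"), now=now)
    stale = server.add_credit(
        kiosk_sign(key, "kiosk-0042", "player-7", 25, now - 3600, "n3"), now=now)
    return accepted, replayed, tampered, spoofed, stale


if __name__ == "__main__":
    print(weak_demo())
    for r in signed_demo():
        print(r)
```

Request signing only addresses who is allowed to call the API; it does nothing for the plaintext transport the article describes, so driver's license scans and addresses would still be readable on the wire. In practice the signing would sit on top of TLS (ideally mutual TLS with per-kiosk certificates), the kiosks would live on their own VLAN, and the server would log rejected requests so that the forged calls the researchers describe are at least visible.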
Atrient's COO Jessie Gill asked what steps they could take to secure these services, and the researchers advised them of the immediate steps they could take to secure their infrastructure. During the call the FBI asked Atrient if they had properly notified their customers of this breach and vulnerability in their systems; their COO Jessie quickly replied "let's talk about this offline", immediately closing down the question.
He then blurted out "I want to own this, its IP and what you know" and invited the researchers to another conversation to discuss a bug bounty and NDA with them.
The Bug Bounty Call
I was not privy to this call, but I have been told by the researchers that Jessie Gill offered them a bug bounty of $60,000 and asked them to keep the incident quiet until their lawyers could draw up an NDA and legal agreement for them to sign.
Atrient promised the researchers that their lawyers would be in touch and send them those agreements over shortly. As far as the researchers were concerned Atrient was dealing with this in the right way, moving to secure their services, reward the researchers who reported the vulnerability with a bounty and instructing their legal team to draw up the paperwork to cover the engagement. They were also promised consultancy work to help Atrient fix the vulnerability which never materialized.
The Run Around
From that point on Atrient gave the researchers the run around and the researchers tell me that Atrient have made no real efforts to secure their services. I am told that they did take the dev servers in India offline for a short time, but they have since been brought back up with the same security controls. The researchers remained in contact with Atrient who assured them that the lawyers were preparing the paperwork and that they would be paid their bug bounty shortly.
It became clear over three months of this that no legal paperwork or bug bounty was forthcoming and Atrient did not at any time ask the researchers to sign an NDA. It also became clear to the researchers that Atrient had made no significant changes to their security policies or the security of their services in that time frame. The security researchers had been given the run around by Atrient for over three months, during which time they were promised a bug bounty and promised the vulnerability would be resolved. This turned out not to be true.
The ICE Conference Assault
Almost four months after the initial disclosure to Atrient, the security researchers learned that Atrient CEO Sam Attisha had big plans for the ICE Conference in London, where the security researchers are based. Sam Attisha had planned to speak at the conference about the new facial recognition feature in their kiosks, which scans users' faces and uploads the biometric data to their servers, allowing casino customers to use the kiosks without swiping their membership cards.
This alarmed the researchers who quite rightly identified the facial scans as a serious privacy risk for the users, especially if the back end infrastructure was not properly secured, further compounding the existing security problems Atrient had.
They went along to ICE as registered attendees to try to meet with Atrient COO Jessie Gill, who they had been talking to for three months, and Atrient CEO Sam Attisha, in order to raise these concerns and look them in the eye.
When one of the security researchers, Dylan Wheeler, approached COO Jessie Gill and introduced himself as the researcher who Jessie had been dealing with, Jessie suddenly lunged at the researcher and violently grabbed him by his clothes on his chest before then tearing his attendee badge away from him, telling the researcher that he didn't need it anymore and that he would keep hold of it.
This whole incident was witnessed by multiple people, including Atrient CEO Sam Attisha, who said nothing throughout. The researcher started to video the incident on his phone as soon as Atrient COO Jessie Gill released him. You can see in the video below Atrient COO Jessie Gill threatening the researcher with Scotland Yard before then denying that he knew him, when he very obviously knew exactly who the security researcher was.
We have partial video of the incident below and I have requested the CCTV video recordings of the exhibition hall from the ICE conference organizers. The security researcher has since reported the assault to the London Metropolitan Police who are working with conference organizers on this incident. Dan Stone the Head of Marketing for the ICE conference told me "we take the safety of all of our visitors to ICE extremely seriously. We have reported the matter to the on-site security team and they are looking into the incident and will liaise with the police as required".
I have reached out to Atrient, calling COO Jessie Gill personally to invite him to comment on the unresolved security vulnerabilities at Atrient, his assault on the security researcher, or anything else he wanted to say but he hung up the phone on me. I am reaching out to a number of Atrient customers (Caesars Entertainment, Hard Rock International and MGM Resorts International) to establish if they have had any notification of this security breach and vulnerability from Atrient, I will update this article when I know more from them on that.
I have also reached out to previous employees of Atrient through the Glassdoor employer review service where Atrient has some horrific reviews from previous employees. I will report back with any security related insight I get from them.
** I will be updating this article as the story develops.
*** UPDATE - We are trying to contact previous victims of Jessie Gill and will report back with any further comments from them.