Casinos, the FBI, security researchers… and how not to handle vuln disclosure
Like many white hat hackers, Dylan Wheeler admits that as a teenager he got his hands a little dirty and his hat a little black. In his case that meant eventually fleeing Australia from local authorities and the FBI after being accused of stealing more than $100 million-worth of intellectual property, including specifications for an Xbox One games system used to train US soldiers to fly Apache helicopters.
Slipping out of the country via the Czech Republic and now based in the UK, he turned to responsible vulnerability disclosure (helping identify security issues through “ethical hacking” and, if asked, helping to fix them) and does contractual security auditing work via his company “Day After Exploit Ltd”. The teenage shenanigans are behind him, he told Computer Business Review.
“[The Xbox issue] has been ironed out; I was a minor and it’s no longer active in the courts”.
Responsible disclosure, however, hasn’t been going too smoothly this week, despite his best efforts and some considerable patience.
The security researcher claims that he was assaulted on Tuesday by Jessie Gill, an executive from Atrient*, a vendor which makes digital loyalty reward kiosks for casinos, after trying to make a vulnerability disclosure.
Gill allegedly grabbed him and wrestled his conference lanyard off him. (The Metropolitan Police confirmed to Computer Business Review a complaint has been made). Atrient denies all allegations.
Wheeler says he had been trying, anew, to explain the severity of an Atrient vulnerability to its executives at the ICE gaming conference in London, when the alleged incident happened.
Wait, What? Rewind…
Wheeler and a fellow researcher had a bot trawling a search engine looking for an identifier for Jenkins servers, and instead found Atrient kiosks – connected to internal casino networks – communicating “home” in unencrypted plain text, with a connected API server that was also extremely vulnerable to injection of malicious code.
Among the Atrient customers potentially affected were big names like MGM.
MGM: “Thanks Guys, Here’s Some Swag”
As first reported on SecJuice: “These kiosks and the back end server communicate the personal details of their users and send data like drivers license scans (used for enrollment), user home addresses and contact details, as well as details about user activity, unencrypted over publicly accessible internet.”
“When the researchers discovered that the unauthenticated reward server was directly connected to the kiosks on the casino floor they realized that the API the kiosks used was wide open and extremely vulnerable to criminal abuse.”
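The two findings described above, personal data crossing the public internet in cleartext and an API that answers callers who present no credential, are exactly what a simple review of captured kiosk-to-server traffic should flag. The Python below is an added example written for this article; it is not Atrient’s code, nor the researchers’ tooling. The exchanges it inspects are constructed here, and the host name, endpoint paths and field names (such as “licence_scan”) are assumptions that say nothing about Atrient’s real protocol.

```python
"""Flag two classes of kiosk-to-server weakness in captured HTTP exchanges:
1. personal data sent over plain http:// rather than TLS
2. endpoints that return a 2xx without any client credential

The exchanges below are CONSTRUCTED for this example; they are not captures
from any real kiosk or vendor. Host, paths and field names are assumptions.
"""
from urllib.parse import urlsplit

# Body field names treated as personal data (assumption for this example).
PII_FIELDS = {"licence_scan", "home_address", "phone", "email", "date_of_birth"}
# Header names that indicate the client presented some form of credential.
CREDENTIAL_HEADERS = {"authorization", "x-api-key", "cookie"}

# Constructed sample traffic, one dict per exchange.
SAMPLE_EXCHANGES = [
    {   # enrollment POST over cleartext carrying a licence scan and address
        "method": "POST",
        "url": "http://kiosk-api.example.test/enroll",
        "headers": {"Content-Type": "application/json"},
        "body": {"player_id": 1001, "licence_scan": "<base64 jpeg>",
                 "home_address": "1 High St"},
        "status": 200,
    },
    {   # player lookup with no credential at all, yet the server answers 200
        "method": "GET",
        "url": "http://kiosk-api.example.test/player/1001",
        "headers": {},
        "body": {},
        "status": 200,
    },
    {   # what a hardened deployment looks like: TLS plus a bearer token
        "method": "GET",
        "url": "https://kiosk-api.example.test/player/1001",
        "headers": {"Authorization": "Bearer <token>"},
        "body": {},
        "status": 200,
    },
    {   # an unauthenticated probe correctly rejected over TLS
        "method": "GET",
        "url": "https://kiosk-api.example.test/player/1002",
        "headers": {},
        "body": {},
        "status": 401,
    },
]


def audit_exchange(ex):
    """Return a list of (finding, url) tuples for one exchange."""
    findings = []
    scheme = urlsplit(ex["url"]).scheme
    headers = {k.lower(): v for k, v in ex["headers"].items()}
    pii_in_body = PII_FIELDS & set(ex["body"])
    has_credential = bool(CREDENTIAL_HEADERS & set(headers))

    # Cleartext transport is bad on its own; carrying PII over it is worse,
    # so name the fields that were exposed.
    if scheme != "https" and pii_in_body:
        findings.append(("cleartext-pii:" + ",".join(sorted(pii_in_body)), ex["url"]))
    elif scheme != "https":
        findings.append(("cleartext-transport", ex["url"]))

    # A 2xx on a request that carried no credential means the server is not
    # authenticating its callers at all (kiosks included).
    if 200 <= ex["status"] < 300 and not has_credential:
        findings.append(("unauthenticated-success", ex["url"]))
    return findings


def audit(exchanges):
    """Audit every exchange; returns a flat list of (finding, url)."""
    out = []
    for ex in exchanges:
        out.extend(audit_exchange(ex))
    return out


if __name__ == "__main__":
    for finding, url in audit(SAMPLE_EXCHANGES):
        print(f"{finding:45s} {url}")
```

Run against the constructed traffic, the first two exchanges produce four findings and the two TLS exchanges produce none. The check is deliberately on the wire shape of the exchange, not on any vendor-specific logic, so the same audit applies to a capture from any kiosk that calls home to an API.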
FBI Brought In…
After repeated attempts to alert Atrient executives failed to draw a response, Wheeler and his unnamed security researcher partner set about reporting this via the most official channels they could, namely, the FBI.
A recording of their conversation on November 11, 2018, with FBI officers – including Chris Geary, an experienced Cyber Division investigator – heard by Computer Business Review reveals a patient Wheeler talking three officers through the finding.
As he explains in the recording: “It’s an unsecured server in the open. We stumbled across that which led us to an unsecured API server. You can look up player data, change settings in the configuration capacity. It’s sending plain text; completely vulnerable to injections. You can basically print money, or commercial credits if you were to exploit that. Every single kiosk is calling home to the vendor.”
“That’s a problem”, the FBI agent responds.
Atrient Vulnerabilities Still Unpatched…
The FBI – and the MGM, whose cybersecurity team responded with gratitude to being informed about the vulnerability on their network – helped facilitate a call with Atrient to discuss the issue.
In a call (recorded by Wheeler) that includes Atrient’s COO Jessie Gill and the FBI officers, Wheeler once again patiently tries to explain how bad the issue is: “The kiosks allow for promotional credits to be redeemed. Which is a big risk in that you could pretty easily inflate your account to be a ‘high roller’; redeem some rewards. Your programmers need a better security policy.”
Jessie Gill responds: “The information you’ve shared with us here is fantastic, we’d like to own this information. How do we make that happen?”
The FBI officers comment: “From the FBI side we’re very grateful for all involved in this.”
Atrient then asked the researchers to sign a non-disclosure agreement (NDA), while they in turn suggested they’d be happy to provide support and all vulnerability details for 140 hours’ worth of work (quoted at $400/hour for their time; approximately £150/hour each for the two).
(Atrient could, of course, at this point have simply hired its own pentesting/security audit team to cross-reference the claims and help patch them.)
Wheeler says Atrient then began to stonewall the security researchers, without the issue being fixed. No NDA was sent, an email chain reveals.
Wheeler decided to visit the ICE London conference and discuss the issue.
He claims he introduced himself politely as the security researcher they had spoken to on the phone on several occasions, when things went awry. He told Computer Business Review: “I went to shake their CEO’s hand and managed to introduce myself… they understood who I was straight away.”
“Their CEO just kind of sat there. Then their COO Jessie Gill stood up saying ‘we’re talking to the FBI and talking to Scotland Yard!’
“They said: ‘You think you can have our buddies harass us!’ I said – and I don’t – have any idea what you’re talking about. Then he grabbed at my chest and pulled me into him… saying he should get the FBI and Scotland Yard to get us… He grabbed my badge and said I’m going to keep this. So I grabbed it back. Then he started forcibly pulling at it to get it off the lanyard and put it on the table.”
Reached by phone, Jessie Gill told Computer Business Review: “There was no assault.”
“There’s an indictment against this guy… his mother went to jail. There is no vulnerability… these guys have no idea what they did and didn’t do. How do I explain it? I’m not going to chase something that doesn’t exist just because you think you have something. If you look at these people trying to do this… they’ve taken information that’s publicly available and twisted it into an extortion scheme. I’m not interested in the messaging they’ve put out there. There is no police report. We went to the police not them. There is CCTV evidence that there was no assault.”
A Metropolitan Police spokesman said by email: “[We] can confirm that police received a telephone report of an altercation at Excel, Western Gateway, Newham, where a 23-year-old male was allegedly assaulted by a second male who took the victim’s event lanyard. No injuries. No arrests. Officers from Newham Police investigate. Enquiries continue.”
Atrient: “False Claims”
Atrient emailed: “We have become aware of false claims regarding a security vulnerability relating to one of our products and an alleged assault. In November 2018, one of our product sales websites was subject to a brute force attack on a demo server which contained no personal data. The extent of the attack identified demo sites that our sales department engaged.”
“We were subsequently contacted by a group. This included an individual who identified himself as Dylan English, which we now know to be an alias, Guise Bule of secjuice.com, and an individual who refused to identify himself by a name. Shortly after being contacted, it became apparent that there was a financial motive for not publicising the allegations. The FBI is aware of this group.”
Atrient added: “On 6 February 2019 we received an unscheduled visit to the Atrient stand at the ICE conference in London from one of the ‘security researchers’. He was wearing a badge which identified him as Dylan Wheeler, which we believe to be his real name. After being informed that Atrient would not pay any money he made another false accusation, this time of assault, which an ExCel Convention Centre investigation has found to be baseless.”
They concluded: “This matter is now in the hands of the company’s legal advisers and law enforcement. It would therefore not be appropriate to comment any further.”
Meanwhile, Wheeler says, Atrient’s systems remain unpatched.
*Readers may notice Atrient’s website is also insecure…