Well, good afternoon. How's everybody doing? Good? All right. So for those of you guys that came in a little late, perhaps you're still expecting a talk about airplanes, something that probably would have been pretty controversial, right? Well, the airplane talk is not going to happen. The speaker could not be with us. And so luckily, though, we have something that is going to be completely non-controversial given where we all are, and that's a talk about cheating at poker. So we want to give these guys a big hand because not only is this going to be an awesome talk, but they stepped in at obviously the very last minute and they're going to put on a great show for you guys. So let's give Elie and Céline a big hand.

Bonjour. My name is Elie, and this is Céline. And today we're going to tell you about our DEF CON talk. For obvious reasons, we tried to keep it quiet before coming in. You can imagine why. So this is work we did with one of our friends, Jean-Michel, during our spare time. And so try to imagine if James Bond was cheating at poker, and I'm not saying he is, but try to imagine for a second. He would go to the lab, to Q, and he would say, hey, do you have, like, one of those insane, crazy gadgets, so then I can cheat and see all the cards? But, well, that's just a movie, right? And we only have, like, lame cheating devices. Well, a few years back, I was casually trolling the black market forums, the Chinese ones, and a post caught my attention. I don't speak Chinese very well, but it was about, like, a weird device, and the guy lost all his money, and he was warning people, and it was super high tech. I didn't quite understand what he was saying. I didn't understand it, and then when I tried to show it to one of my friends who speaks better Chinese, the post was gone, and I'm like, okay, I must have hallucinated.
It was, like, 2 a.m., probably not going to happen. And then it kept sitting at the back of my mind, and a few months after, I came across this post, which basically says, I'm not going to read it out loud, blah, blah, blah, yes, those devices, it is real. I don't know what it is at that point, but it is real, and people got ripped off in Texas, and a lot of people lost a lot of money, about 100K, and then a lot of people got ripped off, and then it killed all gaming for poker in Texas. And at that point, I'm like, well, if someone has it in the United States, then I probably can find it on the Internet. And sure enough, I was able to find the seller. As soon as I knew what to look for, I was able to find the seller, and the seller offered this for a bargain, which is only 4,000 euros, about $5,000. And the seller, with a 40% discount, right, he tried to make you a good price on this weird device, and that's all you get, this picture. And so this is a Romanian seller. Of course, I knew this thing was from China, because I read earlier the post on the forum, so we traced it back to China, and we were able to find the guy who built the real thing, who would hopefully sell it to us for a cheaper price. And so we identified the guy and got into contact, or a friend of ours got into contact with him, and we were able to get him to give us a device. And the guy was like, sure, I'll give you a good deal. I'll give you the device and a bunch of gizmos. Don't worry, it's only $1,500. Please wire it to me through Western Union. Yeah, and you're like, okay, that seems absolutely normal. I'm going to go to Western Union and just wire $1,500 to China. What can go wrong? Well, we did it. And then we waited. A lot. And when we were about to lose hope, a package arrived. Yeah, we're on. We have a talk for DEF CON. We didn't know it was working yet, but we felt pretty confident at that point. And so here's a demo of what it looked like.
I wish I could give you a better demo, but it's super small. So here's what it looked like. So I'm going to shuffle the cards. It's a fair shuffle, no sleight of hand, I promise. And so I'm going to deal two cards. I'm going to put a card, and... So... wait, what? Yeah. What the hell is going on, right? Something is reading the cards out loud? So has anyone of you figured out what it is? No? Okay, let's try again. As you see, the phone is gone, so we're going to try again. Shuffle, hold and... Yeah, it works, it really works, and it's what you see and what a poker player at the table will see. It doesn't miss, it doesn't misread, it's actually extremely effective, extremely accurate. So that's the story of this talk. We're going to tell you what the hell is going on, and we're going to tell you what we found out about it. So it's a device, of course. And so the device is this. It's a phone. Or it looks like a phone. It's here for those who can see it. It basically looks like a legitimate phone. We believe it's actually inspired by a Samsung Galaxy Core. If you compare the two back to back, it's almost the same thing. On the left side, you can see the Galaxy Core. On the right side, you can see the modified device. So they have a bunch of built-in security features, which make it hard to analyze. The first one is they send you the activation code separately, and there is no way to activate the device without it, so they're extremely careful, which actually speaks a lot about how professional they are. Right? Customer support as well. They have removed ADB and debug mode, so it runs on Android, but you cannot run ADB on it. You can't have any debug mode. And they also prevent you from taking a screenshot, by simply removing this ability, to make sure you cannot extract a screenshot of the poker player, or the poker video player analyzer, as they call it. Got it. So a few fun facts. Looking at it, it's a custom ROM, Chinese, 4.2.2.
It's also used in clone devices from Samsung. The cheating hardware is completely hidden from the UI. It's a completely distinct secret. You can't see it. You can't probe it. So if you don't know what you're looking for, it's just a phone. And so it's really, really resilient to, like, someone telling you you're cheating, hand over your phone. There is absolutely nothing to see. It operates like a phone. It can make phone calls. It has as many apps as you want. Your Facebook, Snapchat, all work perfectly. So it's really hard to know if it exists. And the funny story is we also found a lot of code which actually phones home to China. Not sure why they need that, so there may be a back door on the side. So how does it really work? Well, in a James Bond movie, it would work like this. First, this man would put his glasses on and it would just work magically. I wish it would work that well, but no, that's not how it works. The way it works is you have a pack of cards, and they're going to give you multiple options to get any type of card, including Bicycle from the United States, also the ones popular in China, Macau, Hong Kong, and so forth. So you choose the type of card you want, and they will mark them for you, and the device itself has a bunch of interesting electronics embedded into it. The first thing they have is infrared LEDs, which go with a black and white camera. So the infrared LEDs will shoot infrared light through the side of the device, because the side of the device is actually modified to allow infrared to go through. The infrared will illuminate the side of the deck, and as a result, what you will see is the ink is made to absorb the light. So you will see those black dot markings, and that's what the camera is capturing. So basically what they do is they use infrared absorption to mark the side of the deck. That's the basic underlying principle. Here is an exposed view.
So as you can see here, you probably don't realize it, but the device is on, and if you squint really hard, you can see three purplish dots on the top right, and these are the LEDs. And if you turn off the light, you see the LEDs. Because we took it with a camera with the UV filter off, or the IR filter off, and you can see clearly the three LEDs which are embedded in the side of the poker player, and so you can get an idea, it's very, very small. It's here. Impossible to know if you don't know what it is. So again, it speaks a lot about the quality of the construction and the professionalism of this kind of device, which really clearly shows this is not homemade or like a low-budget operation. It's industrially made, and they probably make a lot of money out of those. So here is an exposed view. So I tore it open, and what you can see here is probably an orange square. This is like custom hardware. They actually packed it into the phone. Here's a better view. So you have the camera as I mentioned, which is here. Then you have a custom chip which handles the AV, both the audio and the video, which is separate from the phone and then bridged back to the phone. And then here is the top view. You can see the three LEDs that I mentioned earlier, and you can see on the right side there are two dots which are basically the outputs for RF and Bluetooth, and we'll see how they've been used in a few seconds. And so all of those are connected to a simple antenna which goes around the back of the phone for a little better reception. So now Céline is going to walk you through what the user experience looks like and how you use the app that they actually embed into the phone.

Hi. Can you hear me? Ah. Can you hear me? Yes. So I'm Céline. And so I'm going to show you how the Poker Player application works. Okay. It's back. So this is a screenshot of the device where you can see the Android app menu.
And can you spot in this screenshot which app is used to control the device? I can't hear you. No. So the app used to control the device is this one, the game app. And so what you do is you click on the icon, start the app, and the first screen you'll see is the login screen. So the user name is hard coded, and there's only one. It's the admin. And so as mentioned earlier by Elie, the password was sent to us separately from the device. So you type in your password, click on the sign in button, and then you access the main screen, the main app screen. But don't worry if you forgot the password or you don't have the password. There is a backdoor password that we found out. So when you log in, the main app screen contains six options slash screens. So the first one is the game hall. It contains a list of all the game types supported by the device. The second one is purchase. It contains all the game types you already purchased. So that's the one you can use. The upgrade screen is used to buy more game types. Common game is the list of game types you purchased, with a small explanation about how the app will behave depending on the game type. System info is not relevant. It doesn't contain any useful information. And the last one is settings. It allows you to configure how the device will work. So this is a screenshot of the game hall. So as you can see, there are hundreds of game types that cover a lot of use cases. So this is another indication that the people behind this device are running a real, lucrative and professional business. So now if you want to use the device to cheat, you go to the purchase screen. On this screen, on top, you can see that we have three credits, and we used two of them to buy two game types, and we have one remaining credit. Notice that there's poor spelling in English. That means this device is mainly targeting the Asian market.
And they didn't spend a lot of time on the English translation. So in our demo, we use the second game type, that's the number two, read the card directly. So it's going to read the card directly. So you click on it, and then the app is going to show you the settings screen. You can configure the number of players. You can configure input and output methods. Elie is going to detail those methods. You can also configure the device to repeat continuously the reading of the card or just do it once. So if you want now to use the device, you just hit the start button on this screen, and then you get the main game screen. So what you can see on the top of the screen is a live capture of the hidden infrared camera here. And so when the cards are face down on the table, the back appears on the left part of the screen, where the up symbol is. Below that, you can see how many players are playing. You can see what game type you use. So we use the 1016, which is the read card directly. Just below, you can see if you are using any haptic feedback devices and what their status is. And finally, the important information is the result of the reading. So there are two players. The app is reading that the next two cards on the top of the deck will be six of hearts and eight of diamonds. So now just a few fun facts about the app. So we found out the backdoor password. So this password, when you have it, you can access any device. And by analyzing the game app, we found out that the interesting part of the code that controls the input and output devices and does the card recognition is not in the app. It's in a kernel module. So now, Elie is going to talk about how the card marking is done.

ELIE BURSZTEIN: So I just showed you that the app reads the marking, but the key question is how those markings come onto the card in the first place. Because obviously, if you were to have a bad deck or a deck which doesn't feel legitimate in the hand, people would be suspicious. Right?
Again, this is for real cheating. So what they do is when you order this device, they ask you which type of card you want. I ordered Bicycle because that's the most common one we use in the United States. And that's what you receive. As you can observe, it's wrapped up. So if you were to actually hand it over in a poker game, it would look like a normal deck of poker cards that hasn't been opened, with the seal still on. So how do they get the cards in? What happened is they opened the deck, obviously, for marking, by opening the bottom of the box, and then resealed it. But when you open the deck, if you don't remove the transparent sleeve, then you won't see that. So that's very clever of them. And then you have the cards. If you manually inspect the cards, and if you want to look at them up close, you're welcome to after the talk, it's really hard to even feel it or see it. They're actually really, really regular Bicycle cards that they probably bought and then marked. And so as Céline mentioned, the only difference is under infrared light, you would see the marking. So the regular card appears like this on the right side, which is basically just blank. Whereas the marked card has this absorption ink, which makes those dots. Each card suit and number has a distinct pattern, which repeats multiple times over the card for redundancy and because they don't know what the angle is exactly. They want to be angle-proof as much as possible. We even found devices which are more expensive, and we would run out of money, which have two cameras, one on each side, to actually increase the angle of vision to make it more robust. And so you have something which... And then you have short black, long black, and then basically zero and one. And that's how they mark the card. And then they have a bunch of functions. Here's one where basically the upper digits of the number are for the color and then the lower digits are for the number.
This is why they will always say diamond or heart six, club four, because they first read the suit and then they read the value of the card. But short of that, I mean, no device... No James Bond device would be complete if it doesn't have a bunch of bells and whistles. So let's look at how you actually interact with the thing, right? Because even if you have it, it's really hard to use by itself. So they bring you a few things. The first thing they have is a remote, and the remote will do two things for you. A, it will allow you to change dynamically and silently the number of players at the table because people can come and go, as I see people leaving the room. Bye-bye. And then the other one is the sound on and off. So assuming that people are talking to you, you don't want to get caught, you can turn off the poker player. We looked into it with Jean-Michel, and it's basically a standard 2FSK modulation. There are three commands, one for the sound on and off, one for incrementing the players, one for decrementing. It's on the 800 megahertz frequency, so standard RF, really easy to jam, really easy also to impersonate, so you can probably change the volume at will if you know there is one in the room. And then in the app configuration, you can obviously choose between the speaker and the headset. So the headset is composed of two parts. The first part is this thing, which is a remote, and so the remote has a volume button, which is to increase or decrease the sound of the earpiece, and an on and off button. Can anyone of you guess what the lanyard is for? Come on. Be creative. Nope. It's just to hang it on your neck, sorry. So yeah, that's the necklace. And so what it does actually is this is connected to the phone over Bluetooth, but the earpiece you have in your ear is so tiny, they couldn't fit the Bluetooth emitter, so this thing basically is a bridge, which will do Bluetooth to the phone and transfer it into RF. So you have analog RF.
So again, very easy to eavesdrop on with any SDR, if you know what to look for. And it's very, very tiny. It has a tiny battery, and when you have it on you, it's virtually impossible to tell. They also have another cool, very cool device, which is a haptic feedback. So the idea here is, again, a Bluetooth P4. It's called a P4 one, and you saw on the screen before that it's disconnected or connected. And what it does is it has a bunch of vibrators that you would put either on your arm or on your leg, and each of them will vibrate to tell you who is going to win, who is the second one, who is the third one, and so forth. So it will ring in sequence, and so you can have this haptic feedback if you don't like to have an earpiece. Hey, I think they have a lot of customers, so you know, they try to accommodate everyone's needs. For those who don't really like that, they even have the sneaky display idea, where basically what happens is when you read the cards, it switches the minutes and the seconds to the first winner and second winner. So you can just look at the time on your phone, and you're like, oh, yeah, all in. The funniest part of the device was the wireless camera. And so you can activate the wireless camera again from the UI, and it comes packaged as a car key. There are many, many other options for you. They also offer watches, a belt, a shirt, and a bunch of others. We got the car key one because it was easy. It's easier to tear apart. And so the car key looks like this. It looks almost like a real key. Again, here's an exposed view of how it works. So now that you know how it works, here's a view of when you use the car key. You put a deck in front, and then you can see on the app reading it. So you see it, and you see the deck going back and forth on the screen of the phone. And so you can do it again. An interesting quirk that we found. That's a good one.
As you can see here, they call clubs plump because it's a literal translation into English. So we bet that it's just like translating with any bad translation software, and it's like, well, it's plum. It's actually club, but oh well. But that's one of the funny quirks about it. And so the key, again, has the same principle. They have LEDs behind the plastic, which will let the infrared go through. Here's an exposed view. This time you have two LEDs, and the camera is just next to it. So here's when I tore it apart. What you see is the hidden camera on the left side, the battery. They give you two. This thing sucks so much power that I was really surprised when I looked at the device. There was a ton of background noise. I'm like, what the hell is that? It's called MTK heat. I'm like, what the hell? Thermal. Sorry. I'm like, what the hell is that? And then I looked it up, and basically they have a kernel module which checks the temperature of the phone and will shut it down before it explodes. So you know, they just don't want you to die. But this thing basically is so power hungry that they had to put this system in place. And the same thing happened for the key. The key got really hot, and a battery which is an 800 milliampere battery would last you probably 30 minutes. So you have another one. So you go to the bathroom, open the key, plug in the battery, and you go back right to the poker game every 35 minutes. That's basically what you have to do. Here's the exposed view. You see, again, the camera. You see the camera, the two LEDs, and they all attach. You have a small antenna, and you have an MCU 1851 which controls it. We were able to find it online, except there is no data sheet. So we had to basically do guesswork when we were looking at the transmission. And so we were using a software-defined radio to actually try to understand how this thing works. It was transmitting images, and the idea was, can we jam it? Can we replace it? The answer is yes to both.
Actually, it was really hard for us because we realized this is not digital. It is literally an image. And so we were looking at that image in the 2.4 gigahertz band, like Wi-Fi. And we think it's PAL or NTSC, but we're really bad at it. I mean, neither Jean-Michel nor me are really good at it. We are more accustomed to doing it digital than analog. So it was really a surprise and really hard for us to figure out how to do it. But yes, with a normal SDR, you are able to jam the thing and to replay images at will. So you can clearly defend yourself against this thing if you play poker against someone cheating by just jamming the poker player. If you don't like Volvo, again, they actually offer you a nice option to customize. Attention to detail again. Okay. So that leaves us with a few open questions that we don't have a good answer to. The first thing is this is the most sophisticated cheating device we've ever seen and we've ever heard of. And it begs the question of how they created it. And it's a lot of work, right? You have to rehouse a normal phone, add a lot of electronics, do a lot of programming. I mean, they have a kernel module in C which does image recognition and manages multiple peripherals. And we don't know if it's a tech which has been used before by casinos. We heard, if you look it up, some casinos had this technique in the 1980s, 1990s of having some sort of camera to catch people doing card counting. So maybe that comes from there. Or they actually built it. And in that case, there is a larger market that I don't know of. But it's really interesting to know who might be behind such a device. The second thing is we don't believe it's actively used in casinos because casinos have professional dealers. So it's really hard to use those kinds of decks. We believe it's not. Maybe it's more for backroom playing or among friends. So it begs the question of who is buying it and who is basically ripping off whom.
And finally, interestingly enough, it's not like you can really go buy infrared ink at Office Depot. It's like, oh, can I get some infrared absorption ink? And they would look at you very funny. There are only a few places which actually sell those. So how they got their hands on it and how they created the marking process is something we don't have much of an answer about. So a few takeaways. Yes, the device exists. It's really hard to find. But actually you can get lucky and get one. It's pretty expensive, but you can get one. Crimeware can be super sophisticated. We have heard at DEF CON again and again about the NSA playset. But apparently the mob bosses have, well, the equivalent. We haven't looked at it just yet. And finally, it did require a lot of skill sets to be able to actually prepare this presentation. We had to go from hardware analysis to software analysis to RF analysis. So we want to basically acknowledge and thank our co-conspirators, who only want to be named by their surname. Pixel helped us with the hardware analysis. And Vivi was the person who was able to get it out of China. So a big thanks to them. So thank you very much for attending. I know that was not the talk you expected. But thank you. We will happily take questions if you have any. And if you want to know more, we're going to post the slides online; just follow us on Twitter. And we'll make them available. Thank you.

Very cool. Thanks, man. Very cool. Congratulations. That was wonderful. If everybody could please not, if you're walking out the back door, stop that. Please exit out these doors towards where I am pointing. To your left.