The International Casino Exhibition (ICE) has been raging all week at the ExCel convention center in London, where an unusual row has erupted between a self-proclaimed ethical hacker and a market-leading vendor of digital casino rewards kiosks.
“White-hat” hacker Dylan Wheeler (the bad ones are called “black hats”) claims he was assaulted at ICE by the COO of Michigan-based Atrient, which is exhibiting at the convention and works with some of the biggest names in the casino industry.
Atrient says no assault took place and claims Wheeler and his group of security researchers have made “false claims” about the company’s IT flaws, demanding money. It even hinted the group was responsible for an attack on its servers in November.
Leaky Server was ‘License to Print Money’
So what gives? Wheeler — who as a 17-year-old got into hot water for hacking Microsoft and the US Army — has since resolved to use his talents for good, exposing security flaws that might be exploited by criminals, a practice known in the hacking community as vulnerability disclosure.
He told Computer Business Review that he approached Atrient last year after he and a colleague stumbled on an unsecured API server belonging to the company.
The server was “wide open” and completely unencrypted, according to Wheeler, which would allow anyone to change the details and to “print money” by adding VIP credits to user accounts.
Atrient lists among its clients MGM Resorts, Hard Rock casinos, and dozens of other commercial and tribal gaming operators.
Receiving no reply from Atrient, Wheeler went to the FBI, who facilitated several Skype meetings between all three parties.
That these meetings occurred, last November, is not in doubt because they were recorded by Wheeler and published online this week on information security website SecJuice.com following the alleged assault at ICE.
In one meeting, after hearing the hackers’ concerns about the server’s vulnerability, Atrient COO, Jessie Gill, says, “The information you’ve shared with us here is fantastic, we’d like to own this information. How do we make that happen?”
An FBI officer says, “From the FBI side we’re very grateful for all involved in this.”
The hackers claim they were promised a $60,000 “bug bounty” and agreed to work with Atrient to fix the problems and mitigate future risks, but that’s when the line of communication suddenly went dead.
Seeing that Atrient was exhibiting at ICE and that the security issues had not been fixed, London-based Wheeler thought he’d pop in to see them and ask what had happened.
“I went to shake their CEO’s hand and managed to introduce myself… they understood who I was straight away,” Wheeler told CBR. “Their CEO just kind of sat there. Then their COO, Jessie Gill, stood up saying, ‘We’re talking to the FBI and talking to Scotland Yard!’
“They said: ‘You think you can have your buddies harass us!’” continued Wheeler. “I said – and I don’t – have any idea what you’re talking about. Then he grabbed at my chest and pulled me into him… saying he should get the FBI and Scotland Yard to get us… He grabbed my [ID] badge and said I’m going to keep this. So, I grabbed it back. Then he started forcibly pulling at it to get it off the lanyard and put it on the table.”
Official Response Deleted by Atrient
But Gill told CBR over the phone there had been no assault and that Wheeler and his colleagues had “taken information that’s publicly available and twisted it into an extortion scheme.”
Atrient later released a largely unintelligible official statement via Twitter that mentioned “a brute force attack on a demo server which contained no personal data” in November and a “financial motive,” although exactly what it was alleging was unclear.
“The FBI is aware of this group,” it added.
Of the encounter with Wheeler, it said: “After being informed that Atrient would not pay any money he made another false accusation, this time of assault, which an ExCel Convention Centre investigation has found to be baseless.”
But the statement was apparently deleted after the recordings of the meetings between the two parties and the FBI were published online.
London’s Metropolitan Police have confirmed they are investigating an allegation of assault at ExCel, although no arrests have been made, a police spokesman said.