lottery vending machine hack

Cops: Lottery terminal hack allowed suspects to print more winning tickets

Terminals were manipulated to produce more winning, and fewer losing, tickets.

Dan Goodin – Mar 25, 2016 6:15 pm UTC


Six people have been charged in what prosecutors say was a scheme to hack Connecticut state lottery terminals so they produced more winning tickets and fewer losing ones.

The charges come several months after lottery officials suspended a game called the 5 Card Cash after they noticed it was generating more winning tickets than its parameters should have allowed. The game remains suspended. Investigators say more arrests may be made in the future. Almost a year ago, prosecutors in Iowa presented evidence indicating the former head of computer security for the state’s lottery association tampered with lottery computers prior to buying a ticket that won a $14.3 million jackpot.

Citing arrest warrants, here’s how The Hartford Courant said the Connecticut scheme worked:

An investigator for the Connecticut Lottery determined that terminal operators could slow down their lottery machines by requesting a number of database reports or by entering several requests for lottery game tickets. While those reports were being processed, the operator could enter sales for 5 Card Cash tickets. Before the tickets would print, however, the operator could see on a screen if the tickets were instant winners. If tickets were not winners, the operator could cancel the sale before the tickets printed.

Based on the bare-bones description, the hack appears to have exploited software weaknesses that not only delayed ticket requests while terminals were carrying out certain functions but also let operators know ahead of time whether a given request would produce a winning ticket. If this theory is correct, such timing and disclosure flaws should have been caught by developers and lottery auditors long before terminal operators were able to exploit them.
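The ordering flaw described above, as an added example (not from the article or from the lottery vendor's software): a constructed model of a sale in which the outcome is either visible while cancellation is still possible, or drawn only once the sale is final. `WIN_RATE`, the `Sale` class and its state names are assumptions made for illustration, and the terminal slowdown is not modelled.

```python
import random

WIN_RATE = 0.25  # assumed odds for illustration; the article gives none


class Sale:
    """One instant-win sale. commit_before_reveal selects the hardened ordering."""

    def __init__(self, rng, commit_before_reveal):
        self.rng = rng
        self.hardened = commit_before_reveal
        self.state = "pending"  # pending -> committed | cancelled
        # Flawed ordering: the outcome already exists while the sale is pending.
        self.outcome = None if self.hardened else self._draw()

    def _draw(self):
        return self.rng.random() < WIN_RATE

    def screen(self):
        """What the operator's display shows right now (None = nothing yet)."""
        if self.hardened and self.state != "committed":
            return None
        return self.outcome

    def cancel(self):
        """Cancellation is honoured only before the sale is committed."""
        if self.state != "pending":
            return False
        self.state = "cancelled"
        return True

    def commit_and_print(self):
        """Make the sale final; the hardened ordering draws only now."""
        if self.state != "pending":
            return None
        self.state = "committed"
        if self.hardened:
            self.outcome = self._draw()
        return self.outcome


def printed_win_rate(commit_before_reveal, attempts=4000, seed=1):
    """Share of printed tickets that win when every visible loser is cancelled."""
    rng = random.Random(seed)
    printed = wins = 0
    for _ in range(attempts):
        sale = Sale(rng, commit_before_reveal)
        if sale.screen() is False and sale.cancel():
            continue  # loser seen on screen and voided before printing
        wins += bool(sale.commit_and_print())
        printed += 1
    return wins / printed
```

With the flawed ordering every printed ticket is a winner; with the outcome drawn only at commit, the printed win rate stays at the game's configured odds because nothing useful is on screen while cancellation is still allowed.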

Promoted Comments

  • norton_I Ars Praefectus

Hmm, a little more detail about the specific game(s) would be helpful. In my experience, the terminals that produce lottery tickets can only do so for drawings that haven’t happened yet (think Powerball for instance). If this is the same or similar system, how could winning lottery tickets be generated before the drawing took place?

If I am to understand this article, it sounds like the winning numbers could be known beforehand and thus a winning ticket could be generated from that knowledge. However, this is moronic and I have not heard of a lotto system that worked in this way.

This is not for the big drawings where you pick numbers and then watch the drawing later. This is for instant winners, which are like scratch off tickets that have a modest chance of winning a small amount. I guess (I haven’t played) that they eliminated the cost of pre-printing the scratch off material and just have the lottery machine print a ticket that either wins or doesn’t, and that is what was exploited.

The game confused me as well. We don’t have that in my state.

Just Google 5 card cash. It’s supposedly based on a deck of 52 cards and five are picked randomly and printed. It’s like getting a poker hand printout. From there you can see if you have a winning hand.

I’m not sure if I’d call it a ‘Hack’ as the article states. Technically maybe, but it seems more like a weakness on the designers’ part (as pointed out).

Sort of like how a buffer overflow hack/crack is exploiting a weakness on the designers’ part. Seriously, something like a buffer overflow vulnerability is as much a design flaw as this is.

It’s a hack/crack as much as pretty much anything else gets called a hack, it’s just a resources+timing exploit one. Tricking a system, poorly designed or not, into using so many resources that you can employ a time sensitive exploit (apparently the system that displays the resulting purchase is run before the print-out, normally by a very small degree but amplified by this, and so long as a print-out hasn’t occurred the purchase can still be canceled) that otherwise wouldn’t have an adequate window to perform is certainly as much of a “hack” as anything else.

There is a difference between exploits and hacks. Hacks gain unlawful access to a system and can be prosecuted federally under the Computer Fraud and Abuse Act. Exploits cannot. There was a case involving video poker where something similar happened. The game was exploited but the “Hacking” charges were eventually dropped as they never gained access to the system. They still were charged with other things like wire fraud. I think something similar will happen in this case.

“Hacks” cover a far wider range of activities than those which fall under the CFAA. I can’t help but be amused that we’ve arrived at a point where now people are trying to use the CFAA as a definition of “hacking.”

And exploits can definitely be successfully prosecuted under the CFAA if they run afoul of its terms, which can be tricky to determine with the intentionally vague wording and how it is sometimes interpreted in court, especially in terms of authorization where you agree to not take certain actions in regards to a given computerized system (and are therefore “not authorized” if you do anything outside those bounds, as interpreted within the context of the CFAA).

Exploits can be hacks, hacks can be exploits.

Also, this could be construed to fall under the CFAA, under either section 4 or 5, without much more shoehorning than has previously been seen.

In this case, given the nature of the multiple steps to cause the ability to exploit the poorly designed order of operations, (e.g. first causing a resource constraint cascade) I’d still refer to it overall as a hack of the system. There are more ways to hack something than just from a command line.

In either case, it was fraud, so that’s that.
