PTR Security Alert: Cereus Poker Network
This article serves as a companion article to the security advisory PTR has released which is viewable at: PTR Security Advisory: Cereus Poker Uses Weak Encryption. It is intended to explain the severity and implications of this security risk to the broader non technical poker playing audience.
Overview
PokerTableRatings has discovered a critical flaw in the Cereus Poker software which affects both Absolute Poker and Ultimate Bet, allowing an attacker to hijack victim’s poker accounts and display their hole cards in real time. We have alerted the Cereus Network to this vulnerability, providing them with source code necessary to demonstrate the problem. We hope our e-mail and this bulletin are sufficient motivation for them to fix the problem.
We have no way of knowing if this exploit has been discovered and used to steal from Cereus users, but it seems unlikely. It is our hope that this information will allow Cereus users to protect themselves.
The issue in general terms is that rather than using industry standard SSL encryption Cereus has used a custom form of encoding (not encryption) which can be cracked using the windows calculator.
For interested readers we’ve explained the vulnerability in as non technical of a manner as we could below, otherwise you can skip ahead to the section entitled “Risk Levels for Players.”
Cereus Poker has responded to our communications with them about this issue. You can view these communications here.
Proof of Concept
Explanation
When logging into a poker client on your PC what is actually happening behind the scenes is a connection is established to the servers owned and operated by the poker network. This connection is used to transmit all data between your PC and the servers, including sending your username and password, betting actions, and your hole cards.
This can be thought of as a conversation between your computer and the poker network, which might go something like:
PC: I’d like to play poker my username is bob and my password is 123456 Server: You are logged inOr:
Server: A new hand has started at your Table 1 PC: Ok Server: Your hole cards for Table 1 are Ac Jh PC: Ok
On all poker networks this data is encrypted in a manner that would prevent any intercepted data from being used to gain access to your account, or steal your hole cards. This means essentially that the conversation is obscured to prevent eavesdropping, so that someone listening in cannot “hear” your password.
Almost every poker network uses some implementation of the SSL protocol, which is the same type of security mechanism that everyone from banks to government agencies use to secure their data. There are several freely available implementations of this protocol including the open source OpenSSL . SSL is the industry standard, and is generally regarded as best practice for encrypting network transmissions.
The problem is that the Cereus Poker network does not use SSL to encrypt their communications; they use a custom form of encryption which is XOR-based. This form of encryption is known to be extremely weak, and in fact their particular implementation makes it particularly simple to decrypt network data due to an easily discoverable key.
In fact, the encryption that the Cereus Network employs isn’t so much encryption as it is encoding. To see how simple it is to decode this data, simply open up your windows calculator and set it on scientific mode. All that is really necessary to decode the data stream is the XOR button .
The requirement for this vulnerability to be exploited is network access. This means that if you are playing on an open wireless network, a cracked wireless network (something which is increasingly simple to do), or on a physical network which has been compromised – an attacker could dump the network traffic and exploit this vulnerability maliciously.
Implications
The implications of this vulnerability are that Cereus Poker accounts can be compromised and have their funds stolen and that an attacker could know the hole cards a Cereus Poker player is dealt in real time, then presumably exploit this knowledge to have an advantage against them at the poker tables.
This attack can either be directed, in which a person who is known to play on the Cereus Network is targeted and exploited – or passive in which an entire network’s traffic is logged and communications to the Cereus Network servers are decrypted.
Wireless networks are particularly exploitable due to the ease with which they can be compromised without having physical access, only proximity to the victim. Indeed in many cases they won’t even need to be compromised because the wireless network is not encrypted.
Physical networks are also vulnerable to a variety of attacks, especially if the physical network is on a hub (instead of a switch) which allows an attacker to passively observe all network traffic. However a physical network can also be compromised by any network hops between a victims’s PC and the Cereus servers. They are also vulnerable to an ARP cache attack which can fool their PC into sending all network packets to an attacker’s PC which would then transparently relay the information to the router – resulting in uninterrupted internet access for the victim.
Testing
In our lab, using a dummy cracked wireless network, we’ve been able to successfully hijack our own test poker accounts without being connected to the network the test victim is playing on. We’ve also been able to observe hole cards as they were dealt in real time from a test victim, using the same mechanisms.
All of our tests were done in a lab environment, using cheap commercial grade hardware. There is some custom software involved in actually logging in a hijacked account, and decrypting the hole cards. The source for all of the testing totals less than 500 lines. The wireless network cracking and snooping was done using freely available open source software.
Risks Levels for Players
The below chart attempts to quantify the level of risk a player has of being victimized in each type of networking scenario.
| Network Type | Risk Level |
|---|---|
| Public Unsecured Wireless | Severe |
| Public Secured Wireless | Moderate-High |
| Public Wired | Moderate |
| Home Unsecured Wireless | Moderate |
| Home Secured Wireless | Moderate-Low |
| Home Wired | Low |
- Unknown wireless network in college dorm called “Linksys”
-
- Public Unsecured Wireless
-
- Severe Risk
- Starbucks or airport wireless, requiring login
-
- Public Secured Wireless
-
- Moderate-High Risk
- School computer lab, plugged in
-
- Public Wired
-
- Moderate Risk
- Home wireless network called “Linksys” or “netgear” not requiring key or using WEP key (10, 26, or 58 digit hexadecimal number sometimes generated from a user passphrase)
-
- Home Unsecured Wireless
-
- Moderate Risk
- Home wireless network requiring WPA2 key
-
- Home Secured Wireless
-
- Moderate-Low Risk
- Home wired network
-
- Low risk
*It is worth mentioning here that a player who can be specifically targeted is at an unquantifiable but elevated level of risk.
Suggestions for Players
The biggest step a Cereus player can take to protect them is to simply stop playing on the Cereus Network until these issues have been resolved. There is no way of being 100% secure at the moment. The below suggestions are precautionary and are no way guaranteed to prevent exploitation.
If a player chooses to continue playing on the Cereus Network while the network is still vulnerable, they should at minimum plug directly into their modem. This will prevent anyone on the network from exploiting them. If a wired network is not an option, the player should make absolutely sure their network is encrypted using WPA2 encryption.
We absolutely advise against playing on any unknown or public networks –especially wireless networks.
We also recommend against a player revealing that they play on the Cereus Network until these issues are resolved, so as to avoid making themselves a target. Suggestions for Cereus Network
In order to properly resolve these vulnerabilities the Cereus Network should upgrade all of their network communications to use the industry standard OpenSSL library which is freely available at http://www.openssl.org/. When implementing the SSL changes you should be sure to validate your peer certificate so as to prevent an SSL man-in-the-middle attack.
We would also recommend that the Cereus Network undergo a real and impartial security audit. We’re happy to lend a hand in whatever way we can in this regard.
Synopsis
In summary, there is a critical vulnerability in the Cereus Network software which makes it possible for an attacker to hijack poker accounts and view hole cards. The only 100% protection is to stop playing on Cereus Network until they upgrade to using SSL. To our knowledge there are no cases of this vulnerability being used to exploit actual players. PokerTableRatings.com created test accounts for all proof of concept testing done during the discovery of this vulnerability. We do not have passwords to any unauthorized user accounts. The Cereus Network has been notified of this vulnerability. We will continue to report on this as it develops.
Update 2010-05-06: Cereus poker has responded and appears to be taking these flaws seriously, read response here: http://www.pokertableratings.com/blog/2010/05/cereus-poker-security-response/
Makes sense I quit playing on those sites, and I ain't playing there no more after this insight
lol
how would they know which table the player is at? is there a way to read that also?
Great work.
UB and AP have always been vulnerable to outside and inside cheating. They lie, decieve and cover up. You can see players mucked cards in some games too. I don't understand why people are still playing there.
great work PTR
LMFAO the second major scandal to hit this site after potripper. surely this should finish them off now ?
UB money for Stars anyone?
no wonder they say this on their websites first page, "The popularity of our software is no secret, but that doesn’t mean we’re satisfied."
I think this is a completely unfair and slanderous allegation, if your uber techies found a flaw, why couldnt they produce an example showing an OPPONENTS hole cards? I mean ya, perhaps a very remote possibility someone with access to your network would be able to get something, but how realistic is the threat? I think its un-cool for your website to make this front page news when you couldnt even provide 1 example of exploiting another player.
lol Carpe. That was an OPPONENTS hole cards. Reread before you make a fool of yourself.
If you live in an apartment and you've known the guy downstairs plays at UB and you have the knowledge to do this, you're getting his hole cards.
My only problem is that posting this pretty much ensures somebody will try to do it now. People who don't read PTR (and that's a lot of people) are now in danger when they weren't before. Why not just send this to CEREUS and then write an article about how PTR saved the day later?
Russ Hamilton Fallout Faction is responsible IMO.
@iammojay
Because cereus has proven itself to be a "bit" slow concerning these matters. Better to inform the public now.
Were the researchs paid by Stars and Tilt?
hmmmm looks like they wont let u open absolute any more.. and it say that 21k players are playing... if ptr could find out how many other people do u think known this for quite some time now and havent said a damn word. peace out ap and ub.. getz at me
CHECK OUT XBLINK! HENCE THIS IS WHY HES UP
Good Lookin' out PTR. Thanks for the story!!
Ya this is not fair at all for UB. Fuck on the front page...really?
lol @ not being fair.
It's not fair for all the customers of UB that they have likely been vulnerable to playing in a rigged game for a long time (years?). This is unimaginable incompetence to not use industry standard encryption on the connection between client & server.
ty ptr.
that video shows nothing im pretty sure right? lol
@spiderman123 are you ignorant?
o no xblink shud start withdrawing ha
Doesn't surprise me. I use to be able to make the person to my left or right not be able to see there cards in sng's. Like 8 years ago. Also use to be able to get sng refunded by un registering right before the start of the torny. Seems like they still haven't got all the flaws worked out.
And this is why i play mostly live :)
Good work PTR. Certainly not surprising to me that "Cereus" is being exposed as a shady organization. (for what, the 3rd time now?)
the video shows that a different computer having nothing to do with the logged in account can access info
Will take AT LEAST A MONTH to properly implement and test new security, closer to truth is to say it will be implemented in like 3-6 months. Take your $ out if you like your $!
that s so scary. I ll nver play again on this room.
I think the lower stakes are still safe, just because if someone is able to crack the encription code he wouldn´t play 50NL.
great work, this site should be banned after all what happend in the past.
Umm...someone has to hack into your local network in order for this to work. And you guys are freaking out like this will effect everyone. I think not.
"I would also like to emphasize to your readers that this issue would require someone to have access to their local network and also have the technical capabilities to crack our encryption in order to gain access to the player data and see the clear text like you did in your demonstration."
THE FACTS STILL STAND THAT NO OPPONENTS HOLE CARDS WERE REVEALED. For crying out loud, you could PEEK THROUGH SOMEONES WINDOW and see their holecards, prob be alot less work than taking a month to actually find the means to calculate it and sniff out someones network.
The bottom line is they def should have SSL encryption, and they prob will here soon, but for you all to cry bloody murder is just being gullibale, This is far from some security scandal that PTR is making it out to be by making this front page news. Shame on u.
I believe that the high rollers should be worried about this. Now, I totally understand that AP has a dark past and this obviously does not help them at all. THey now MUST use the SSL encryption and they should have to try to compensate all players somehow. I know that someone needs to have access to your network and so on. But the fact, that there is a way to crack the network is UNACCEPTABLE!!. We put our money here and I strongly believe that we have the right to get some sort of compensation. If not, Its time to search for other sites my friends.
sorry I've seem to have jumped to conclusions, ignore my post @ 12.33 am
but still:
any decent IT guy that works for your internet provider or any provider up stream between you and Cereus couldsniff your traffic and hack you.
SUPER SUPER FISHY BY PTR
"And this is why i play mostly live "
the table you were playing at probably has a hole cam. lol
well they had to say something to draw the attention away from the fact that they are gonna start charging for searches
Carpe, I don't think you are grasping what the guy is doing here.
Was this only concerning the Absolute poker client or more sites???
time to play heads up :D
Warning the public about something that even PTR admits was almost definitely not happening doesn't make sense. After this report, of course somebody out there can figure it out...it's practically laid out on the video if you know how to crack the encoding. In all fairness, it's still very unlikely somebody is going to get their particular account hacked. The person doing the hacking would need to know where you live, where you have accounts, and when you are going to play. And of course they need to get close enough to retrieve the signal with two computers so they can sniff the signal and play at the same time. It's incredibly unlikely, and almost ridiculous to think somebody had done this prior to now. So again I ask, why are we know giving a guidebook to knowledgable hackers on how to rip somebody off when there was no actual need to 'protect' us in the first place? It IS irresponsible, even if CEREUS does deserve criticism for not using encryption.
anywhere there is large sums of money there ius corruption. Anywhere. Some forms are just more socially accpeted than others. Other forms become socially accepted. You would be naive to think that ultimate bet, cerues, Absolute poker, Full Tilt are the ONLY sites to cheat players. Online casinos are meant to make money and whether its the programmers subutly increasing the variance to control the vast majority of money leaving the site or workers/cheaters exploiting the flaws through the back door of a software encrytion the fact of the matter is this will always be a ciclical pattern of cheat happening in some form or another. Like seriously guys for those of you who keep defending sites like this and any site in general shake your freaking head. I mean we are lied to by our own governments everyday involving matters that they ARE held accountable for like health care or invading other countries. What the hell makes you think OFFSHORE casinos who govern themselves, audit themselves and punish themselves would never NEVER try and gain the most minimal edge to make profits.Lets get real here. I am drifting off base but the fact that ONCE a company does this there should be no second chances but some knuckleheads are defending and this is the third time. I would sure like to sell them some insurance....Mkae me rich real quick. Thats all I am not gonna hate on all the other bs that goes on online it really does no good.
The only reason UB uses a different encryption method is so they can let power users see that exact information. I not worried to much about wireless networks been hacked but what this does expose is that information can easily be accessed from other users.
A while back internal staff at UB/AB were using power user account to see hole cards obviously this has not stopped just google Russ Hamilton.
To PTR... Isnt your program just the same as any bot type of program or holdem manager that can see and read your whole cards in real time... Your video shows your program displaying your own hole cards, umm big deal there are loads of programs that can do the same thing on atleast cake ub full tilt ect... So how does this show anything special.. The only way this is possible is to have you computer it self hacked, obviously through your internet. So having your computer hacked is bad in general specially if you play poker.. I dont see anything diff between ub ap full tilt cake ect... Maybe you could be more clear and show a video that display someone elses hole cards..... thanks...
Hey guys few things:
1) We have no idea whether or not the flaw is being used to hurt players, we think the chances are slim - but there is still a chance, and we therefore have an obligation to let the public know. This is fairly standard as far as reporting software vulnerabilities go, you tell people so they can protect themselves.
2) The video shows us pulling hole cards from the air, not a specific user account's hole cards. They aren't "our" hole cards, they are just the ones that happened to be flying by in the wireless data. The attacking computer doesn't know anything about the account playing poker, so if someone were in the next room or house over playing cards - I'd have gotten theirs as well. That is the vulnerability.
Well that and we can grab logins too.
Cereus seems to be taking this very seriously, the COO has issued a statement: http://www.pokertableratings.com/blog/2010/05/cereus-poker-security-response
this cant be happen on a big site as pokerstars or fulltiltpoker
This cheep sites are located IN SAN JOSE COSTA RICA in rhomoser boulevard 400 blocks south< for legal actions
Unbelievable that another security issue would pop up with this network after the scandal with Hellmuth getting shipped the pot after he lost the hand. I'm definitely going to close out my account on both of their sites. Thanks PTR for going above and beyond to make sure that the poker community be made aware of security issues such as this.
i joined ultimate bet after the pot ripper scandal my brother said i was mad. After PTR has opened this can of worms im gonna have to agree with him.
So if i understand this correctly somebody has to be in range of another person playing at these sites in order for this exploit to work? I dont see how anyone can use this exploit than unless they know exactly if someone in their neighbourhood is playing at these sites and knows when they play. And even than most players play at 6 tables or full ring tables. you would still not know what all the other players where having for cards. Also these sites can track someone who is dumping money what something like this would look like if you constantly loose without winning a single hand against someone else.
@qwerty
you don't understand it correctly, read again
I know UB has had a checkered past with security, but I think I need to call out PTR on this one. Playing at home on a WPA2 secured network is a moderate-low risk? Total rubbish. Forget WPA being compromised, yes it's possible, but somebody with the knowledge and equipment to do it has bigger fish to fry than some suburban house, those people target large banks and are interested in trade secrets and credit card numbers, not $100 in a poker account.
If someone has access to your home network they either broke your WEP encryption or they infected a comp on your home network with some malware from the internet. The people capable of breaking wireless encryption are few and far between. Yes it's fairly straightforward, but not many people are willing to spend the time and effort to learn how to do it and get the necessary equipment. So you can write that one off(although you should be using WPA as it's easier to use as well as being more secure).
If your comp has malware, everything on it is compromised already, web banking, online shopping, they probably already have your credit card details, who cares about your poker account? A keylogger will get your login details and a simple app like vnc will get your holecards in realtime no problem.
If you run a wireless network with no encryption at home then you are foolish, but tbh you would also have to live next to someone with good knowledge of networking theory. 'Some guy next door' isn't going to cut it. This exploit is simple if you know about TCP/IP and wireless packet sniffing and be malicious. Most hackers are just fooling around, not looking to cause trouble, and even then, they are very rare. Having said all that, _all_ wireless networks you control should be running on WPA unless you have a very good reason, a good enough reason to warrant having your identity stolen.
The fact is, many things are vulnerable if your network is compromised. It's quite easy to fool a user into giving you his login for most websites/forums etc... once you have local network access. Also, it's a lot easier to then compromise his/her machine with malware, at which point it's game over as I mentioned above, bypassing the need for a fancy vulnerability like above.
This vulnerability is only a problem for people who feel the need to log into sensitive accounts on open public networks. Would you feel comfortable doing web banking on an airport's wireless network? The risk is similar to this vulnerability above in that you shouldn't use/login to important stuff on open networks, it comes down to common sense. If you don't have common sense, this vulnerability is a problem for you, if you do exercise common sense then you have nothing to worry about.
As for "However a physical network can also be compromised by any network hops between a victims’s PC and the Cereus servers." it takes the bisciut. Clearly just trying to scare people with little knowledge of computers. Yes this is true, but unless you can walk into a major ISP which happens to carry all of the victims traffic(very unlikely) and jack into their core routers and then run packet filtering software and feel you can get away with it then you have nothing to worry about. The core of the internet is pretty safe from eavesdropping, partly because there is so much traffic so you need expensive hardware to filter packets and partly because you can't just jack into core routers, they are behind locked doors. Your home network is the point of failure, you can safely assume the internet itself is secure from eavesdropping.
In a nut shell, this exploit poses the same threat as having your identity stolen online. If your home network is compromised, so many other things are already fucked you won't care about your UB account. You probably won't be able to use your computer anyway because it will be riddled with spamming software.
Props on finding this vulnerability, but the scaremongering is fairly unacceptable. It isn't a major problem, it really only affects a very small minority of cases where people are being stupid and a pretty knowledgeable hacker just happens to be very close by.
Before anyone asks, I'm not affiliated with Cereus. Even if I were, everything I just said is true, look it up yourself. I just know a little about wireless and wired network security and when I see scaremongering of non-technical users.
Teflon19, you should post this on 2+2 in the News Views and Gossip thread. Maybe quell the hysteria a bit.
If they were passing your hole cards and login information in plain text, would you be a little more concerned? Well the cypher method they are using is only slightly better than plain text. The bottom line is that absolute and UB made all these claims about how secure their software is, but yet they don't even implement SSL which is the internet standard. If any online banking site did not use SSL, it would be laughable. This is no different.
Have to agree with JohnAnthony. OK it might be hard for someone to hack in or whatever, I don't even understand or care to understand what you have to do to see someones hole cards. What I do know is it seems easier to do it at AP and UB than any other site, as all other sites use the same security as online banks use. One would think after all the cheating scandals these sites have been involved in they would use the industry standard security at a minimum. Teflon says a run of the mill type person can't access or use this security flaw and is probably right, but the superusers that used to work at these sites weren't just everyday people either. Is this just another way for employees or owners to cheat? Who knows, but you would be very naive to rule it out. I would expect cash outs to be slow for a while.
PTR, stick to datamining.
@ Teflon
Really isn't a major problem??? Are you serious? You left some things out of your "expert" analysis. How bout internal employees/contractors/vendors that already have access to the Cereus networks? Wasn't it an internal employee who exposed the AP flaw a couple of years ago? How about the security of the rest of the Cereus network infrastructure, if they made a mistake like this (assuming it wasn't done on purpose) what else did they screw up. To think that this is not an issue is naive, the fact that you would come make a post like this means you are either someone who really doesn't have a good understanding of security concepts or you work for AP/UB. High stakes on AP/UB will be dead after this for good reason.
Absolute BS on PTR's part, its a remote security issue and they post it on the FRONT FING PAGE to make themselves look good at the expense of Cereus. Pret Uncool
"Your home network is the point of failure, you can safely assume the internet itself is secure from eavesdropping."
This made me laugh. If the internet is so safe then why do we have encryption at all? Hey lets all do our banking on non-secure sites because the internet is safe...
"As for “However a physical network can also be compromised by any network hops between a victims’s PC and the Cereus servers.” it takes the bisciut. Clearly just trying to scare people with little knowledge of computers. Yes this is true, but unless you can walk into a major ISP which happens to carry all of the victims traffic(very unlikely) and jack into their core routers and then run packet filtering software and feel you can get away with it then you have nothing to worry about."
So what about all the hops on the Cereus physical network? Wouldn't this be an attack vector as well? And the one that posses the most risk? If I was a hacker with criminal intent why would I try and compromise my neighbors machine and see 1 guy's hole cards when I could potentially compromise the Cereus network and own everyone. Wait let me guess, Cereus does a great job at securing it's network right? Wasn't this the attack vector that was used when the AP internal employee used a flaw to win over $400K in a few months?
xblink tho
With all thats happened with AP/UB why is this site still running? It should be shut down!
The point bing that they have had problems before. Why the heck would they pull this kind of stuff again. It is good information no matter. If you are serious about your online poker you should be concerned about this type of problem.
THE TRUTH IS THIS ONLINE POKER AT ANY STAKE IS NOT REALLY SAFE,AND THOSE OF YOU THAT THINK TILT AND STARS ARE 100% SAFE, NEED TO WAKE UP THAT IF IT CAN HAPPEN AT ONE SITE IT EASILY HAPPEN AT ANOTHER. nOT AN IT TECH HERE BUT THERE ARE WAYS OF CRUMPTING SOFTWARE TO GAIN AN ADVANTAGE, AND ANYBODY WITH A SUPER USER ACCOUNT AND DON'T THINK THEY DON'T EXIST BECUSE THEY CLEARLY DO, JUST THERE NOT STUIPED ANY MORE AND WON;T HAVE LIKE 500K IN ONE ACCOUNT AND TAKE THE PROS NIGHT AND DAY. THEY PLAY LOW LIMTS OVER A 1K SN'S AND BLEED IDIOTS AND DONKS THAT WON'T KNOW ANYBETTER,,, WORD TO THE WISE YOU HAVE BEEN WARNED
Has this been checked on other sites such as Fulltilt PS etc?
Fact is if you play online, you are getting scammed ...and ripped off in some way
@ teflon19. You either have no money or you are on heroin! That was the dumbest analysis i have ever seen. Either way you should such your mouth
OK, this is definitely a vulnerability, although SSL is not the ultimate answer, as an SSL man in the middle attack is just as do-able on the same LAN as the poker user .. a lot of noise has been made of this (as it probably should) although I don't think everyone understands that it's *only* if your actually on the same LAN and also that SSL isn't a magic bullet to solve this .. the real issue is people protecting their wireless and wired LANs, not a massive CEREUS-only issue, to be fair to CEREUS. With proper hardware and SSL MITM tools, any of the other Poker systems could be hacked in a similar way. I'm sure it brought you boys lots of traffic though :)