This article is a companion to the security advisory PTR has released, which is viewable at: PTR Security Advisory: Cereus Poker Uses Weak Encryption. It is intended to explain the severity and implications of this security risk to the broader, non-technical poker-playing audience.
Overview
PokerTableRatings has discovered a critical flaw in the Cereus Poker software, which affects both Absolute Poker and Ultimate Bet, allowing an attacker to hijack victims’ poker accounts and display their hole cards in real time. We have alerted the Cereus Network to this vulnerability, providing them with the source code necessary to demonstrate the problem. We hope our e-mail and this bulletin are sufficient motivation for them to fix the problem.
We have no way of knowing if this exploit has been discovered and used to steal from Cereus users, but it seems unlikely. It is our hope that this information will allow Cereus users to protect themselves.
The issue, in general terms, is that rather than using industry-standard SSL encryption, Cereus has used a custom form of encoding (not encryption) which can be cracked using the Windows calculator.
For interested readers we’ve explained the vulnerability below in as non-technical a manner as we could; otherwise you can skip ahead to the section entitled “Risk Levels for Players.”
Cereus Poker has responded to our communications with them about this issue. You can view these communications here.
Proof of Concept
Explanation
When you log into a poker client on your PC, what is actually happening behind the scenes is that a connection is established to the servers owned and operated by the poker network. This connection is used to transmit all data between your PC and the servers, including your username and password, betting actions, and your hole cards.
This can be thought of as a conversation between your computer and the poker network, which might go something like:
PC: I’d like to play poker; my username is bob and my password is 123456
Server: You are logged in
Or:
Server: A new hand has started at your Table 1
PC: Ok
Server: Your hole cards for Table 1 are Ac Jh
PC: Ok
On all poker networks this data is encrypted in a manner that would prevent any intercepted data from being used to gain access to your account or steal your hole cards. This means, essentially, that the conversation is obscured to prevent eavesdropping, so that someone listening in cannot “hear” your password.
Almost every poker network uses some implementation of the SSL protocol, which is the same type of security mechanism that everyone from banks to government agencies uses to secure their data. There are several freely available implementations of this protocol, including the open-source OpenSSL. SSL is the industry standard, and is generally regarded as best practice for encrypting network transmissions.
The problem is that the Cereus Poker network does not use SSL to encrypt its communications; it uses a custom form of encryption which is XOR-based. This form of encryption is known to be extremely weak, and in fact their particular implementation makes it especially simple to decrypt network data because the key is easily discoverable.
In fact, the encryption that the Cereus Network employs isn’t so much encryption as it is encoding. To see how simple it is to decode this data, simply open up your Windows calculator and set it to scientific mode. All that is really necessary to decode the data stream is the XOR button.
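To make the “encoding, not encryption” point concrete, here is an added toy illustration written for this article; it is not PTR’s test code and not the Cereus protocol. It uses a constructed 4-byte key and the two example messages from the conversation above, and shows the property that sinks any fixed-key XOR scheme: one message whose content is predictable (the server’s login acknowledgement) gives away the key, after which every other message in the same stream, hole cards included, reads as plain text.

```python
# Added example: XOR with a fixed, repeating key is a reversible encoding, not encryption.
# KEY and the messages are constructed for illustration; nothing here is Cereus-specific.
from itertools import cycle

KEY = b"\x5a\xa5\x3c\xc3"  # constructed 4-byte key; real length does not change the argument

# Messages taken from the example conversation in the article.
LOGIN_ACK = b"You are logged in"
HOLE_CARDS = b"Your hole cards for Table 1 are Ac Jh"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the repeating key.

    Because XOR is its own inverse, applying this twice with the same key
    returns the original bytes; that symmetry is the whole 'cipher'.
    """
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover the key from one message whose content is predictable.

    ciphertext XOR plaintext yields the key stream byte for byte, so any known
    message at least key_len bytes long exposes the entire repeating key.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("known message must be at least as long as the key")
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    return stream[:key_len]


def demo() -> dict:
    """Encode both messages, recover the key from the predictable one, read the other."""
    wire_ack = xor_with_key(LOGIN_ACK, KEY)        # what an eavesdropper sees
    wire_cards = xor_with_key(HOLE_CARDS, KEY)     # likewise, same key reused
    # The observer never saw KEY; it falls out of the predictable login reply.
    guessed_key = recover_key(wire_ack, LOGIN_ACK, len(KEY))
    return {
        "key_recovered": guessed_key == KEY,
        "cards_decoded": xor_with_key(wire_cards, guessed_key),
    }


if __name__ == "__main__":
    result = demo()
    print("key recovered:", result["key_recovered"])
    print("decoded:", result["cards_decoded"].decode())
```

The contrast with SSL is that a proper protocol negotiates a fresh key for every session and authenticates the server, so observing one predictable message tells an eavesdropper nothing about the rest of the conversation.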
The requirement for this vulnerability to be exploited is network access. This means that if you are playing on an open wireless network, a cracked wireless network (something which is increasingly simple to do), or on a physical network which has been compromised, an attacker could dump the network traffic and exploit this vulnerability maliciously.
Implications
The implications of this vulnerability are that Cereus Poker accounts can be compromised and have their funds stolen, and that an attacker could know the hole cards a Cereus Poker player is dealt in real time, then presumably exploit this knowledge to gain an advantage against them at the poker tables.
This attack can either be directed, in which a person who is known to play on the Cereus Network is targeted and exploited, or passive, in which an entire network’s traffic is logged and communications to the Cereus Network servers are decrypted.
Wireless networks are particularly exploitable because they can be compromised without physical access, requiring only proximity to the victim. Indeed, in many cases they won’t even need to be compromised, because the wireless network is not encrypted.
Physical networks are also vulnerable to a variety of attacks, especially if the physical network is on a hub (instead of a switch), which allows an attacker to passively observe all network traffic. A physical network can also be compromised at any network hop between a victim’s PC and the Cereus servers. Wired PCs are also vulnerable to an ARP cache attack, which can fool the PC into sending all network packets to an attacker’s PC, which then transparently relays the information to the router, resulting in uninterrupted internet access for the victim.
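Because the ARP cache attack described above leaves the victim’s connection working, the only sign on the PC is that the gateway’s hardware address changed or that one hardware address is now answering for several IP addresses. The following added example, written for this article and not part of PTR’s tooling, parses two constructed snapshots in the layout of the Windows `arp -a` command and flags both symptoms. The snapshots, addresses and the gateway IP are all made up for illustration.

```python
# Added example: spot ARP-cache poisoning symptoms from two `arp -a` snapshots.
# Both snapshots are constructed in the layout Windows prints; no real capture.
import re
from typing import Dict, List

BASELINE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-aa-bb-cc-dd-ee     dynamic
"""

# Later snapshot: the gateway's MAC now equals another host's MAC (constructed).
LATER = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-ee     dynamic
  192.168.1.20          00-aa-bb-cc-dd-ee     dynamic
"""

GATEWAY_IP = "192.168.1.1"  # assumption: the default gateway for this interface

# One ARP entry: IPv4 address, then a MAC in either 00-11-.. or 00:11:.. notation.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s", re.I
)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> normalised MAC from `arp -a` style output; header lines are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace(":", "-")
    return table


def arp_alerts(baseline: Dict[str, str], current: Dict[str, str], gateway_ip: str) -> List[str]:
    """Return human-readable alerts for the two classic poisoning symptoms."""
    alerts: List[str] = []

    # Symptom 1: the gateway's hardware address changed between snapshots.
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old and new and old != new:
        alerts.append(f"gateway {gateway_ip} MAC changed {old} -> {new}")

    # Symptom 2: one hardware address is answering for more than one IP.
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return alerts


def check_snapshots() -> List[str]:
    """Run the comparison on the constructed snapshots above."""
    return arp_alerts(parse_arp_table(BASELINE), parse_arp_table(LATER), GATEWAY_IP)


if __name__ == "__main__":
    for alert in check_snapshots() or ["no ARP anomalies"]:
        print(alert)
```

A gateway MAC change also happens for innocent reasons (a replaced router, for instance), so treat the output as a prompt to look, not proof of an attack. The real fix remains the one the article gives: the protocol itself must encrypt and authenticate, so that a relaying attacker sees nothing useful.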
Testing
In our lab, using a dummy cracked wireless network, we’ve been able to successfully hijack our own test poker accounts without being connected to the network the test victim is playing on. We’ve also been able to observe hole cards as they were dealt in real time from a test victim, using the same mechanisms.
All of our tests were done in a lab environment, using cheap commercial-grade hardware. There is some custom software involved in actually logging in to a hijacked account and decrypting the hole cards; the source for all of the testing totals less than 500 lines. The wireless network cracking and snooping were done using freely available open-source software.
Risk Levels for Players
The chart below attempts to quantify the level of risk a player has of being victimized in each type of networking scenario.
| Network Type | Risk Level |
|---|---|
| Public Unsecured Wireless | Severe |
| Public Secured Wireless | Moderate-High |
| Public Wired | Moderate |
| Home Unsecured Wireless | Moderate |
| Home Secured Wireless | Moderate-Low |
| Home Wired | Low |
Examples:
| Example | Network Type | Risk Level |
|---|---|---|
| Unknown wireless network in college dorm called “Linksys” | Public Unsecured Wireless | Severe |
| Starbucks or airport wireless, requiring login | Public Secured Wireless | Moderate-High |
| School computer lab, plugged in | Public Wired | Moderate |
| Home wireless network called “Linksys” or “netgear” not requiring a key, or using a WEP key (10, 26, or 58 digit hexadecimal number, sometimes generated from a user passphrase) | Home Unsecured Wireless | Moderate |
| Home wireless network requiring WPA2 key | Home Secured Wireless | Moderate-Low |
| Home wired network | Home Wired | Low |
*It is worth mentioning here that a player who can be specifically targeted is at an unquantifiable but elevated level of risk.
Suggestions for Players
The biggest step a Cereus player can take to protect themselves is to simply stop playing on the Cereus Network until these issues have been resolved. There is no way of being 100% secure at the moment. The suggestions below are precautionary and are in no way guaranteed to prevent exploitation.
If a player chooses to continue playing on the Cereus Network while the network is still vulnerable, they should at minimum plug directly into their modem. This will prevent anyone else on the local network from exploiting them. If a wired network is not an option, the player should make absolutely sure their network is encrypted using WPA2 encryption.
We absolutely advise against playing on any unknown or public networks, especially wireless networks.
We also recommend against a player revealing that they play on the Cereus Network until these issues are resolved, so as to avoid making themselves a target.
Suggestions for Cereus Network
In order to properly resolve these vulnerabilities, the Cereus Network should upgrade all of its network communications to use the industry-standard OpenSSL library, which is freely available at http://www.openssl.org/. When implementing the SSL changes, be sure to validate the peer certificate so as to prevent an SSL man-in-the-middle attack.
We would also recommend that the Cereus Network undergo a real and impartial security audit. We’re happy to lend a hand in whatever way we can in this regard.
Synopsis
In summary, there is a critical vulnerability in the Cereus Network software which makes it possible for an attacker to hijack poker accounts and view hole cards. The only 100% protection is to stop playing on the Cereus Network until they upgrade to SSL. To our knowledge there are no cases of this vulnerability being used to exploit actual players. PokerTableRatings.com created test accounts for all proof-of-concept testing done during the discovery of this vulnerability. We do not have passwords to any unauthorized user accounts. The Cereus Network has been notified of this vulnerability. We will continue to report on this as it develops.
Update 2010-05-06: Cereus Poker has responded and appears to be taking these flaws seriously; read the response here: http://www.pokertableratings.com/blog/2010/05/cereus-poker-security-response/
Tags: SSL
Makes sense I quit playing on those sites, and I ain’t playing there no more after this insight
lol
how would they know which table the player is at? is there a way to read that also?
Great work.
UB and AP have always been vulnerable to outside and inside cheating. They lie, deceive and cover up. You can see players’ mucked cards in some games too. I don’t understand why people are still playing there.
great work PTR
LMFAO the second major scandal to hit this site after potripper. surely this should finish them off now ?
UB money for Stars anyone?
no wonder they say this on their websites first page, “The popularity of our software is no secret, but that doesn’t mean we’re satisfied.”
I think this is a completely unfair and slanderous allegation. If your uber techies found a flaw, why couldn’t they produce an example showing an OPPONENT’S hole cards? I mean ya, perhaps a very remote possibility someone with access to your network would be able to get something, but how realistic is the threat? I think it’s un-cool for your website to make this front page news when you couldn’t even provide 1 example of exploiting another player.
lol Carpe. That was an OPPONENTS hole cards. Reread before you make a fool of yourself.
If you live in an apartment and you’ve known the guy downstairs plays at UB and you have the knowledge to do this, you’re getting his hole cards.
My only problem is that posting this pretty much ensures somebody will try to do it now. People who don’t read PTR (and that’s a lot of people) are now in danger when they weren’t before. Why not just send this to CEREUS and then write an article about how PTR saved the day later?
Russ Hamilton Fallout Faction is responsible IMO.
@iammojay
Because cereus has proven itself to be a “bit” slow concerning these matters. Better to inform the public now.
Were the researchs paid by Stars and Tilt?
hmmmm looks like they wont let u open absolute any more.. and it say that 21k players are playing… if ptr could find out how many other people do u think known this for quite some time now and havent said a damn word. peace out ap and ub.. getz at me
CHECK OUT XBLINK! HENCE THIS IS WHY HES UP
Good Lookin’ out PTR. Thanks for the story!!
Ya this is not fair at all for UB. Fuck on the front page…really?
lol @ not being fair.
It’s not fair for all the customers of UB that they have likely been vulnerable to playing in a rigged game for a long time (years?). This is unimaginable incompetence to not use industry standard encryption on the connection between client & server.
ty ptr.
that video shows nothing im pretty sure right? lol
@spiderman123 are you ignorant?
o no xblink shud start withdrawing ha
Doesn’t surprise me. I used to be able to make the person to my left or right not be able to see their cards in SNGs. Like 8 years ago. Also used to be able to get an SNG refunded by unregistering right before the start of the tourney. Seems like they still haven’t got all the flaws worked out.
And this is why i play mostly live :)
Good work PTR. Certainly not surprising to me that “Cereus” is being exposed as a shady organization. (for what, the 3rd time now?)
the video shows that a different computer having nothing to do with the logged in account can access info
Will take AT LEAST A MONTH to properly implement and test new security, closer to truth is to say it will be implemented in like 3-6 months. Take your $ out if you like your $!
That’s so scary. I’ll never play again on this room.
I think the lower stakes are still safe, just because if someone is able to crack the encryption code he wouldn’t play 50NL.
great work, this site should be banned after all that happened in the past.
Umm…someone has to hack into your local network in order for this to work. And you guys are freaking out like this will affect everyone. I think not.
“I would also like to emphasize to your readers that this issue would require someone to have access to their local network and also have the technical capabilities to crack our encryption in order to gain access to the player data and see the clear text like you did in your demonstration.”
THE FACTS STILL STAND THAT NO OPPONENT’S HOLE CARDS WERE REVEALED. For crying out loud, you could PEEK THROUGH SOMEONE’S WINDOW and see their hole cards, prob be a lot less work than taking a month to actually find the means to calculate it and sniff out someone’s network.
The bottom line is they def should have SSL encryption, and they prob will here soon, but for you all to cry bloody murder is just being gullible. This is far from some security scandal that PTR is making it out to be by making this front page news. Shame on u.
I believe that the high rollers should be worried about this. Now, I totally understand that AP has a dark past and this obviously does not help them at all. They now MUST use the SSL encryption and they should have to try to compensate all players somehow. I know that someone needs to have access to your network and so on. But the fact that there is a way to crack the network is UNACCEPTABLE!! We put our money here and I strongly believe that we have the right to get some sort of compensation. If not, it’s time to search for other sites, my friends.
sorry, I seem to have jumped to conclusions, ignore my post @ 12.33 am
but still:
any decent IT guy that works for your internet provider or any provider upstream between you and Cereus could sniff your traffic and hack you.
SUPER SUPER FISHY BY PTR
“And this is why i play mostly live ”
the table you were playing at probably has a hole cam. lol
well they had to say something to draw the attention away from the fact that they are gonna start charging for searches
Carpe, I don’t think you are grasping what the guy is doing here.
Was this only concerning the Absolute poker client or more sites???
time to play heads up :D
Warning the public about something that even PTR admits was almost definitely not happening doesn’t make sense. After this report, of course somebody out there can figure it out…it’s practically laid out on the video if you know how to crack the encoding. In all fairness, it’s still very unlikely somebody is going to get their particular account hacked. The person doing the hacking would need to know where you live, where you have accounts, and when you are going to play. And of course they need to get close enough to retrieve the signal with two computers so they can sniff the signal and play at the same time. It’s incredibly unlikely, and almost ridiculous to think somebody had done this prior to now. So again I ask, why are we now giving a guidebook to knowledgeable hackers on how to rip somebody off when there was no actual need to ‘protect’ us in the first place? It IS irresponsible, even if CEREUS does deserve criticism for not using encryption.
Anywhere there is large sums of money there is corruption. Anywhere. Some forms are just more socially accepted than others. Other forms become socially accepted. You would be naive to think that Ultimate Bet, Cereus, Absolute Poker, Full Tilt are the ONLY sites to cheat players. Online casinos are meant to make money, and whether it’s the programmers subtly increasing the variance to control the vast majority of money leaving the site or workers/cheaters exploiting the flaws through the back door of a software encryption, the fact of the matter is this will always be a cyclical pattern of cheating happening in some form or another. Like seriously guys, for those of you who keep defending sites like this and any site in general, shake your freaking head. I mean we are lied to by our own governments every day involving matters that they ARE held accountable for, like health care or invading other countries. What the hell makes you think OFFSHORE casinos who govern themselves, audit themselves and punish themselves would never NEVER try and gain the most minimal edge to make profits? Let’s get real here. I am drifting off base, but the fact that ONCE a company does this there should be no second chances, but some knuckleheads are defending and this is the third time. I would sure like to sell them some insurance….Make me rich real quick. That’s all, I am not gonna hate on all the other bs that goes on online, it really does no good.
The only reason UB uses a different encryption method is so they can let power users see that exact information. I’m not worried too much about wireless networks being hacked, but what this does expose is that information can easily be accessed by other users.
A while back internal staff at UB/AP were using a power user account to see hole cards; obviously this has not stopped, just google Russ Hamilton.
To PTR… Isn’t your program just the same as any bot type of program or Holdem Manager that can see and read your hole cards in real time… Your video shows your program displaying your own hole cards, umm big deal, there are loads of programs that can do the same thing on at least Cake, UB, Full Tilt etc… So how does this show anything special.. The only way this is possible is to have your computer itself hacked, obviously through your internet. So having your computer hacked is bad in general, especially if you play poker.. I don’t see anything diff between UB, AP, Full Tilt, Cake etc… Maybe you could be more clear and show a video that displays someone else’s hole cards….. thanks…
Hey guys few things:
1) We have no idea whether or not the flaw is being used to hurt players; we think the chances are slim, but there is still a chance, and we therefore have an obligation to let the public know. This is fairly standard as far as reporting software vulnerabilities goes: you tell people so they can protect themselves.
2) The video shows us pulling hole cards from the air, not a specific user account’s hole cards. They aren’t “our” hole cards; they are just the ones that happened to be flying by in the wireless data. The attacking computer doesn’t know anything about the account playing poker, so if someone were in the next room or house over playing cards, I’d have gotten theirs as well. That is the vulnerability.
Well that and we can grab logins too.
Cereus seems to be taking this very seriously, the COO has issued a statement: http://www.pokertableratings.com/blog/2010/05/cereus-poker-security-response
this can’t happen on a big site like PokerStars or Full Tilt Poker
These cheap sites are located IN SAN JOSE COSTA RICA on Rohrmoser boulevard 400 blocks south, for legal actions
Unbelievable that another security issue would pop up with this network after the scandal with Hellmuth getting shipped the pot after he lost the hand. I’m definitely going to close out my account on both of their sites. Thanks PTR for going above and beyond to make sure that the poker community be made aware of security issues such as this.
i joined Ultimate Bet after the Potripper scandal; my brother said i was mad. After PTR has opened this can of worms im gonna have to agree with him.