Full HCL report focuses on tech set-up, potential security gaps

Haley Hintze
Published by:
Posted on: December 19, 2022 11:11 pm EST

“Hustler Casino Live”‘s investigation into the cheating allegations launched against Robbi Jade Lew and others by Garrett Adelstein in the wake of the infamous “J-4” involved far more than just the revelation that investigators found no evidence of cheating by Lew, other players, or anyone associated with the HCL streamed games. Besides the top-line statement involving both Lew and the enhanced security guidelines the show has put into place, HCL’s parent company, High Stakes Poker Productions, LLC, also issued a long-form report that detailed several related topics.

From the methodology used to examine the show’s technical aspects to an examination of HCL’s internal controls, Bulletproof (the tech-security firm retained by HSPP), detailed both its approach and findings as it searched for ways in which HCL’s controls and communications could be exploited. The investigators found no signs of tampering, and they were able to rule out most of the scenarios invented by armchair investigators to create methods through which cheating could have occurred.

Some items from the report also found their way into the top-line press statement, including Bulletproof’s list of its top five conclusions from the investigation, and the ten security and process enhancements that have been put into place by HSPP for all future HCL streams. The ten-week investigation, however, produced many other supporting findings that will not only improve and secure HCL’s future streams, but all similar live-streamed poker shows.

PokerGFX server risks identified

Hustler Casino Live, like many other livestreamed poker shows, is created via the PokerGFX software suite, through which poker-related graphics are overlaid on images captured from the table. PokerGFX runs on a Windows platform, and Bulletproof’s forensic evaluation found no evidence that malware, added programs, or such things as remote-viewing software had been installed.

“It was found that no remote control or viewing software was installed at the time of the broadcast on Sept. 29, 2022 on all systems showing hole cards except for the control machine used to display multiple machine screens,” Bulletproof’s report offers. “No USB keys, foreign devices or wireless connections were active on the system at the time of Sept. 29, 2022. This information was obtained with a forensic image and specialized software.”

Bulletproof’s report did note that some of the production-quality requirements of the HCL stream meant that some security protocols had to be disabled or ignored, such as not having hole-card information transmitted in real time to the “control machine” that effectively operates all other computers and equipment connected to the system. The information has to be made available immediately to fill its role in the mixing process involving multiple camera views and overall game flow.

Instead, as Bulletproof noted, HCL needed to strengthen its production security so that the hole-card info is shared only with those trusted employees directly involved with assembling the stream.

Overall, Bulletproof identified seven different security risks involved with the computerized aspects of the HCL production, including the PokerGFX server suite and several complementary software packages. These were the risks Bulletproof found:

  1. All non-streaming machines are connected to a private network that has no internet access but can be joined to the wireless network by the logged in user.
  2. The user and password are shared amongst staff and staff has full administrator access to the system.
  3. The antivirus license is expired.
  4. No tracking of users, actions, and internet access stored in a log file.
  5. The System BIOS is not password protected.
  6. No website tracking or user access control is utilized.
  7. Non-commercial grade network gear and router used lacks features for network security, segmentation, and logging.

Despite these security lapses, and despite slack controls over which employs had admin-level access to the HCL production, Bulletproof still determined that it was highly unlikely that cheating occurred.

Player security issues also analyzed

Bulletproof’s longer report also examined some of the supposed scenarios under which Lew or others could — in at least a theoretical sense — have received information through technical means. In the days and weeks following the September 29 stream, proposed cheating methods incorporated Lew’s water bottle, a ring that she wore, and even a purported TENS massage device supposedly being worn on her upper leg. Bulletproof even obtained a typical TENS device and experimented with various methods of adapting it to receive signals, but found nothing that worked reliably over distances of more than just a few meters.

The investigation found the TENS and other theories not necessarily impossible, but highly unlikely given the real-time limitations and the technological complexity needed. Theories involving the theft of hole-card information from the RFID-embedded cards was also generally ruled out, due to the advanced hardware needed to decode the RFID signals and the very short distances over which the passive RFID signals could be intercepted.

Instead, rather than chasing increasingly unlikely scenarios, Bulletproof returned to its recommendation of tightening HCL’s production-room protocols. “Bulletproof’s opinion is by strengthening the production booth per the previous recommendations to ensure information cannot get out electronically or personally will render most remote signaling devices useless,” the report offered. “However, it is still recommended that players be checked for devices and leave their personal belongings in a secure area. For the security of the player, each should be given a signal-blocking Faraday bag in which they can place their bags, phones, and all other personal items which will be kept in the corner on stage. Faraday bags, just as the production booth, should be tested before utilization as cell tower distance can affect results.”

Featured image source: YouTube / Hustler Casino Live