The following story was recounted to me several years ago. It was told to me under the condition that the names, dates and other identifiable data be kept confidential. The person who told me this story did not identify himself; however, I was able to corroborate many of the items and events that were described in his recount. Many of the dates, times and other items that follow have been fictionalized. Note -- most, if not all, of the system vulnerabilities have been improved or completely eradicated, but as this story shows, there was a time when someone with a bit of technical knowledge and just enough creativity was able to capitalize on a design failure. The story below has been edited and a few details may not be exactly as originally told -- it was never proof-read by the person who recounted the story.
"How I Rigged the Lotto!"
Recounted by Peter A.
It was May 1996, while working as the bartender at Joe's Sports Grill in Long Beach, California, that I first came into contact with a California Lotto terminal. Though the bar's name was Joe's, the owner was named Bill. Bill enjoyed the bar's evening crowd so he often slept during the day and came in late to work the night shift. I was given the daytime shift. The daytime shift was slow -- there were a couple of "regulars" but I could never really understand why Bill even opened the place for daytime business. Anyway, to make a long story short, it was this lack of business that gave me the opportunity to fully examine some of the characteristics and quirks of the Lotto terminal -- this is when I started fantasizing about rigging the Lotto. One of the amazing aspects of the Lotto terminal was its lack of security. It simply plugged into a normal telephone jack. Not only was the telephone connection simple -- the line itself was also accessible on the outside of the building in the alley through what is known as a "TNI box" -- a plastic telephone box just like the one most of us have on the side of the house. There was no security whatsoever. This is still the standard method for connecting Lotto terminals to the network.
[Photos: "Easy access for anyone!" Top: typical telephone (TNI). Middle: TNI box open. Bottom: notice standard modular jack.]
At that time, the Lotto terminal and network worked in a very simple manner. When a client would buy a Lotto ticket the operator would put their filled out Lotto card into the terminal. The machine would issue a ticket with serial number and would then place the selected numbers and a corresponding serial number into a data file. The data file would collect the data from several tickets and batch the ticket data. The terminal would then periodically send the batches up to a regional terminal, which in turn would further bundle them into larger files and finally send them to the main computers. What was most fascinating about this process was that during periods when the phone lines were interrupted by such things as weather or physical damage, the store terminal would place all of the information into a "pending" file and simply wait for the connection with the main computers to come back on line. When the connection was reestablished the terminal would then send all of the "pending" data up to the region. I never imagined that the system had these kinds of quirks. This meant that during times of interruptions, a local Lotto terminal could actually be holding "pending" data until after the actual Lotto drawing was done. If the winning numbers could be inserted into the "pending" data before the batch was transmitted, one could then create a winning ticket after the fact! The trick would be to interrupt the connection, find out the winning numbers from the draw -- then insert them into the batch and create a replacement lotto ticket with the winning numbers and a correct serial number. I thought about these vulnerabilities for days. If I could see exactly what the transmitted data looked like, perhaps it could be modified. I had always been a backyard tinkerer, but I knew my limitations and for something like this I would need an expert.
Enter a Partner
While growing up we all meet a budding genius or prodigy somewhere along the line. Some of these young people will become scientists or the inventors of future technology, literary masters or visionary artists. Some, however, will peak way too young and burn out long before they even become adults. They don't lose their abilities or their intelligence, but they may find that the system for getting certificates and degrees for things that they already know is slow, tedious and menial. So their lack of "certs" seems to disqualify them from the "cover-your-ass" bureaucratic environment, which requires documentation for everything and everyone. Without a patron and without a business sense, these prodigies are just tossed to the side road, while people with far less ability move ahead professionally and financially. I went to elementary school with one such person. His name was Roy. In the 6th grade, he was building radios, amplifiers, oscilloscopes, rockets and other electronics that were way beyond the understanding of the typical 12-year-old. Roy was indeed a prodigy, but his abilities could not be identified by aptitude tests or the challenges presented by a typical 6th grade curriculum. Roy's teachers never knew about his amazing abilities -- he just appeared to be average. There weren't any tests relating to ohms, resistance or circuitry in any of the classes that we took in those days... In high school his passion for electronics moved to computers and programming. Independently, he acquired a knowledge of physics and science that was always years ahead of his chronological age.
Anyway, if there was one person out there who could understand the possibilities that I'd discovered it would be Roy -- and if I could even find Roy -- the question then became would he be interested? I need to jump ahead now. I did find Roy, and yes, he was interested. In fact he was more enthusiastic than I'd ever imagined. The prize money was just the "icing" for Roy. The challenge was actually accomplishing the task. We swore that we would not discuss this project with anyone -- not family and not friends. We also agreed that we would not bring anyone else in on the project. We would split the winnings 50/50. To the public we would simply be the holders of the "winning" Lotto ticket.
"How We Did It"
After Roy was satisfied that I'd indeed found real vulnerabilities in the system, we set out to discover the finer points of the system. Roy created a unit to monitor the line -- it was stealthy, could not be detected and would not interfere with the Lotto terminal's data transmissions -- we connected to the telephone wires in the telephone box in the alley. I set off to fine tune a technique to make sure that we could produce a proper receipt. One day I arranged to make the Lotto terminal jam and stop working. Bill called the Lotto offices and they sent over a technician. When the technician came out, I made sure that I would be there to watch him access the unit. He first pressed a sequence of keys on the unit which I was able to write down, while pretending to do inventory. He then cut a tag on the side of the machine, lifted the top off and unlocked another panel. The wire tag was identical to sealing tags that were available at a local surplus store that I frequented. From what I saw, there were a couple of RS232 ports and a serial port under the panel. He attached a handheld monitor to one of the ports, pressed a couple of buttons on the monitor and closed up the machine again.
I later told Roy about what I'd seen. He said that it sounded like a typical reset procedure for a POS terminal. He said that he would know more after he could check the transmitted data. The unit that he'd created to capture the data showed some remarkable characteristics of the system. The data was encrypted but it was a very old technique that had long ago been broken. He was able to decode all of the data and to our amazement the transmitted data was incredibly simple. It was just a simple sequential file showing time, selected numbers and the serial number of each transaction. He was also able to look at the information input during the service call as well. It was exactly as he suspected -- routine POS reset codes. From Roy's knowledge of POS codes, not only could these codes be used to access the equipment, but all traces of access could be reset as well by using a hack that some 14 year old kid from Finland had created... The entire data aspect of the project now seemed suspiciously too simple, but as I later found out, the actual paper ticket would be the most important piece of the project. The ticket would have to be flawless and the only way to make that happen would be by producing the "winning" ticket on that exact machine -- in the proper sequence and with a correct serial number!
As luck would have it, the method soon presented itself. We would purchase several tickets separately and keep one from the middle of the group -- to be replaced. I would make the machine generate a paper advance that would allow me to take a strip of Lotto paper and keep it to be used later. After the Lotto drawing, I would key in the winning numbers and print them on the saved strip of Lotto paper. The Lotto terminal would be reset based on the methods that Roy had discovered in the captured data and his knowledge of both proprietary and standard POS programming. Dates, times, serial numbers and everything else could be substituted to look exactly like a routine transaction had occurred.
Waiting for the Perfect Storm
Now that we had formulated the methods to accomplish our project, two more things would need to occur at precisely the right time. We needed a large jackpot and a huge storm to coincide. We wanted the large jackpot for obvious reasons and the storm was needed so that our machine could "lose its connection." Well perhaps we were destined to accomplish our goal for some future "good deed" that we would some day accomplish as a result of our beckoning "good fortune," but in any event, it all came together on December 18th. After a typical southern California late season heat-wave the weather changed suddenly on Wednesday and the entire Los Angeles area suffered one of the worst rain storms in history. During that same week the Lotto had achieved one of the biggest jackpots since its inception - $226,000,000. This was the perfect opportunity. Lotto sales that week were already brisk as was usual any time that the Lotto got into 9 digits, but this week there was an even larger frenzy for tickets than usual. On top of that Bill even asked me to stay and work a double shift on Wednesday to help cover the evening shift, because he was feeling a little run down -- I couldn't have asked for a better situation. I had planned to ask Bill for some extra hours, if the circumstances were right, but this way I didn't need to, thus one more potentially unusual occurrence was avoided. These would all be very important later. It never happens this easy in the movies.
I didn't need to call Roy; we'd already made plans for him to come in, just in case a storm and a jackpot occurred together, and over the last couple of weeks we were already watching this current jackpot grow. So Roy came in about 7pm, but just before he came in, he pulled the phone connector outside the building in the alley and the machine went off line; however, it was still capable of selling and printing tickets. The tickets were simply held in "pending batches" until the machine was able to reconnect. Since it was raining so badly throughout the area, no one would suspect that our loss of connection was not caused by the storm. Roy purchased 40 tickets over the course of the next 35 minutes. At precisely 7:17pm he submitted our "special" ticket form. This would later become the ticket that we would replace and reprint. While no one was looking, I also took the opportunity to advance the Lotto paper which I rolled up quickly and placed in my pocket. Roy left at around 7:35pm.
39, 34, 19, 38, 9, 21
At just before 8pm we switched the channel to watch the Lotto Drawing. The numbers came up -- 21, 38, 39, 34, 19, 9. These would now be the numbers that we would substitute into our "special" ticket. The rush to buy tickets was over. The rest of the evening was a typical, but extremely wet Wednesday night. The customers did clear out a little earlier than usual and Bill decided that he was going home early. He asked me to stay till 2 and close up, which I gladly agreed to. The place was empty from 11pm to 2 a.m., but I stayed anyway. At 2 a.m. I closed the doors and turned off the sign. A couple of minutes later I heard a quiet knock on the back door. It was Roy. Our work was just beginning. He brought some tools and electronic devices and we began our project.
"cassarole34891xx^"
I cut the tag and exposed the locked panel underneath -- it was a security lock but it was basically a typical POS lock and Roy managed to pick it with a hard nylon pick which wouldn't leave marks -- maybe he watched a few too many Mission Impossible episodes when he was a kid, but few obstacles held him back -- he seemed prepared for almost any contingency. Once we removed the cover, Roy looked inside and found the ports. He now attached his monitor to the port and started looking at the data that it displayed. The numbers and sequences appeared in exactly the same format as the data that he monitored from the phone line, except this was not encrypted and there was a series of tokens and flags, which identified the file as a "pending batch." He scrolled through the ticket serial numbers until he found our special ticket #653011814 followed by the temporary numbers that we had selected when he purchased the ticket at 7:17 p.m. Now we needed to change those numbers to 09, 19, 21, 34, 38, 39 -- Roy entered them and removed the previous numbers. He then disconnected the monitor. Now he needed to reset the machine back to exactly 19:17:07 (7:17:07 pm) Wednesday, December 18 ****. To do this he connected a device to the serial port -- this unit had a keypad with numbers and characters. He typed in the password "cassarole34891xx^" -- the Lotto terminal beeped 3 times and a request for the date appeared on the tiny screen. Roy re-attached the previous monitor; he needed to block the new information from being written to the file. He typed in a code that would cross four of the pins and put them into a temporary loop.
Roy now typed in the date and time. He then instructed me to install the paper that I had rolled up earlier. He looked at the back of our original ticket to see where the cut-off was for the previous ticket. This was just a little extra, since the machines do not cut off precisely anyway. Now it was time to produce the "winning ticket." The "special ticket" had three plays and three sets of numbers on it. I filled out a form earlier that evening containing two of the same number sets that were on the original ticket and also marking in the numbers "09, 19, 21, 34, 38 and 39" to create a winning ticket. Into the slot the form went and voila the "winning ticket" was produced! Roy then re-entered the current date and time. He checked the data to see if there were any anomalies in the file. Everything was in order. I re-installed the paper roll. Roy disconnected his devices and he replaced the door and locked it. He put the plastic cover on and resealed the unit with the tags that we had bought weeks before. The only thing that was left to do now was to reconnect the Lotto terminal to the phone line outside.
Roy reconnected the phone line and walked down the alley.
What happened next?
The next day, I woke up around 7 am. The newscaster on the radio periodically repeated the winning numbers and that there was only one winning ticket sold -- and the location where it was sold... Joe's Sports Grill in Long Beach!
Want to know what happened next? Did they all live happily ever after? Did the Lotto commission pay up? Was there an investigation? Hmmm...
Check back periodically for the continuation of the story...