Poker is a card game that many people around the world enjoy.

Poker is played at kitchen tables, in casinos, and cardrooms — and more recently, the Web. A few of us here at Reliable Software Technologies play poker.

Since many of us spend a good amount of our days online, it was only a matter of time before some of us put the two interests together.

This is the story of how our interest in online poker and software security mixed to create a spectacular security exploit.

The PlanetPoker Internet cardroom offers real-time Texas Hold’em games against other people on the Web for real money.

Being software professionals who help companies deliver secure, reliable, and robust software, we were curious about the software behind the online game.

How did it work? Was it fair?

An examination of the FAQs at PlanetPoker, including the shuffling algorithm (which was ironically published to help demonstrate the game’s integrity) was enough to start our analysis wheels rolling.

As soon as we saw the shuffling algorithm, we began to suspect there might be a problem.

A little investigation proved that this intuition was correct.The GameIn Texas Hold’em, each player is dealt two cards (called the pocket cards).

The initial deal is followed by a round of betting. After the first round, all remaining cards are dealt face up and shared by all players.

The dealer places three cards face up on the board (called the flop). A second round of betting then takes place.

Texas Hold’em is usually a fixed limit game, meaning that there are fixed amounts that a player may bet in each betting round.

For example, in a $3 to $6 game, the first two betting rounds are $3 bets while the third and fourth betting rounds are $6 bets.

After the second round of betting, the dealer places another card face up on the board (called the turn). A third round of betting then takes place.

Finally, the dealer places the last card face up on the board (called the river), and a final round of betting ensues.

Each remaining player takes their two pocket cards and combines them with the five community cards to make the best five-card poker hand.

The best hand among the players is determined by standard poker hand order.Texas Hold’em is a fast-paced and exciting game.

Bluffing is an essential part of the game, and quick decisions about who is holding what sorts of cards separate winners from losers.

Interestingly, Texas Hold’em is the poker game played at the World Series of Poker which is held annually in Las Vegas.

Now that everybody and their dog is online, and virtually all types of businesses are represented on the Internet, it’s only natural that casinos and cardrooms are there too.

Even with the reasonably easy availability of casinos on Indian reservations and riverboats, there is still real demand for more accessible games.

Being able to play online in the comfort of your own home (not to mention in your pajamas), without having to endure second-hand smoke and obnoxious players, is definitely appealing.

Security Risks Abound

All this convenience comes at a price. Unfortunately, there are real risks to playing poker online.

The casino may be a fraud, existing only to take money from naïve players without ever intending to pay back winnings.

The server running the online casino could be cracked by a malicious attacker looking for credit card numbers, or trying to leverage some advantage in the game.

Since a majority of casinos don’t authenticate or encrypt the network traffic between the player running the client program and the server hosting the card game, a malicious player could conceivably examine the network traffic (with a classic person-in-the-middle attack) for the purposes of determining his opponent’s cards. These risks are all very familiar to Internet security experts.

Collusion is a problem that is unique to poker (as opposed to other games like blackjack or craps), since poker players play against each other and not the casino itself.

Collusion occurs when two or more players seated at the same table work together as a team, often using the same bankroll.

Colluding players know what their team members’ hands are (often through subtle signals), and bet with the purpose of maximizing their team’s profits on any given hand.

Though collusion is a problem in real cardrooms, it is a much more serious problem for online poker. Using tools like instant messaging and telephone conference calls makes collusion a serious risk to online poker players.

What if all the players in an online game are all cooperating to bilk an unsuspecting Web patsy? How can you be assured that you’re never a victim of this attack?

Last, but not least (especially in terms of our story), there is a real risk that the software behind an online poker game may be flawed.

Software problems are a notorious form of security risk often overlooked by companies obsessed with firewalls and cryptography.

The problem is that a software application can introduce truck-sized security holes into a system. We spend a great deal of time in our day jobs finding and solving software security problems.

It is only natural that we turned our attention to online poker. The rest of this article is devoted to a discussion of software security problems we found in a popular online poker game. See also: VPN for online casino.

The first software flaw we’ll focus on involves shuffling virtual cards.

What does it mean to shuffle a deck of cards fairly? Essentially, every possible combination of cards should have an equal likelihood of appearing.

We’ll call each such ordering of the 52 cards a shuffle.In a real deck of cards, there are 52! (approximately 2^226) possible unique shuffles.

When a computer shuffles a virtual deck of cards, it selects one of these possible combinations.

There are many algorithms that can be used to shuffle a deck of cards, some of which are better than others (and some of which are just plain wrong).

We found that the algorithm used by ASF Software, Inc., the company that produces the software used by most of the online poker games, suffered from many flaws.

ASF has changed their algorithm since we contacted them regarding our discovery. We have not looked at their new approach.

Getting everything exactly right from a security perspective is not easy (as the rest of this article will show).

Figure 1:

Procedure TDeck.Shuffle;
var
	ctr: Byte;
	tmp: Byte;

	random_number: Byte;
begin
	{ Fill the deck with unique cards }
	for ctr := 1 to 52 do
		Card[ctr] := ctr;

	{ Generate a new seed based on the system clock }
	randomize;

	{ Randomly rearrange each card }
	for ctr := 1 to 52 do begin
		random_number := random(51)+1;
		tmp := card[random_number];
		card[random_number] := card[ctr];
		card[ctr] := tmp;
	end;

	CurrentCard := 1;
	JustShuffled := True;
end;

The shuffling algorithm shown in Figure 1 was posted by ASF Software in order to convince people that their computer-generated shuffles were entirely fair.

Ironically, it had the exact opposite effect on us.The algorithm starts by initializing an array with values in order from 1 to 52, representing the 52 possible cards.

Then, the program initializes a pseudo-random number generator using the system clock with a call to Randomize().

The actual shuffle is performed by swapping every position in the array, in turn, with a randomly chosen position. The position to swap with is chosen by calls to the pseudo-random number generator.