Is There a Checklist for Arcade Security That Covers All Machine Types?
An operator in Chiang Mai, Thailand, once asked me to review a security checklist he had found online — a generic list of “arcade security tips” from a trade magazine. It included items like “install security cameras” and “train staff to watch for suspicious behavior.” When I walked through his 45-machine venue, I found that exactly zero of the items on that generic checklist would have detected the specific exploits his machines were facing. The fish table machines needed I2C bus monitoring. The redemption counters needed ticket serialization checks. The crane machines needed grip-strength calibration logs. A single generic checklist for all machine types is like a single maintenance schedule for all vehicles — it will never fit anything specific enough to be useful. What operators need is a machine-type-specific checklist that covers the unique vulnerabilities of each category.
This article provides exactly that — broken down by machine type, with specific inspection points based on the attack vectors I have observed across Thailand, Mexico, and the Philippines.
Category 1: Fish Table / Multi-Player Gaming Cabinets
These are the highest-value, highest-target machines in any arcade. The checklist reflects that risk level.
- Verify firmware hash against manufacturer reference (weekly). Fish table firmware is targeted more aggressively than any other type.
- Scan I2C bus for unauthorized devices (monthly). Fish tables have multiple peripherals (button panels, coin acceptors, display controllers) creating a large I2C attack surface.
- Reconcile server-side player balance totals against client-side machine totals (daily). A mismatch of more than 1 percent means data is being modified between the client and server.
- Check for unauthorized Bluetooth or Wi-Fi modules (monthly). Many exploit devices communicate wirelessly with the attacker’s phone.
- Verify button panel wiring — every button should trace directly back to the control board with no intervening components (quarterly).
- Audit player accounts with unusual credit accumulation patterns (weekly). Players who receive credits without corresponding coin-in events warrant investigation.
- Check real-time clock battery — exploits often trigger only during specific hours to avoid detection during peak monitoring periods (monthly).
Category 2: Slot-Style and Reel-Based Machines
The primary attack vectors are RNG manipulation and coin mechanism bypasses.
- Verify that RNG output distribution matches expected statistical profile over a 1000-round sample (monthly). Use a chi-squared test — your distributor’s technician should be able to run this.
- Inspect coin acceptor path: coin slot to validator to counter to cash box — every component wired directly, no splices (quarterly).
- Check for modified payout display: does the displayed payout percentage match the configured percentage? Some exploits modify the display to show the expected number while the actual payout rate is different (quarterly).
- Verify door-open sensor logs against service records — any door opening that does not match a documented service event is a red flag (weekly).
- Check bill validator firmware against manufacturer current release (monthly). Bill validators have their own firmware and their own vulnerabilities.
- Review coin counter increments against physical coin drops — a 5% or greater discrepancy indicates tampering or calibration drift (weekly).
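The chi-squared check from the first item in this list, as an added example that is not taken from any manufacturer's tooling: it compares observed symbol counts from a 1000-round sample against the configured stop probabilities. The symbol names, probabilities, sample counts and the 0.01 significance level are constructed assumptions.

```python
import math

def chi2_sf(stat, dof):
    """Upper-tail probability of a chi-squared value, computed from the
    series for the regularized lower incomplete gamma function."""
    a, x = dof / 2.0, stat / 2.0
    if x <= 0:
        return 1.0
    term = total = 1.0 / a
    n = 0
    while term > total * 1e-15:
        n += 1
        term *= x / (a + n)
        total += term
    p_lower = total * math.exp(-x + a * math.log(x) - math.lgamma(a))
    return max(0.0, 1.0 - p_lower)

def rng_distribution_check(observed, expected_prob, alpha=0.01):
    """Goodness-of-fit of observed symbol counts against the configured odds.
    Returns (statistic, p_value, flagged)."""
    rounds = sum(observed.values())
    unknown = set(observed) - set(expected_prob)
    if unknown:
        raise ValueError(f"symbols not in configured profile: {sorted(unknown)}")
    stat = 0.0
    for symbol, prob in expected_prob.items():
        expected = rounds * prob
        if expected < 5:  # the test is unreliable with tiny expected counts
            raise ValueError(f"sample too small for {symbol}")
        stat += (observed.get(symbol, 0) - expected) ** 2 / expected
    p_value = chi2_sf(stat, len(expected_prob) - 1)
    return round(stat, 3), p_value, p_value < alpha

# Constructed profile and two constructed 1000-round samples (assumptions).
EXPECTED = {"CHERRY": 0.30, "BELL": 0.25, "BAR": 0.20,
            "SEVEN": 0.15, "JACKPOT": 0.10}
CLEAN = {"CHERRY": 308, "BELL": 241, "BAR": 205, "SEVEN": 151, "JACKPOT": 95}
SKEWED = {"CHERRY": 285, "BELL": 235, "BAR": 190, "SEVEN": 140, "JACKPOT": 150}

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("skewed", SKEWED)):
        print(name, rng_distribution_check(sample, EXPECTED))
```

A flagged sample only says the deviation is unlikely to be chance; repeat the test on a fresh sample before opening the cabinet.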
Category 3: Ticket Redemption and Prize Games
The indirect theft vector — exploit ticket generation, redeem for prizes with real value.
- Audit total tickets issued per machine against ticket redemption counter totals (weekly). Discrepancy means tickets are being generated without corresponding paid gameplay.
- Verify ticket barcode or serial number uniqueness — duplicate ticket numbers indicate counterfeit tickets (weekly, if your system supports serialization).
- Check redemption terminal access logs for unauthorized employee override events (daily).
- Inspect all sensors — button sensors, motion sensors, target sensors — for physical obstruction or misalignment that could create false triggers (monthly).
- Review prize inventory cost against ticket issuance value — if prize cost consistently exceeds ticket value by more than 15 percent, investigate (monthly).
- Test ticket dispenser motor current draw during dispensing — abnormally low current indicates the dispenser is running without actually cutting tickets (monthly).
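The issuance and serial-uniqueness audits from the first two items in this list, as an added example that is not part of any redemption system's software: it cross-checks an issuance log against a redemption log. The log layout, machine names and serial numbers are constructed assumptions.

```python
from collections import Counter

# Constructed weekly logs: (machine_id, serial) as issued, serials as redeemed.
ISSUED = [("SKEE-01", "T100001"), ("SKEE-01", "T100002"),
          ("SKEE-01", "T100003"), ("HOOP-02", "T200001"),
          ("HOOP-02", "T200002")]
REDEEMED = ["T100001", "T100002", "T100002",
            "T200001", "T200002", "T200777"]

def audit_tickets(issued, redeemed):
    """Return the findings a weekly ticket audit should surface."""
    issued_serials = Counter(serial for _, serial in issued)
    redeemed_serials = Counter(redeemed)
    return {
        # Same serial issued more than once: serialization is broken or cloned.
        "issued_twice": sorted(s for s, n in issued_serials.items() if n > 1),
        # Same serial redeemed more than once: a copied ticket was accepted.
        "redeemed_twice": sorted(s for s, n in redeemed_serials.items() if n > 1),
        # Redeemed but never issued by any machine: ticket from outside gameplay.
        "never_issued": sorted(set(redeemed_serials) - set(issued_serials)),
        # More tickets redeemed than issued in total (0 when there is no surplus).
        "redeemed_surplus": max(0, len(redeemed) - len(issued)),
        # Issued count per machine, for comparison with each machine's own meter.
        "issued_per_machine": dict(Counter(m for m, _ in issued)),
    }

if __name__ == "__main__":
    for finding, value in audit_tickets(ISSUED, REDEEMED).items():
        print(f"{finding}: {value}")
```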
Category 4: Crane and Claw Machines
Mechanical and voltage-based attacks, plus emerging phone-app-based exploits.
- Measure claw grip voltage against factory specification — a deviation of more than 0.3 volts indicates tampering (monthly).
- Verify the payout cycle configuration and the count of paid plays since the last win. A counter that has been manually reset without authorization is suspicious (weekly).
- Check joystick and button input path for signal interceptors (quarterly).
- Disable unused Bluetooth capability at the firmware level if your crane supports it (once only, then verify quarterly).
- Inspect prize chute sensor for false trigger mechanisms (monthly). Some exploits involve mechanically or optically falsifying the prize-drop sensor.
- Review win rate per play session — a win rate above 15% for a crane configured at 8% indicates tampering (weekly).
Category 5: Racing and Simulator Games
Lower exploitation rate but not zero — particularly in networked environments.
- Check for unauthorized credit injection via the service menu or diagnostic port (quarterly).
- Verify coin counter increments match physical coin drops (monthly).
- Review high-score tables for anomalous entries that could indicate score manipulation (weekly).
- Inspect network cable runs for unauthorized taps (quarterly).
How to Use This Checklist Practically
Do not print this and hand it to a single staff member. The checklist has items at daily, weekly, monthly, and quarterly frequencies, and some items require technical tools. Here is how to operationalize it:
- Daily items: Assign to the shift supervisor. These require reading logs, not opening cabinets. Time required: 10-15 minutes per day.
- Weekly items: Assign to the venue manager. These require spreadsheet checks and basic machine menu navigation. Time required: 1-2 hours per week.
- Monthly items: Assign to your technician or distributor’s service tech. These require opening cabinets and using tools like bus scanners. Time required: 4-8 hours per month.
- Quarterly items: Schedule as a full-day maintenance event with your technician. Combine these checks with regular maintenance to reduce machine downtime. Time required: 1-2 days per quarter.
FAQ
Q: My machines are different brands. Does this checklist work for all brands?
A: The checklist is organized by machine category, not by brand, because the attack vectors are category-specific. The specific component names and menu paths will vary by brand, but the underlying security concern — I2C bus integrity, payout cycle verification, firmware authenticity — is universal across manufacturers.
Q: What is the single highest-return item on this checklist?
A: For fish tables, the I2C bus scan. For slots, the RNG distribution test. For all other machines, the door-open sensor log review. These three checks together surface roughly 80 percent of the hardware-based exploits I encounter.
Q: I do not have a technician on staff. Can I do these checks myself?
A: The daily and weekly items require no technical tools — just navigation through the machine’s service menu and a spreadsheet. The monthly and quarterly items require opening cabinets and using equipment like a bus scanner or multimeter. If you do not have a technician, schedule a monthly visit from your distributor’s service technician and batch all monthly and quarterly items into that single visit.
What to Do Next
Start with your highest-value machine type — almost certainly your fish tables. Run the daily and weekly items on the fish table checklist this week. The daily items (player balance reconciliation, coin-in tracking) take 15 minutes per machine. The weekly items (firmware hash, player account audit) take 30 minutes per machine. These checks alone will tell you whether your fish tables are currently compromised. If you find anomalies, escalate to the monthly items (I2C scan, hardware inspection) this week rather than waiting for the scheduled maintenance cycle.
Q: I operate machines across multiple categories. How do I not miss anything?
A: Divide your venue into five zones — one for each machine category. Walk each zone on a fixed rotation: Monday is fish table day, Tuesday is slot day, Wednesday is ticket/redemption day, Thursday is crane day, and Friday is a verification pass across the entire floor. This rotation prevents the problem of focusing all your attention on one machine type while letting problems develop in others. Use a printed checklist for each zone, check off items as they are completed, and file the completed checklists. Over time, these checklists become your historical record — and if revenue ever drops, you can look back at your completed checklists to determine exactly when your machines were last verified clean.
Category-specific high-priority warnings:
- For fish tables, if the I2C bus scan reveals an address at 0x6F, 0x7A, or 0x3D that is not in the manufacturer device map, you have an interposer.
- For slot machines, RNG output deviating more than 2 percent from expected in a 500-round sample means either the RNG hardware is failing or it has been modified.
- For ticket games, if total weekly ticket issuance is rising while coin-in is flat or declining, someone is generating tickets without paying for them.
- For crane machines, if the grip voltage is changed from factory spec and the change is not documented, assume deliberate tampering.
- For racing games, any high-score entry that exceeds the previous top score by more than 30 percent in a single session is almost certainly the result of exploit tooling rather than skill improvement.
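The I2C bus scan from the fish table checklist and the interposer warning above, as an added example that is not manufacturer tooling: it parses the address grid printed by the Linux `i2cdetect` utility and reports any responding address that is missing from the device map. The device map and the scan output are constructed for illustration; the real map comes from the manufacturer's documentation.

```python
import re

# Constructed device map (assumption); take the real one from the manufacturer.
DEVICE_MAP = {0x20: "button panel expander", 0x48: "coin acceptor interface",
              0x50: "configuration EEPROM", 0x68: "real-time clock"}

# Constructed `i2cdetect -y 1` output: 0x3d answers but is not in the map.
SAMPLE_SCAN = """\
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:                         -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: 20 -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- 3d -- --
40: -- -- -- -- -- -- -- -- 48 -- -- -- -- -- -- --
50: 50 -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- UU -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
"""

def parse_i2cdetect(text):
    """Return the set of 7-bit addresses that responded in an i2cdetect grid."""
    found = set()
    for line in text.splitlines():
        row = re.match(r"^([0-7])0:", line)
        if not row:
            continue  # column header or unrelated output
        base = int(row.group(1)) << 4
        for col in range(16):
            cell = line[4 + 3 * col: 6 + 3 * col]
            # A hex pair is a responder; "UU" is an address held by a kernel
            # driver. "--" (no answer) and blanks (not probed) are skipped.
            if re.fullmatch(r"[0-9a-f]{2}|UU", cell):
                found.add(base + col)
    return found

def audit_bus(scan_text, device_map):
    """Compare a scan with the device map; both result lists need follow-up."""
    present = parse_i2cdetect(scan_text)
    expected = set(device_map)
    return {"unexpected": sorted(present - expected),   # possible interposer
            "missing": sorted(expected - present)}      # removed or replaced part

if __name__ == "__main__":
    result = audit_bus(SAMPLE_SCAN, DEVICE_MAP)
    print("unexpected:", [hex(a) for a in result["unexpected"]])
    print("missing:", [hex(a) for a in result["missing"]])
```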