How to Block Unauthorized Signals in Gaming Machines

In April 2021, I conducted a signal audit at an arcade in Manila. Using a spectrum analyzer, I detected a persistent 433.92 MHz signal centered on one particular jackpot machine. The signal pulsed in a pattern that exactly matched the credit-insertion data packet format for that machine model. Somebody was broadcasting credit commands into the machine from a distance. The machine had been in operation for three years. The credit-to-cash mismatch over that period, based on the operator’s records, suggested approximately $47,000 in unauthorized credits had been injected. A $60 transmitter had extracted $47,000. This article covers everything I have learned about blocking unauthorized signals: the technical methods that work, the devices that provide protection, and the environmental measures that make signal attacks unviable in your venue.

The Problem: Machines That Trust Everything They Hear

Gaming machines are designed around a fundamental assumption: that every signal arriving at the mainboard through the communication bus originated from a legitimate peripheral component inside the machine. The coin mechanism signals the mainboard when a coin is accepted. The bill validator signals when a bill is inserted. The button panel signals when a button is pressed. The mainboard receives these signals and acts on them. It does not verify that the signal actually came from the coin mechanism. It does not authenticate the signal source. It does not check whether the signal makes sense in context — for example, whether the coin mechanism could physically have triggered 50 times in one second. It simply accepts and executes.

This trust architecture was reasonable when the machine was designed. The components were inside a locked cabinet. There was no radio communication to inject interference. The only way to send a signal to the mainboard was to physically press a button or insert a coin. The designers correctly assumed that physical access to the internal wiring was unlikely and that anyone who had physical access could have taken the cash directly instead of manipulating signals. The design was secure in its context.

The context has changed. Radio frequency technology has advanced while decreasing in cost. Software-defined radios that can generate any signal pattern at any frequency cost under $200. Protocol analyzers that can decode a machine’s communication pattern from its electromagnetic emissions are available as open-source software running on $20 USB dongles. The trust architecture that was secure twenty years ago is a vulnerability today. The machine will accept any signal that looks like a legitimate peripheral command, and attackers know how to generate those signals.

Methods for Blocking Unauthorized Signals

There are three categories of signal blocking methods, each addressing a different aspect of the signal injection problem. The most effective approach combines multiple methods.

Method 1: Electrical signal blocking at the bus level. This is the most direct and most effective method. An external bus monitoring device connects to the machine’s communication ports and monitors every signal traveling on the communication bus. The device learns the electrical characteristics of each legitimate peripheral — the specific voltage rise time, current draw, impedance, and timing pattern that identifies the coin mechanism, the bill validator, the button panel, and every other connected component. Every incoming signal is compared to this fingerprint database. If the signal’s electrical fingerprint matches a known legitimate peripheral, it passes through. If it does not match — which is the case for injected signals, which have different electrical characteristics because they originate from a transmitter, not from a wired peripheral — the signal is blocked.

This method works because injected signals are electrically different from legitimate signals. A transmitter broadcasting into the air produces a signal with different voltage levels, different rise times, different noise characteristics, and different impedance than a signal generated by a physical component connected through a wire. The bus monitor detects these differences regardless of whether the data content of the injected signal is perfectly correct. The attacker could replicate the exact command packet structure and the monitor would still block it because the packet came from a source with the wrong electrical fingerprint. This is signal-level protection, which is more fundamental than data-level protection.

Method 2: RF shielding and attenuation. Physical shielding reduces the signal strength that reaches the machine’s wiring. A conductive enclosure — typically a metal-lined box or fabric layer wrapped around the machine’s electronics compartment — reflects external RF energy and conducts it to ground rather than allowing it to couple into the machine’s wiring. The effectiveness of shielding is measured in decibels of attenuation. A 30 dB shield reduces the signal strength reaching the machine’s wiring by a factor of 1,000. This means that an attacker who could previously inject signals from 30 meters away with a given transmitter power now needs to be within 1 meter. A 60 dB shield reduces the signal strength by a factor of 1,000,000, making injection virtually impossible with any portable transmitter.

Shielding is effective but has practical limitations. It adds bulk to the machine. It requires ventilation to prevent heat buildup. It may interfere with legitimate wireless accessories like Bluetooth connectivity for ticket printers or diagnostic tools. And it does not protect against conducted interference through accessible ports. For these reasons, shielding is best used as a supplementary measure on high-value machines combined with bus monitoring for comprehensive coverage.

Method 3: Environmental signal detection and jamming. RF environment monitoring systems continuously scan the airspace around your machines and detect unauthorized signals before they affect machine operation. When the system detects a signal that matches known attack patterns — on common attack frequencies like 433 MHz, 868 MHz, or 2.4 GHz — it can trigger one of several responses: alert via audible alarm, alert via notification to the operator’s phone, activate higher-resolution recording on nearby cameras, or activate localized signal jamming on the detected frequency to disrupt the attack signal.

Jamming is the most aggressive response and carries legal risks in some jurisdictions. Before deploying active jamming, verify that it is legal in your country and venue type. Passive RF monitoring — scanning and alerting without jamming — is legal in most jurisdictions and still provides value by alerting you to an active attack in progress. Our security guide covers legal considerations for jamming.

Implementation: Building Your Signal Blocking System

Here is the practical implementation sequence I recommend for most venues.

Step 1: Install external bus monitors on all machines. This provides immediate, automatic signal blocking at the bus level. The monitors handle RF injection, conducted interference, and protocol spoofing. Installation takes 10 minutes per machine. Protection activates after 24-48 hours of learning. This single step stops the vast majority of unauthorized signal attacks.

Step 2: Perform a baseline RF survey of your venue. Use a spectrum analyzer to document the normal electromagnetic environment. Record the frequencies present, their signal strengths, and their sources if identifiable. Update this survey annually or whenever new electronic equipment is installed in the venue. The baseline enables you to identify new signals that may indicate attack activity.

Step 3: For high-value machines, add RF shielding on the electronics compartment. This provides defense-in-depth: if an attacker develops a method that bypasses the bus monitor, the shielding provides a second layer of protection that the method must also bypass.

Step 4: Implement continuous RF environment monitoring with automated alerts. This catches attacks that target machines not yet equipped with bus monitors or that exploit vulnerabilities in the bus monitors themselves.

Frequently Asked Questions

Can I use aluminum foil as cheap RF shielding?

Aluminum foil provides approximately 10-15 dB of attenuation when properly grounded, which is better than nothing but far less than commercial shielding materials. It also creates a fire hazard if it contacts live components and a short-circuit hazard if it contacts multiple exposed pins simultaneously. I do not recommend aluminum foil as a shielding solution. Use commercial shielding fabric, metal enclosure liners, or shielding paint designed for electronics applications.

How do I know if a bus monitor is actually working?

Check the device status indicator daily. Green means normal monitoring. Amber means an anomaly was detected and blocked — this is the confirmation that the device is working. If you have never seen an amber indicator after several weeks of operation, check your credit-to-cash reconciliation. If reconciliation is clean, the device may be working perfectly in an environment with no attacks. If reconciliation shows discrepancies over 3%, the device may not be providing the expected coverage — check the installation and confirm the machine’s communication bus is fully accessible through the connected port.

Can unauthorized signals come from inside the venue WiFi network?

Yes. If your gaming machines are networked, an attacker who has access to your WiFi network can inject commands through the network that appear to originate from the central server. This is not a radio frequency attack — it is a network attack. The countermeasure is network isolation: place gaming machines on a separate VLAN with MAC address filtering and strict firewall rules. External bus monitoring provides additional protection by blocking any unauthorized command regardless of whether it arrived through the network or through RF injection.

Stop the Signals Before They Stop You

Unauthorized signal injection is the single most common cheating method in modern arcades because the equipment is cheap, the techniques are well-documented, and unprotected machines are defenseless against it. The $47,000 case in Manila is not unusual. I have documented similar cases in Thailand, Malaysia, the Philippines, Cambodia, Vietnam, Mexico, Brazil, and Eastern Europe. In every case, a device costing under $100 was used to extract tens of thousands of dollars over months or years. The protection technology exists. It costs less than the revenue it protects. It takes 10 minutes per machine to install. The only question is whether you install it before or after the next incident. My recommendation: before.