How to Prevent Signal Attacks on Machines: Types, Detection, and Defense
Signal attacks are the most common method of electronic cheating on gaming machines. An attacker uses wireless signals to command the machine’s credits, payouts, and game state — all without touching the machine. Preventing signal attacks requires understanding the different attack types, detecting them when they occur, and deploying defenses that block each type. This guide covers the complete signal attack prevention framework.
Signal Attack Types
Not all signal attacks are the same. Knowing the attack type determines the correct defense.
Type 1: Credit injection (most common, ~50% of signal attacks). The attacker injects signals that command the machine to add credits as if bills were inserted. The machine adds credits without payment. The attacker plays with free credits or accumulates credits and asks staff to cash out (“I’ve been playing for hours, I want to cash out my winnings”). Signature: credit counter increases without corresponding cash insertion. Detection: daily reconciliation (cash vs credits) shows persistent gap.
Type 2: Payout trigger (~25% of attacks). The attacker injects a payout command — the same signal that the mainboard sends to the hopper or ticket printer when a legitimate win occurs. The machine pays out without a winning game outcome. The attacker collects and leaves. Signature: cash hopper empties or ticket printer issues tickets without corresponding winning game events. Detection: machine pays out but payout log shows no win trigger, or hopper requires refilling too frequently.
Type 3: Game state manipulation (~15% of attacks). The attacker alters game state during play — changes a losing outcome to a winner, modifies the payout amount upward, or triggers bonus rounds prematurely. The manipulation occurs after the game is played but before the result is recorded. Signature: player appears to win on outcomes that should be losing, or collects bonuses that should not have been triggered. Detection: win rate analysis shows impossible results for that machine’s programmed probabilities.
Type 4: Log suppression (~5% of attacks). The attacker injects signals that suppress or alter the machine’s logging. Wins are not recorded, or losses are recorded as wins to make the overall statistics appear normal. This is a sophistication upgrade — the attacker is covering their tracks. Signature: gap between observed play and logged play. Detection: manual observation tally vs machine log comparison.
Type 5: Denial of service (~5% of attacks). The attacker floods the communication bus with garbage signals, overwhelming the mainboard and causing a crash or reboot. The purpose is not to steal credits but to: disrupt competitor operations (if the attacker operates a nearby venue), create chaos as cover for a physical attack (staff distracted by crashing machines), or extort the operator (“pay me and the crashes stop”). Signature: specific machines crash repeatedly at specific times. Detection: crash pattern analysis — random failures are hardware; scheduled failures are attacks.
Detecting Signal Attacks
Without bus monitors (indicators): Daily reconciliation gap of >3%, specific players with abnormally high win rates, payout frequency exceeding expected rate, machines crashing at predictable times, and revenue dropping below the machine’s historical band.
With bus monitors (definitive): The bus monitor’s log shows every blocked attack: signal type (credit injection, payout trigger, game state manipulation, log suppression, or DoS), timestamp, and signal characteristics. Cross-referencing blocked attack timestamps with camera footage definitively identifies the attacker.
Preventing Signal Attacks
Core defense: Bus monitoring device with electrical fingerprint authentication.
The device connects to the machine’s communication bus. During a 24-48 hour learning period, it observes all bus signals and builds a fingerprint database of legitimate peripherals. After learning, the device enters active protection — every signal is validated against the fingerprint database. Signals matching known peripherals pass through. All other signals (attacks) are blocked.
Why this blocks all five attack types:
- Credit injection signals: Unknown fingerprint → blocked.
- Payout trigger signals: Unknown fingerprint → blocked.
- Game state manipulation signals: Unknown fingerprint → blocked.
- Log suppression signals: Unknown fingerprint → blocked.
- DoS flood signals: Unknown fingerprint → blocked (each individual signal is blocked; the flood never reaches the mainboard).
The fingerprint authentication is the universal defense — it blocks all attack types because they all share one characteristic: the signal source is not a legitimate peripheral, so the fingerprint does not match.
Deployment: One device per machine. Cost: $150-300 per machine. Installation: 5-15 minutes per machine. Learning: 24-48 hours unattended. Maintenance: daily LED check (5 seconds per machine), weekly log review (30 minutes for 20 machines), quarterly firmware update (5 minutes per device).
Results Timeline
Day 1-2: Devices installed, learning in progress (LED amber). Signal attacks may still succeed during learning.
Day 3-7: Devices enter active protection (LED green). Logs begin showing blocked attacks. Attackers still active but being blocked.
Day 8-14: Blocked attack count starts decreasing. Attackers realize the machines are protected and reduce attempts.
Day 15-30: Blocked attacks near zero. Revenue stabilizes at the expected level. Reconciliation gap closes. The signal attack problem is solved.
Supplementary Defenses
Bus monitors are the core defense, but supplementary measures strengthen overall protection:
- RF scanner: Monitors venue-wide RF spectrum. Alerts on new or unusual signals before they target specific machines. Provides early warning of new attackers scouting the venue.
- Signal-blocking cabinet paint: Some machines can be painted with conductive paint inside the cabinet to reduce signal coupling. This is a research-level measure, not widely deployed. Bus monitors are more effective and simpler.
- Machine spacing: Position machines with at least 50cm between cabinets. Closely packed machines make signal coupling easier (signals couple into adjacent machines). Spacing reduces this coupling.
Common Questions
Can signal attacks be prevented without buying devices?
No. Signal attacks are electronic — you need electronic defense. There is no procedural or physical alternative that blocks wireless signals from coupling into the communication bus. Faraday cages, RF jammers, and software filtering have all been tried and all fail (see our article on blocking external signals for details). Bus monitoring devices are the only reliable solution.
What if new attack types emerge that the bus monitor does not recognize?
New attack types use the same mechanism (wireless signals coupling into the bus) as known attack types. The fingerprint authentication does not need to recognize the attack type — it only needs to recognize that the signal source is not a legitimate peripheral. If the attacker develops a new signal type that somehow mimics a legitimate peripheral’s electrical fingerprint, the bus monitor vendor releases a firmware update to address it. Report any new patterns in the logs to the vendor.
How many signal attacks can one device handle simultaneously?
Effectively unlimited. The device validates signals at microsecond latency. Even a DoS flood of thousands of signals per second is processed individually, each signal validated and blocked. The mainboard never receives any blocked signal.
Our guide includes signal attack type reference cards and incident response procedures.
Prevent the Signals. Stop the Attacks.
Signal attacks are the #1 method of electronic cheating, but they are also the most preventable. Deploy bus monitoring devices on all machines. The devices will block credit injection, payout triggers, game state manipulation, log suppression, and denial of service attacks — all five attack types, one device per machine. Prevent the signals. Stop the attacks. Protect your revenue.