Gaming Machine Seems to Be Controlled Externally: Signs and What to Check First
The most disturbing observation a venue operator can make is a machine that appears to be moving or operating on its own: the reels spinning when no one is at the machine, the payout mechanism activating when no payout was won, or the machine lights changing in a pattern that suggests it is receiving commands from somewhere. The operator's first instinct is to question their own perception: “Did I really see that?” But the perception is usually correct. External control of gaming machines is a real and documented form of attack. The control can be through RF signals, through a device connected to the diagnostic port, or through malware that has been installed on the machine. Each control method has specific signs. A bus-monitoring device can confirm the control by recording the control signals as they enter the bus and identifying the control method. This article describes the signs of external control, the step-by-step diagnostic checklist, and how to respond.
Sign 1: Unprompted Machine Activity
The most obvious sign of external control is machine activity that occurs without any player interaction. The reels spin, the lights flash in a pattern, the hopper dispenses coins, or the display shows a test screen — all without a player touching the machine. The activity may be a single event lasting a few seconds, or it may be a sequence of events lasting several minutes. The activity is the machine responding to external commands. The commands are being sent through the bus, and the machine is executing them as if they were internal commands.
Unprompted activity has two possible explanations. Explanation 1 — the machine has a software bug that causes spontaneous activity. This is rare but possible. The bug would typically manifest as a specific, repeatable pattern — for example, the reels spinning at exactly 4 AM every day when the machine does a self-test. The pattern is consistent and predictable. Explanation 2 — the machine is being controlled externally. The pattern is irregular and unpredictable — the machine activates at different times, for different durations, with different activity patterns. The irregularity is the key indicator of external control. A machine that activates at exactly midnight every night is running a scheduled maintenance task. A machine that activates at 2:34 AM on Tuesday and at 9:12 PM on Thursday is being controlled externally.
The bus-monitoring device records every bus event that causes machine activity. If the device log shows a command arriving on the bus at the exact time of the unprompted activity, the command is the cause. The device log identifies the bus line that carried the command, the command type, and the command timing. The bus line indicates the attack vector: a command on the diagnostic port line suggests a device connected to the port, a command on the coin acceptor line suggests a signal injected through the coin acceptor cable, and a command on the mainboard bus suggests an internal device installed on the bus. The bus line identification is the diagnostic key. It tells you where to look for the control device.
Sign 2: Patterned Activation Times
External control often follows a pattern because the attacker is following their own schedule. The attacker activates the control device at times when they are at the venue (to collect the extracted credits), when the venue is less supervised (to avoid detection), or when the machine's activity is less noticeable (during busy periods when the activity blends in). The pattern may be daily (same time every day), weekly (same day of the week), or event-driven (when a specific staff member is on duty). The pattern is visible in the bus log as clusters of anomalous command events at specific times. The pattern reveals the attacker's schedule and provides the opportunity for intervention: the venue manager can position security resources during the attack times.
The patterned activation times should be documented in a timeline. Plot the date and time of each unprompted activity event on a timeline. The timeline reveals the pattern: all events occur on weekdays, or all events occur between 2 PM and 4 PM, or all events occur when a specific staff member is on duty. The pattern is the evidence of the attacker's schedule. The pattern also enables predicting the next attack event. The manager can position security resources at the predicted time to catch the attacker in the act. The prediction is based on the historical pattern. The prediction accuracy improves as more events are recorded. After 10 to 20 events, the pattern is usually clear enough to predict the next event with high confidence.
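The timeline analysis described in Sign 1 and Sign 2, as an added example that is not part of the original article: it separates a fixed-time self-test from irregular activations and tallies events by weekday and hour. The sample timestamps are constructed, and the 0.99 consistency threshold is an assumed cut-off.

```python
import math
from collections import Counter
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample timelines (not real incident data).
SELF_TEST = ["2024-03-04 04:00", "2024-03-05 04:00",
             "2024-03-06 04:01", "2024-03-07 04:00"]
SUSPECT = ["2024-03-05 02:34", "2024-03-07 21:12", "2024-03-12 14:40",
           "2024-03-14 15:05", "2024-03-19 14:55", "2024-03-21 03:20"]

def parse(stamps):
    return sorted(datetime.strptime(s, "%Y-%m-%d %H:%M") for s in stamps)

def time_of_day_consistency(events):
    """Mean resultant length of the clock time on a 24-hour circle.

    1.0 means every event happens at the same time of day; values near 0
    mean the times are spread around the clock. Working on a circle keeps
    23:59 and 00:01 close together.
    """
    angles = [2 * math.pi * (e.hour * 60 + e.minute) / 1440 for e in events]
    c = sum(math.cos(a) for a in angles) / len(angles)
    s = sum(math.sin(a) for a in angles) / len(angles)
    return math.hypot(c, s)

def classify(stamps, threshold=0.99):  # threshold is an assumed cut-off
    r = time_of_day_consistency(parse(stamps))
    return "scheduled" if r >= threshold else "irregular"

def timeline_summary(stamps):
    """Counts per weekday and per hour, the clusters the timeline should show."""
    events = parse(stamps)
    return {
        "by_weekday": dict(Counter(DAYS[e.weekday()] for e in events)),
        "by_hour": dict(Counter(e.hour for e in events)),
    }

if __name__ == "__main__":
    for name, data in (("SELF_TEST", SELF_TEST), ("SUSPECT", SUSPECT)):
        print(name, classify(data), timeline_summary(data))
```

With only six constructed events the weekday cluster is already visible; the article's 10 to 20 events give the hour-of-day counts enough weight to be useful.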
The Systematic Diagnostic Checklist
When you suspect external control, follow this checklist in order. The checklist is designed to identify the control method and the control device as quickly as possible, minimizing the time the machine is under external control.
Step 1: Install a bus-monitoring device on the affected machine immediately. The device records the control signals and identifies the bus line where they are appearing. The device provides the core diagnostic data. Do not attempt diagnosis without the device. Diagnosis without bus data is guesswork. The device's cost (approximately 100 dollars) is justified by the speed of diagnosis compared to days of trial-and-error investigation.
Step 2 — Check the diagnostic port. Is the port cover in place and undamaged? Is there an unfamiliar device plugged into the port? Is there a cable connected to the port that leads to a hidden device? If the port shows signs of unauthorized access, the control method is likely a device connected to the port. Photograph the port, remove any unauthorized devices, and install a locking port cover.
Step 3: Check the machine's internal wiring. Open the machine cabinet and inspect the wiring harness. Look for unauthorized devices connected to the bus: small circuit boards, RF receivers, or spliced cables that lead to external devices. Unauthorized internal devices are often hidden behind the mainboard, inside the power supply compartment, or under the coin hopper. The device may be small; a circuit board the size of a fingernail is sufficient to inject control signals. The inspection should be performed by a technician who knows the machine's wiring and can distinguish between original components and unauthorized additions. Photograph any unauthorized devices, remove them, and preserve them as evidence.
Step 4 — Check the RF environment. Use an RF spectrum analyzer to scan the frequency range around the machine. Look for strong, narrowband signals that are not from known sources — the machine power supply, the venue Wi-Fi, or the venue entertainment systems. A strong signal at 433 MHz, 868 MHz, or 915 MHz is a common RF injection frequency. Walk around the venue with the spectrum analyzer to locate the signal source — it may be a transmitter left in the venue by the attacker. If a transmitter is found, photograph it, record its location, and contact law enforcement if the power level indicates the transmitter is being operated by someone outside the venue. Do not touch the transmitter — it may be monitored by the attacker, and touching it will alert them that you have discovered it.
Step 5: Check the machine firmware. Compare the firmware checksum against the manufacturer's checksum. If the checksums do not match, the firmware has been modified. The modified firmware may include remote control functionality that does not require an external device: the machine is controlled through its own firmware by commands sent over the network. Modified firmware is a serious security incident that requires the manufacturer's involvement for forensic analysis and firmware restoration.
Step 6 — Review the bus log data. The device log recorded the control signals. Analyze the log to understand: the bus line on which the signals appeared (identifies the attack vector), the signal type (identifies the attack method), the signal timing (identifies the attacker schedule), and the signal payload (identifies what the attacker was trying to do — extract credits, change configuration, or trigger payouts). The log analysis is the comprehensive diagnostic. It tells you everything you need to know about the external control attempt.
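The log review in Step 6 combined with the bus-line mapping from Sign 1, as an added example that is not the article's or any device vendor's code: it matches each observed unprompted activity to a bus command logged just before it. The "timestamp line command" log format, the line and command names, and the 5-second window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Where to look first for each bus line (mapping taken from the article).
VECTOR = {
    "DIAG_PORT": "device connected to the diagnostic port",
    "COIN_ACCEPTOR": "signal injected through the coin acceptor cable",
    "MAINBOARD": "internal device installed on the bus",
    "NETWORK": "commands arriving through the network interface",
}

# Constructed log in a hypothetical "timestamp line command" format.
BUS_LOG = """\
2024-03-05T02:33:58 DIAG_PORT REEL_SPIN
2024-03-07T21:11:59 DIAG_PORT HOPPER_PAY
garbled line that the parser must skip
2024-03-09T11:00:00 MAINBOARD LAMP_TEST
"""
# Constructed times at which staff saw unprompted activity.
ACTIVITY = ["2024-03-05T02:34:00", "2024-03-06T04:00:00", "2024-03-07T21:12:00"]

def parse_log(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        try:
            rows.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
        except ValueError:
            continue  # unparseable timestamp
    return rows

def correlate(activity, rows, window_s=5):
    """Pair each activity with the latest command in the window_s seconds before it."""
    window = timedelta(seconds=window_s)
    findings = []
    for stamp in activity:
        seen = datetime.fromisoformat(stamp)
        hits = [r for r in rows if timedelta(0) <= seen - r[0] <= window]
        if hits:
            _, bus_line, command = max(hits)
            where = VECTOR.get(bus_line, "unknown line, inspect manually")
            findings.append((stamp, "external control", bus_line, command, where))
        else:
            findings.append((stamp, "no bus command: suspect software bug",
                             None, None, None))
    return findings

if __name__ == "__main__":
    for finding in correlate(ACTIVITY, parse_log(BUS_LOG)):
        print(finding)
```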
Responding to Confirmed External Control
When the diagnostic confirms external control, the response has two phases: immediate and permanent. The immediate response is to disconnect the machine from power and remove it from service. The machine is compromised and should not be operated until the control mechanism is removed and the machine is verified clean. The immediate response prevents further revenue loss while the permanent response is implemented.
The permanent response depends on the control method identified during the diagnostic. For a port-connected device: remove the device, install a locking port cover, and implement port access logging. For an internal device: remove the device, inspect all other machines for similar devices, and implement cabinet lock upgrades and tamper-evident seals. For an RF injection attack: identify and locate the transmitter, remove it or contact law enforcement, and install RF shielding on the affected machines. For modified firmware: restore the firmware from the manufacturer's backup, verify the checksum, and investigate how the modification was performed. Was it by a technician with unauthorized firmware, by an attacker with physical access, or by a network-based attack?
After the permanent response is implemented, verify the machine operation with the bus-monitoring device. The device log should show no control signals for at least 48 hours of operation. The 48-hour verification period confirms that the control mechanism has been completely removed. If control signals continue to appear after the response, the control mechanism was not fully removed or a secondary control mechanism exists. Repeat the diagnostic with the updated bus log data to identify the remaining control mechanism. The iterative approach — diagnose, respond, verify, re-diagnose if necessary — ensures that the external control is completely eliminated.
Frequently Asked Questions
How can I tell the difference between external control and a machine software bug?
Software bugs produce consistent, repeatable activity patterns: the same activity at the same time or under the same conditions. External control produces irregular, unpredictable patterns: different activities at different times with no apparent trigger. The bus log confirms the difference. Software bugs do not produce command signals on the bus (the activity originates from the software, not from a bus signal). External control produces command signals on the bus (the activity is triggered by a bus signal that the device log records). The presence or absence of command signals in the device log is the definitive distinction. No command signal = software bug. Command signal present = external control.
What if the external control is coming from inside the venue through the Wi-Fi network?
This is possible if the machine is connected to the venue network and the control commands can be sent over the network. The network-based control would appear in the device log as commands arriving through the network interface, not through the diagnostic port. The device log would show the network interface receiving unusual traffic, for example commands to the machine configuration interface or the machine game control interface. The network logs from the venue router or firewall would show the source IP address of the control commands. The IP address can be traced to the specific device that sent the commands, for example a staff member's phone or a public terminal in the venue. The network investigation requires the cooperation of the venue IT staff. The bus-monitoring device provides the machine-side evidence. The network logs provide the network-side evidence. Together, they identify the source of the network-based control.
Can the bus monitor prevent external control, or can it only detect it?
The bus monitor can both detect and block external control. The device detects control signals as they arrive on the bus (detection) and blocks them from reaching the machine processor (prevention). The detection and the prevention occur simultaneously: the device blocks the signal as soon as it detects it. The device log records the blocked signal while the machine never sees the signal. The detection function provides the evidence for investigation. The prevention function protects the machine operation. The device is the complete solution for external control: it stops the control from affecting the machine, and it records the control attempt for investigation and response.