
How to Audit My Existing Arcade for Cheating Vulnerabilities Before Something Happens

In May 2024, an arcade owner in Mexico City contacted me with an unusual request. His venue had been operating for eight years without any detected cheating incidents. He wanted an audit — not because he suspected a problem, but because he had watched two competitors in his district close down in the previous year, both citing “revenue decline” as the cause. He wanted to know whether his own venue was vulnerable. Within two days of starting the audit, I identified three machines with non-factory firmware signatures, one machine with a diagnostic port that had been bridged to accept a continuous credit signal, and an audit log system that had been configured to overwrite its oldest entries every 72 hours — which meant that any tampering event older than three days was not just undetected, it was unrecoverable. None of these issues had been detected by the venue’s staff. The owner had not been losing money — yet. But his exposure was wide open.

This article describes the systematic audit methodology I use when walking into an unfamiliar arcade for the first time. It is designed for operators who do not have a security background but want to assess their exposure before an incident forces the issue.

Phase 1: Paperwork and Baseline Collection

Before you open a single cabinet, gather documentation. Without paper records, you have no reference point to detect changes.

Collect manufacturer documentation: For each machine model in your venue, obtain the factory firmware version, the expected board layout (a photo or schematic), the expected hash or checksum of the official firmware binary, and the manufacturer’s current firmware release number. If your machines are older than two years, some of this information may not be easily available. Contact your distributor or the manufacturer directly. Even partial documentation is better than none.

Build a machine inventory: List every machine by location, model, serial number, purchase date, and firmware version. Include the control board serial number separately from the cabinet serial number — they are often different and board swaps are a common tampering indicator.

Document current machine configuration: For each machine, record the current payout percentage setting, the current jackpot threshold, the current coin or credit denomination, and the current audit log retention period. These settings form the “known good” configuration. If any of them change without authorization, you have a lead.

In the Mexico City case, this phase revealed the first red flag: three machines had firmware versions that did not match the manufacturer’s release numbering scheme. The version strings followed the correct format, but the numeric values were outside the range of published releases. Someone had recompiled the firmware with a custom version string to make it look official. Without the manufacturer’s release history to compare against, this would have looked like a normal firmware version.

Phase 2: Physical Inspection

This is the most time-consuming phase but also the most revealing. You are looking for anything that does not belong inside the machine cabinet.

Open every machine cabinet. Yes, every one. Not a sample. Not “the ones that seem fine.” Tampered machines do not look different from the outside.

Inspect the main control board: Compare what you see against the manufacturer’s reference photo or schematic. Look for additional components soldered to the board. Look for wires that go somewhere other than to a labeled connector. Look for ICs (chips) with scratched-off markings. Look for programming headers (4-pin or 6-pin connectors often labeled ISP, JTAG, or DEBUG) that show signs of recent use — bright metal contacts, flux residue, or burn marks.

Trace the peripheral wiring: Follow every wire from the coin acceptor, the button panel, and the display back to the main board. Any component in that path that is not part of the factory wiring harness is suspicious. This includes small PCBs zip-tied to the harness, wires that deviate from their expected route, and connectors that have been resoldered.

Check for non-factory firmware storage: Most arcade machines store firmware on a socketed EEPROM or flash chip. Check whether each chip’s markings and physical appearance match the manufacturer’s specifications. A chip that has been recently removed and reinserted will show minor scratches on the socket contacts and possibly excess solder on the pins. If the chip is a different brand or package type than expected, it has been replaced.

Inspect communication ports: RS-232, RS-485, USB, and Ethernet ports that are not in use should be physically disabled or monitored. Unused ports are common entry points for exploit devices. In Brazil, I have seen attackers use the RS-232 service port to flash modified firmware because many arcade manufacturers leave these ports enabled for technician access and never disable them after factory testing.

Phase 3: Electronic Verification

After physical inspection, you need to verify what the electronics are actually doing — not what the service menu reports.

Firmware checksum verification: If your manufacturer provides a firmware hash or checksum, dump the current firmware from each machine and compare it. This requires connecting a programmer or debugger to the firmware chip and extracting its contents — a task your distributor’s service technician can perform. If the checksum does not match the factory reference, the firmware has been modified.
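The checksum comparison above, combined with the Phase 1 check of the reported version against the release history, as an added example that is not part of the original article. The model name, version strings and image contents are constructed; real reference hashes must come from the manufacturer.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed reference table. In practice the versions and SHA-256 values
# come from the manufacturer or distributor, never from the machine itself.
PUBLISHED = {
    "MODEL-A": {
        "2.1.0": hashlib.sha256(b"official image 2.1.0").hexdigest(),
        "2.2.0": hashlib.sha256(b"official image 2.2.0").hexdigest(),
    },
}

def sha256_file(path, chunk=65536):
    """Hash a firmware dump without loading it all into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_dump(model, reported_version, dump_path):
    """Return a list of findings; an empty list means the dump checks out."""
    releases = PUBLISHED.get(model)
    if releases is None:
        return ["no manufacturer reference for model " + model]
    findings = []
    actual = sha256_file(dump_path)
    expected = releases.get(reported_version)
    if expected is None:
        # Correct format but absent from the release history (the Phase 1 red flag).
        findings.append("version %s is not a published release" % reported_version)
        if actual not in releases.values():
            findings.append("dump matches no published image")
    elif actual != expected:
        findings.append("hash mismatch for version " + reported_version)
    return findings

def demo():
    # Two constructed dumps: an official image and a modified one.
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "m01.bin"), Path(tmp, "m02.bin")
        good.write_bytes(b"official image 2.1.0")
        bad.write_bytes(b"official image 2.1.0 + patch")
        return (verify_dump("MODEL-A", "2.1.0", good),
                verify_dump("MODEL-A", "7.4.1", bad))

if __name__ == "__main__":
    print(demo())
```

The version string is taken from the machine and the hash from the dump, so a recompiled image with a plausible version fails on both counts.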

Bus scan: Using an I2C/SPI bus scanner, enumerate all devices on the machine’s communication buses. Compare the result against the manufacturer’s expected device map. Additional devices, or devices at unexpected addresses, indicate hardware interposers or unauthorized peripherals.

Audit log review: Pull the last 90 days of audit logs from each machine. Look for service menu access events outside normal working hours, repeated service menu access on the same machine, configuration changes that were not documented, and abnormal payout events (jackpot triggers outside statistical norms).
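One way to automate the log review above, as an added example that is not part of the original article. The log line layout, event names, working hours, repeat limit and change register are assumptions, and the sample lines are constructed. It also reports when the export covers less than the 90-day window, which is how a short retention setting like the 72-hour overwrite in the Mexico City case would show up.

```python
from collections import Counter
from datetime import datetime, timedelta

OPEN_HOUR, CLOSE_HOUR = 10, 22   # assumed working hours (local time)
REPEAT_LIMIT = 3                 # assumed: service-menu opens per machine worth a look
REVIEW_DAYS = 90                 # review window named in the article

# Constructed export; the "timestamp machine event detail" layout is an assumption.
SAMPLE_LOG = """\
2024-05-18T11:05:00 M03 SERVICE_MENU_OPEN key=2
2024-05-18T11:07:30 M03 CONFIG_CHANGE payout_pct=62
2024-05-19T02:41:10 M07 SERVICE_MENU_OPEN key=5
2024-05-19T02:43:55 M07 CONFIG_CHANGE payout_pct=71
2024-05-19T15:20:00 M07 SERVICE_MENU_OPEN key=5
2024-05-20T16:02:00 M07 SERVICE_MENU_OPEN key=5
"""
# Constructed change register: (machine, date) pairs that staff documented.
DOCUMENTED = {("M03", "2024-05-18")}

def review(log_text, pulled_at, documented=DOCUMENTED):
    """Return (machine, finding, detail) tuples for one log export."""
    findings, opens, oldest = [], Counter(), None
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # skip blank or truncated lines
        ts = datetime.fromisoformat(parts[0])
        machine, event = parts[1], parts[2]
        oldest = ts if oldest is None else min(oldest, ts)
        if event == "SERVICE_MENU_OPEN":
            opens[machine] += 1
            if not OPEN_HOUR <= ts.hour < CLOSE_HOUR:
                findings.append((machine, "after-hours service access", parts[0]))
        elif event == "CONFIG_CHANGE":
            if (machine, ts.date().isoformat()) not in documented:
                findings.append((machine, "undocumented config change", parts[0]))
    for machine, count in opens.items():
        if count >= REPEAT_LIMIT:
            findings.append((machine, "repeated service access", str(count)))
    # A log that starts inside the window cannot show older tampering at all.
    covered = (pulled_at - oldest).days if oldest else 0
    if covered < REVIEW_DAYS:
        findings.append(("export", "log shorter than review window", str(covered)))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, datetime(2024, 5, 21, 9, 0)):
        print(finding)
```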

Payout statistical analysis: For each machine, compare the actual payout rate over the last 30 days against the configured target rate. A deviation beyond 10% in either direction suggests either misconfiguration or exploitation. This is particularly important because some exploits work not by triggering obvious jackpots, but by slightly improving the odds on every outcome — a 3% edge that generates consistent profit for the cheater without ever triggering an alert threshold.
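The comparison above as an added example, not code from the original article. It goes beyond the fixed 10% threshold by also running a simple z-test on daily rates, which is one way to surface the small, consistent edge the paragraph describes. Assumptions: the 10% limit is relative to the target, days are treated as independent, the cut-off of 3 is a chosen value, and all payout figures are constructed.

```python
from math import copysign, inf, sqrt
from statistics import mean, stdev

TOLERANCE = 0.10  # article's 10% limit, read here as relative to the target rate
Z_LIMIT = 3.0     # assumed cut-off for "drift is unlikely to be daily noise"

def analyse(target, daily_rates):
    """Compare daily payout rates (paid out / taken in) against the target."""
    if len(daily_rates) < 2:
        raise ValueError("need at least two days of data")
    avg = mean(daily_rates)
    rel_dev = (avg - target) / target
    stderr = stdev(daily_rates) / sqrt(len(daily_rates))
    if stderr == 0:
        # Identical rates every day: any offset from target is systematic.
        z = 0.0 if avg == target else copysign(inf, avg - target)
    else:
        z = (avg - target) / stderr
    return {
        "relative_deviation": rel_dev,
        "exceeds_tolerance": abs(rel_dev) > TOLERANCE,
        "z_score": z,
        "systematic_drift": abs(z) > Z_LIMIT,
    }

def constructed_month(centre, spread=0.015, days=30):
    """Constructed data: daily rates cycling evenly around `centre`."""
    return [centre + spread * ((day % 5) - 2) for day in range(days)]

TARGET = 0.60  # constructed configured payout rate
MACHINES = {
    "normal": constructed_month(0.60),
    "small_edge": constructed_month(0.618),    # centred 3% above target
    "misconfigured": constructed_month(0.70),  # well outside the 10% limit
}

def report():
    """Analyse every constructed machine against the same target."""
    return {name: analyse(TARGET, rates) for name, rates in MACHINES.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

The `small_edge` machine stays inside the 10% tolerance but is flagged by the drift test, because its daily rates sit consistently above target.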

Phase 4: Operational Process Audit

Physical and electronic security are only as good as the operational practices around them. Many vulnerabilities exist not in the machines but in how staff interact with them.

Cash handling procedures: Who collects cash from machines? Who counts it? Who enters the count into the accounting system? If the same person does all three, you have no fraud control. The person who opens the machine and removes the cash should not be the person who counts it, and the person who counts it should not be the person who enters the count into the books.

Service key management: How many people have access to the machine service keys? How are the keys stored? Is there a key sign-out log? A service key in the wrong hands provides full access to the machine’s configuration menu — including payout settings, calibration, and firmware update mode.

Firmware update procedure: Who performs firmware updates? How do they verify that the update file is legitimate (not modified)? Is the update file obtained directly from the manufacturer or from a third party? Where is the update file stored before installation? I have seen cases where a technician’s laptop contained modified firmware files that were indistinguishable from the official files except after a checksum comparison.

Incident response procedure: If a staff member suspects cheating, what do they do? Who do they tell? Is there a written procedure? Without a defined response path, staff either ignore suspicious behavior or handle it informally — neither outcome protects revenue.

FAQ

Q: How long should a full audit take for a 30-machine arcade?

A: Two to three days for the physical inspection phase (Phase 2), plus a day each for paperwork (Phase 1), electronic verification (Phase 3), and operational review (Phase 4). Total: roughly one working week. If you cannot allocate a full week, prioritize Phase 2 (physical inspection) and Phase 1 (documentation). These two phases alone will surface the majority of hardware-based vulnerabilities.

Q: What equipment do I need to perform the audit myself?

A: Phase 1 requires a notepad. Phase 2 requires a screwdriver, a flashlight, and ideally a magnifying glass or smartphone camera with macro mode. Phase 3 requires a USB bus scanner ($20 to $50 online) and a firmware programmer ($30 to $80). Your distributor’s technician may already have these tools. Phase 4 requires interviewing your staff and reviewing your procedural documentation. The total equipment investment for a DIY audit is under $150.

Q: What if I find something suspicious but cannot identify it?

A: Photograph it in detail. Send the photos to your distributor or manufacturer with a description of where the component was found and what it connects to. Even if you cannot identify the device, the photos create a record. If the device later disappears (removed by the person who installed it), you have evidence that it was there.

Q: How often should I repeat the audit?

A: A full physical inspection (Phase 2) should happen quarterly — every three months. A firmware verification and audit log review (Phase 3) should happen monthly. A configuration change review (Phase 1 documents, current configurations) should happen weekly. The weekly check takes 20 minutes per venue. The monthly check takes an afternoon. The physical inspection takes a weekend. These frequencies are based on the observed rate at which new exploits appear in the arcade security landscape.

Q: My machines are leased, not owned. Can I still audit them?

A: Check your lease agreement. Most lease agreements allow inspection for safety and security purposes. Frame the audit as preventative maintenance rather than suspicion of tampering — this is more likely to receive cooperation from the leasing company. If the lease prohibits opening cabinets, you can still perform Phase 1 and Phase 4 without opening anything, and Phase 3 can be partially performed through the machine’s service menu (firmware version check, audit log export, payout rate display).

What to Do Next

Start with Phase 1 this week. The documentation step requires no technical tools and no cabinet access — just a spreadsheet and a few hours of recording serial numbers, firmware versions, and configuration settings. This alone will surface discrepancies between what you think your machines are running and what they are actually running. If you find discrepancies, escalate to Phase 2 on the affected machines. If you find no discrepancies, schedule Phase 2 for the coming month. The goal of the audit is not to find problems — it is to confirm that you actually have the control you believe you have. Most operators I work with in Mexico and Brazil discover that their control is thinner than they assumed. Fixing that gap is less expensive than discovering it through a revenue loss event.
