Machine Profit Dropping Without Explanation After Checking Every Possible Cause
There is a point in every difficult machine diagnosis where the operator runs out of ideas. The technician has checked the components and found no faults. The staff have been interviewed and reported nothing unusual. The configuration has been verified against the manufacturer specifications. The CCTV has been reviewed for suspicious activity. The foot traffic data shows normal attendance. Every standard diagnostic step has been performed. The profit continues to drop. The operator is at a dead end. This dead end is where bus-level monitoring provides the breakthrough. The bus monitor records data that none of the standard diagnostics capture: the actual electrical signals on the machine bus, at microsecond resolution, independent of the machine internal recording systems. The bus data reveals activity that all other diagnostics miss — and that activity is almost always the cause of the unexplained profit drop. This article explains how bus monitoring breaks through the diagnostic dead end.
Why Standard Diagnostics Hit a Dead End
Standard diagnostics are designed around a specific model of machine operation. The model assumes that the machine processes legitimate inputs (player coin insertions, button presses, and game interactions) and produces legitimate outputs (game outcomes, credits, and payouts). The diagnostics check whether the machine is functioning according to this model. If the machine is processing inputs correctly and producing outputs correctly, the diagnostics report “Normal.” The model does not account for illegitimate inputs — signals that are injected onto the bus from external sources. The diagnostics do not check for illegitimate inputs because the diagnostics were not designed with security in mind. They were designed for maintenance. The model assumption — all inputs are legitimate — is the diagnostic failure point.
When the machine is under attack, it processes illegitimate inputs that the diagnostics cannot distinguish from legitimate inputs. The attacker injects a credit signal that looks identical to a legitimate coin insertion signal. The machine processes it. The diagnostic checks the coin acceptor hardware and the credit processing software and reports “Normal.” The diagnostic passes because the machine is functioning correctly — it is processing inputs. The diagnostic does not check whether the inputs are legitimate. The bus monitor does check, because it compares every signal against the learned baseline of legitimate signal characteristics. An injected credit signal that arrives on the diagnostic port line is flagged as illegitimate, however closely it resembles a legitimate coin insertion signal, because legitimate coin insertion signals arrive on the coin acceptor line, not the diagnostic port line. The bus monitor adds the source verification that the standard diagnostics lack. The source verification is the breakthrough.
The Bus Monitor as the Last-Resort Diagnostic
When all standard diagnostics have failed, install a bus monitor on the affected machine. The installation is the last-resort diagnostic step. The device records every bus event for a diagnostic period — typically one week of operation. The device log for the week is exported and analyzed. The analysis compares the device log against the machine log, the revenue data, and the environmental data for the same period. The comparison identifies the events that are in the device log but not in the machine log (injected events), the events that are in the machine log but not in the device log (deleted events), and the events where the machine log data differs from the device log data (modified events). Any of these discrepancies is a diagnostic finding that explains the profit drop.
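The comparison described above, together with the source-line check from the previous section, can be sketched as follows. This is an added example, not code from any bus monitor product; the record layout, the line names and the two sample logs are constructed assumptions.

```python
from collections import namedtuple

# Hypothetical record layout; real device and machine logs use their own formats.
Event = namedtuple("Event", "ts kind line amount")

# Assumed mapping of event kind to the bus line it legitimately arrives on.
EXPECTED_LINE = {"credit": "coin_acceptor", "payout": "hopper"}

def reconcile(device_log, machine_log, tolerance=2.0):
    """Pair same-kind events whose timestamps differ by at most `tolerance` seconds."""
    findings = {"injected": [], "deleted": [], "modified": [], "wrong_source": []}
    unmatched = sorted(machine_log, key=lambda e: e.ts)
    for dev in sorted(device_log, key=lambda e: e.ts):
        # Source verification: judge the line, not how legitimate the signal looks.
        if EXPECTED_LINE.get(dev.kind) not in (None, dev.line):
            findings["wrong_source"].append(dev)
        match = next((m for m in unmatched
                      if m.kind == dev.kind and abs(m.ts - dev.ts) <= tolerance), None)
        if match is None:
            findings["injected"].append(dev)       # on the bus, absent from machine log
            continue
        unmatched.remove(match)
        if match.amount != dev.amount:
            findings["modified"].append((dev, match))  # in both logs, data differs
    findings["deleted"] = unmatched                # in machine log only
    return findings

# Constructed sample data (seconds since start of capture, amounts in credits).
DEVICE_LOG = [
    Event(100.0, "credit", "coin_acceptor", 1),
    Event(160.0, "credit", "diagnostic_port", 10),  # machine logs it as a coin insertion
    Event(220.0, "payout", "diagnostic_port", 50),  # machine does not record it
    Event(300.0, "payout", "hopper", 20),
]
MACHINE_LOG = [
    Event(100.4, "credit", "coin_acceptor", 1),
    Event(160.3, "credit", "coin_acceptor", 10),
    Event(300.5, "payout", "hopper", 5),            # amount differs from the bus record
    Event(400.0, "credit", "coin_acceptor", 2),     # never seen on the bus
]

if __name__ == "__main__":
    for category, items in reconcile(DEVICE_LOG, MACHINE_LOG).items():
        print(category, items)
```

The time tolerance absorbs clock drift between the two recorders; an event that the machine logs as a normal coin insertion still shows up under `wrong_source` because the device log records which line carried it.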
In my experience, the bus monitor identifies the cause of the unexplained profit drop in over 80 percent of cases within the first week of monitoring. The cause is typically: credit injection through the diagnostic port (the attacker is injecting credits that the machine logs as legitimate coin insertions), unauthorized payouts through the diagnostic port (the attacker is commanding the hopper to dispense coins that the machine does not record as payouts), or counter manipulation (the attacker is modifying the machine counters to conceal the extracted credits from the revenue reconciliation). The bus log reveals the specific mechanism. The mechanism reveals the corrective action. The profit recovers after the corrective action is implemented.
In the remaining 20 percent of cases, the cause is not visible on the bus — for example, a network-based attack that modifies the machine log after it is transmitted to the backend, or a firmware-level attack that modifies the machine behavior without generating anomalous bus signals. For these cases, the bus monitor provides negative evidence — the absence of bus anomalies confirms that the problem is not at the bus level, directing the investigation to the network layer or the firmware layer. The negative evidence is valuable because it eliminates the bus-level hypotheses and focuses the investigation on the remaining possibilities. The investigation narrows with each eliminated hypothesis. The bus monitor eliminates the largest hypothesis category with a single week of data.
Case Study: The Unexplained 30 Percent Drop
I investigated a venue in Malaysia where a fish table machine had experienced a 30 percent profit drop over three months. The operator had checked everything: the game software version (correct), the payout percentage setting (correct), the component diagnostics (all normal), the staff (no changes), the player population (stable), and the CCTV footage (nothing suspicious). The manufacturer sent a technician who spent two days testing every component and found no faults. The operator was considering replacing the machine at a cost of 8,000 dollars.
I installed a bus monitor on the machine. Within 24 hours, the device log showed anomalous payout events occurring at irregular intervals — typically one payout event every 3 to 4 hours, each for approximately 50 dollars. The payouts were triggered by a signal on the diagnostic port line. The signal was an RF injection — an external transmitter was sending payout commands that the machine bus was receiving through the diagnostic port cable acting as an antenna. The transmitter was being operated by someone outside the venue. The injection was intermittent because the attacker was transmitting only when the venue was busy and the activity would not be noticed. The intermittent nature explained why the operator had never observed the payouts: they occurred during peak hours when the operator was distracted by other tasks.
The bus log provided the evidence: the anomalous payout events, the diagnostic port line as the source, and the specific timing pattern. The corrective action was to install RF shielding on the diagnostic port cable and to add a bus protection device that blocks unauthorized signals on the diagnostic port line. The corrective action cost approximately 120 dollars. The machine profit returned to normal within one week. The operator saved 7,880 dollars by not replacing the machine. The machine was fine; it was being attacked. The bus monitor had diagnosed the attack in 24 hours, after the manufacturer and the operator had spent months trying to diagnose it with standard methods.
Implementing the Last-Resort Diagnostic Protocol
Every venue should have a documented last-resort diagnostic protocol for unexplained profit drops. The protocol should specify: the criteria for activating the protocol (profit drop exceeding X percent for Y weeks, after all standard diagnostics have been exhausted), the diagnostic steps (install bus monitor, collect data for one week, analyze the bus log, compare against machine log and revenue data), the responsible staff member (venue manager or external consultant), and the escalation procedure (if the bus monitor does not identify the cause, escalate to the manufacturer for firmware-level analysis). The protocol ensures that unexplained profit drops are addressed systematically rather than by ad-hoc guessing. The protocol also ensures that the bus monitor is used before the expensive and disruptive step of machine replacement.
The protocol should include the bus monitor as a standard diagnostic tool, not an exotic last resort. The bus monitor should be available in the venue maintenance inventory, just like a multimeter or a diagnostic tablet. When a machine shows an unexplained profit drop, the technician connects the bus monitor as one of the first diagnostic steps, not the last. The earlier the bus monitor is connected, the sooner the cause is diagnosed and the less revenue is lost while waiting for the diagnosis. The protocol should reflect this: connect the bus monitor on day 1 of an unexplained profit drop, not on day 90 after all other diagnostics have failed. The early connection reduces the diagnostic delay from months to days. The revenue savings from the reduced delay justify the bus monitor investment many times over.
Frequently Asked Questions
Can I use one bus monitor for multiple machines or do I need one per machine?
You can use one bus monitor for multiple machines by moving it from machine to machine. Monitor each machine for one week, then move the monitor to the next machine. The sequential monitoring is less expensive than purchasing one monitor per machine. However, the sequential monitoring means that only one machine is monitored at a time. If multiple machines are experiencing unexplained profit drops, the unmonitored machines continue losing revenue while waiting for the monitor. The sequential approach is appropriate for venues with a small number of machines (under 20) and a low frequency of unexplained problems. For venues with more machines or higher problem frequencies, purchasing one monitor per machine is recommended. The per-machine cost (approximately 80 to 100 dollars) is recovered by the revenue saved from the first problem the monitor diagnoses on each machine.

What if the bus monitor does not find any anomalies even after two weeks of monitoring?
The absence of anomalies is a diagnostic finding. It indicates that the profit drop is not from bus-level attacks or bus-level faults. The cause is elsewhere: network-level (the backend data is being modified in transmission), firmware-level (the machine firmware has been modified with an exploit that does not generate anomalous bus signals), or operational (the player population has changed in a way that the venue data does not capture). Direct the investigation to these remaining hypotheses. The bus monitor has eliminated the bus-level hypotheses. The elimination is progress — it narrows the investigation. The technician moves to the next diagnostic tool: network traffic analysis, firmware checksum comparison, or player behavior analysis. Each hypothesis is tested in turn until the cause is found. The systematic approach — test each hypothesis with the appropriate diagnostic tool — produces a definitive diagnosis. The bus monitor is one tool in the systematic approach. It is the tool for bus-level hypotheses. Other tools cover other hypotheses.

How do I convince the machine manufacturer that the problem is an attack rather than a machine fault when they insist the machine is fine?
The bus log data is the convincing evidence. Send the device log excerpt showing the anomalous events to the manufacturer. The log shows bus events that the manufacturer knows should not be occurring. The manufacturer may initially dispute the log because they do not trust the external device recording. The device manufacturer can provide an expert witness statement that explains the log format, the signal measurement methodology, and the baseline establishment. The expert witness statement establishes the credibility of the bus log data. With the data and the expert statement, the manufacturer typically accepts the evidence and acknowledges the attack. Some manufacturers may then offer a firmware update or a hardware modification to address the vulnerability that the attack exploited. The manufacturer response varies by manufacturer. The bus log data is the foundation for the discussion. Without the data, the discussion is a dispute of opinions. With the data, the discussion is a review of evidence. The evidence changes the dynamic from adversarial to collaborative.