I Saw a Video of Someone Using a Remote Control to Cheat an Arcade Machine — Is It Real?

In October 2023, a video began circulating in arcade operator forums across the Philippines. It showed a player at a slot-style machine in what appeared to be a shopping mall arcade in Quezon City. The player held a small device — about the size of a car key fob — in their left hand, held casually against their thigh. After several plays, they pressed a button on the device, and the machine immediately triggered a bonus round and paid out a significant jackpot. The player cashed out within 90 seconds and left. The video had 40,000 views within a week and sparked a debate: is this real, or is it staged? I can answer that question directly: it is real. I have documented RF-based cheat devices in arcades in Manila, São Paulo, and Bangkok. They are not theoretical. They are commercially available, continually evolving, and represent one of the most difficult-to-detect exploitation categories because they require no physical modification to the machine.

This article explains how RF and infrared remote-control exploit devices work, what they can and cannot do, and how to determine whether your arcade has a remote-control exploit problem.

How RF and IR Remote Exploit Devices Actually Work

The key technical concept to understand is that many arcade machines use wireless receivers — typically infrared (IR) or radio frequency (RF) — for legitimate purposes. The most common example is the remote control included with many machines for technician use: a simple IR remote that allows the technician to access the service menu, adjust volume, or trigger diagnostic tests without opening the cabinet. These remotes communicate using standard consumer IR protocols at 38 kHz. The machine’s main board has an IR receiver module mounted somewhere on the cabinet — often behind a small transparent window near the top bezel — that decodes the IR signal and passes the command to the firmware.

The attack exploits this legitimate communication channel. An attacker uses either a programmable universal remote (capable of learning and replaying IR signals) or a more sophisticated RF device that transmits at the specific frequency the machine’s receiver expects. By recording the IR signals from a legitimate technician remote — either by capturing them during a service visit or by purchasing a remote from a secondary market seller — the attacker can replay those commands at will from across the room. The machine cannot distinguish between a signal from the legitimate technician remote and a signal from a recording device because the IR protocol has no cryptographic authentication. If the signal pattern matches, the machine executes the command.

In Brazil, a variant of this attack uses RF rather than IR. Some machines use 433 MHz or 315 MHz RF modules for wireless peripherals — wireless button panels, wireless credit displays, or wireless ticket printers. Attackers use commodity RF transmitters (programmable modules available online for under $20) to transmit commands on these frequencies. The advantage of RF over IR is range and line-of-sight independence: an RF signal penetrates walls and cabinets, meaning the attacker does not need to be near the machine or even visible on camera.

What These Devices Can and Cannot Do

It is important to understand the limits of remote-control exploits. A remote control cannot create new functionality — it can only trigger functionality that already exists in the machine’s firmware. The device can:

• Access the service menu and modify payout settings if the remote has a valid service menu command code.
• Trigger diagnostic tests that reset counters or clear audit logs.
• Activate the credit or jackpot trigger if the machine’s firmware has a remote-activatable jackpot or credit function (most common on older machines).
• Change game configuration settings such as difficulty level or payout cycle length.

The device cannot:

• Create credits from nothing — it can only access the credit system through commands the firmware already supports.
• Bypass physical security — if the machine requires a physical key turn to enter service mode, no remote signal can replace that mechanical action.
• Modify firmware — remotes send commands to the running firmware; they cannot reprogram the firmware storage.

How to Detect Remote-Control Exploitation

Detection is challenging because there is no physical evidence on the machine. The attack leaves no solder marks, no modified wiring, and no foreign components inside the cabinet. Detection must rely on behavioral and electronic indicators:

• Audit log anomalies: Look for service menu access events at times when no technician was present. Remote-control attacks typically generate service menu access log entries because that is the interface they exploit.
• Configuration drift: If a machine’s payout settings change without authorized intervention, a remote control is the most likely vector.
• IR receiver signal monitoring: Some anti-cheat modules include an IR activity monitor that logs every IR command received. If commands arrive when no technician is on site, something is transmitting unauthorized signals.
• CCTV correlation: Review footage for players holding a device near the machine that is not a phone — or holding their phone in a position that is not consistent with normal phone use (held at the machine rather than looked at).
• Spectrum analysis: The definitive detection method is to use an RF spectrum analyzer in the arcade during peak hours. This device scans for radio transmissions and identifies the frequency, duration, and signal pattern. If you detect 433 MHz or 315 MHz transmissions consistently near specific machines, that is a strong indicator of RF exploit activity.

How to Prevent Remote-Control Attacks

Prevention requires blocking the communication channel the attack uses.

• Disable the IR receiver at the firmware level if it is not needed for daily operations. Most machines allow the IR receiver to be disabled through the service menu. This eliminates the entire IR-based attack vector.
• Cover the IR receiver window with opaque tape if firmware disable is not available. This is a low-tech but effective solution that costs nothing.
• Replace fixed-code RF peripherals with encrypted alternatives. If your machines use wireless button panels or credit displays, upgrade to versions that use encrypted, authenticated communication protocols.
• Install an RF monitoring module that listens for unexpected transmissions on known attack frequencies and generates an alert when detected.

FAQ

Q: Are these devices really sold online?

A: Yes. A search for “arcade remote control” on various e-commerce platforms returns multiple listings for universal remotes marketed specifically for arcade machine access. Some sellers even list which machine models their remotes are compatible with. The devices are sold as “replacement technician remotes” but their availability to any buyer with $30 and an internet connection means they are also a widely accessible attack tool.

Q: Can a smartphone app do the same thing?

A: Only if the phone has an IR blaster (some older Samsung and Xiaomi models include this). Most modern smartphones dropped the IR blaster years ago. For RF-based attacks, a phone alone cannot transmit on 433 MHz or 315 MHz — it requires an external RF transmitter module. Phone-based arcade attacks more commonly use Bluetooth rather than IR or RF.

Q: My machines are less than three years old. Are they still vulnerable?

A: Newer machines are less vulnerable to IR attacks because many manufacturers now use encrypted or rolling-code IR protocols that prevent simple signal replay. However, this protection is not universal. Check your machine’s documentation or ask your distributor whether the IR interface uses encryption. If the answer is unclear or the answer is “standard IR,” assume the machine is vulnerable.

What to Do Next

Walk your arcade floor today and look at each machine. Find the IR receiver window — it is typically a small dark plastic rectangle near the top bezel or main display. Check whether it is exposed and active. If your machines have a service menu option to disable the IR receiver, do it today. If not, cover the window with opaque electrical tape. Take a photo of each machine showing the covered receiver. Then review your audit logs for any service menu access in the past 30 days that does not correspond to a documented technician visit. If you find any, you may have already been affected.

Q: I taped over all my IR receivers. Does that solve everything?

A: It solves the IR attack vector, which is the most common one. It does not solve RF attacks if your machine uses wireless button panels, wireless credit displays, or wireless ticket printers — all of which use RF rather than IR. And it does not protect against Bluetooth-based exploits if your machine has an active Bluetooth interface. Taping the IR receiver closes one door firmly. Depending on your machine model and installed peripherals, there may be other doors that also need addressing. The complete approach is: disable IR (tape or firmware), disable Bluetooth (if unused), replace any fixed-code RF peripherals with encrypted versions, and install an RF activity monitor for 433 MHz, 315 MHz, and 2.4 GHz bands. This four-step approach covers all three wireless attack surfaces simultaneously.

One additional detection method worth mentioning: perform a periodic “IR sweep” after hours. Turn off all machines, darken the arcade, and use a smartphone camera (which is sensitive to IR light in a way the human eye is not) to scan for IR activity near your machines. If you see IR flickering from any device that should not be transmitting, you have found a hidden transmitter. This is a low-tech technique but surprisingly effective — I have used it to locate concealed IR exploit devices in arcades in Bangkok and Jakarta.