People who find security vulnerabilities commonly run into difficulties when reporting them to the responsible company. But it’s less common for such situations to turn into tense trade-show confrontations—and competing claims of assault and blackmail.
Yet that’s what happened when executives at Atrient—a casino technology firm headquartered in West Bloomfield, Michigan—stopped responding to two UK-based security researchers who had reported some alleged security flaws. The researchers thought they had reached an agreement regarding payment for their work, but nothing final ever materialized. On February 5, 2019, one of the researchers—Dylan Wheeler, a 23-year-old Australian living in the UK—stopped by Atrient’s booth at a London conference to confront the company’s chief operating officer.
What happened next is in dispute. Wheeler says that Atrient COO Jessie Gill got in a confrontation with him and yanked off his conference lanyard; Gill insists he did no such thing, and he accused Wheeler of attempted extortion.
The debacle culminated in legal threats and a lot of mudslinging, with live play-by-play commentary as it played out on Twitter. Rapid7 Director of Research Tod Beardsley was one of the spectators. “My first reaction,” Beardsley joked, “was, man, I wish a vendor would punch me for disclosure. Boy, that that beats any bug bounty.”
— @mikko (@mikko) February 15, 2019
The story is practically a case study in the problems that can arise with vulnerability research and disclosure.
Many large companies and technology vendors now run active “bug bounty” programs to channel the efforts of outside hackers and security researchers toward productively uncovering security problems in their software and infrastructure—but the vast majority of companies have no clear mechanism for outsiders to share information about security gaps.
When it comes to disclosing vulnerabilities to those types of companies, Beardsley told Ars, “I’ve gotten everything ranging from silence to active ignorance—’I don’t wanna hear it’—to cease and desist letters telling me ‘I’ll take down your advisory.’ All of that, and I’ve gotten lots of good [responses], too. I’ve dealt with people who have not had a long track record with disclosure and I hand hold them through it.”
In this case, two relatively inexperienced “ethical hackers” tried to feel their way through what they felt was a fairly serious security problem, even as Atrient executives felt like they were being taken for a ride by unscrupulous hackers trying to make a buck. Thanks to call recordings and a months-long e-mail thread between Wheeler, Atrient, and other stakeholders in the disclosure—including a major US casino operator and the FBI’s Cyber Division—we have a pretty good idea of how the situation played out.
Atrient is a small company, plying its wares in a highly specific niche of the casino and gaming industry.
Originally founded in April of 2002 by Sam Attisha and Jashinder (Jessie) Gill as Vistron, Inc. and renamed a year later, according to Michigan corporate records, Atrient was initially a catch-all technology consulting company. It offered “solutions outside the box” (as the company’s original website described them) related to IT staffing, software development, creative services, and project management. The company briefly took a stab at the wireless business, operating Vistron Wireless Inc. to “provide marketing and technology services to the wireless industry,” according to corporate registration documents.
Within a few years, Atrient’s work grew to include software integration for casinos. By 2015, Atrient’s main focus became a casino customer loyalty system called PowerKiosk, which connects freestanding kiosks, electronic slot machines, and mobile applications to track casino gamblers and present them with rewards, special games and marketing offers. The system can track customers through loyalty cards that it issues or through Bluetooth “beacons” and geolocation using mobile applications, as well as tracking the value of a person’s rewards points accumulated by activities within the casino.
While Atrient maintains an office in Las Vegas for sales and customer support, the company’s headquarters are in a small office and retail building in West Bloomfield, Michigan. Atrient’s headquarters shares the second floor of the building with a dentist and an H&R Block Advisors office, with a Tim Horton’s donut shop and a mattress store below. (Atrient shares its office with Azilen, an IT outsourcing company with two offices in India and one in Belgium. The full relationship between Azilen and Atrient isn’t clear; at least one Azilen developer now works for Atrient’s subsidiary in Hyderabad, India, which was registered in May of 2018.)
Atrient has apparently done well in its niche, partnering with a number of major players in the casino and gaming industry. Konami cut a deal in 2014 for exclusive distribution rights to Atrient’s software for existing Konami customers. Atrient has also integrated its software with gaming systems from Scientific Games’ Bally Technology unit and International Game Technology.
Over the past year or more, Atrient was in negotiations with the gaming and financial tech company Everi Holdings—negotiations that culminated on March 12, 2019 with the announced acquisition of “certain assets and intellectual property” of Atrient by Everi. The $40 million deal was done with $20 million in cash, with additional payouts based on contingencies in the agreement over the next two years. These negotiations were ongoing as the researchers tried to make their security concerns heard.