Title should be "MGM Resorts Suffers Cybersecurity Attack, System Outage" (following HN norms), or at least include "Resorts." MGM Resorts was spun out of the movie studio in like the 70s.
MGM is basically a defunct rights holding company. It’s made 5 movies in the last decade, including 2 Addams Family, 2 Max (dog movies), and a GI Joe, and the Addams Family movies were really made by Universal. It’s also a name slapped on some other streaming app.
If I heard the name referring to a current company, I would think hotels/casinos/sportsbooks first. That said, the title could still be better.
I don't really know where you're getting this number. By my count they've made about three dozen films this decade, including a James Bond film and Creed III.
While Star Trek is releasing new series every year including cartoons, Stargate didn't release anything. It has so much potential and a large fanbase (myself included).
Yes, because I remember thinking that we would eventually be getting a bloated James Bond extended universe of shows (like Star Wars and Marvel) because of it.
I thought maybe it was hacking to get content. So at least the title instilled a bit of curiosity even if it wasn't the story I had imagined from just the headline.
Ocean's 0x11? I wonder if it's just an attack against their email servers or a bigger one, how networked are their operations? If we believe the urban legends about how casinos operate, there's probably interesting conversations a cyber-attacker could find.
I was disturbed to hear from people first hand in Vegas saying it was making the ATMs inoperable. No details on how inoperable, like if it is just certain banking features or everything. The ATMs should not be affected in the same kind of attack that would take down the website and booking systems. Those should all be separate.
Casino floor ATMs aren't just ATMs. They are also ticket redemption machines and therefore have to connect to the MGM network to redeem. I'd imagine the whole machine shuts down for security reasons if network connection is lost.
Yes, I think that MGM has actively shut everything down, rather than some massive hack that has affected all these separate systems.
Best guess is that with the F1 races coming soon with what is expected to be the largest cashflow through Vegas ever, that MGM Resorts IT found issues in an audit in preparation for that massive event, found anomalies, and pulled the rip cord to shut everything down till they could sort out what systems were actually hit.
That is materially different than a massive hack affecting all these various systems though.
MGM has acknowledged it's an attack [1] and certain Vegas gossip sites have stated that Caesars was hit last week but was able to keep it better under wraps.
"MGM Resorts recently identified a cybersecurity issue affecting some of the Company’s systems. Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts,”
"We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems."
The systems are down due to MGM shutting them down, not the active attack shutting things down.
While there's something to be said for ransomware targeting casinos, "because that's where the money is," that might also attract the wrong attention, and not all from the government. They might wish it was only from the government.
Casino-based attacks aren't really because the casino has a lot of money around. 1) they have large, very detailed databases with extensive customer records (photos of driver's licenses, for example) that are desirable on black markets 2) easy attack vector -- heavily dependent on a variety of vendor software and systems that are way out of date, run by weak, underpaid and often uninformed IT staffs unaware of some basic security vulnerabilities 3) being customer-facing and highly-regulated, casino companies are typically heavily incented to simply pay the ransom rather than face regulatory scrutiny and consumer distrust (and to restore cash flow, and because the soft IT teams probably didn't make comprehensive backups...)
I can imagine the galaxy-brain planning session where our perps are coming up with their next target. They rule out robbing international drug cartels and black-market arms dealers, because while those orgs do have a lot of cash on hand, they don't want to get on the wrong side of violent organised crime gangs.
> Best guess is that with the F1 races coming soon with what is expected to be the largest cashflow through Vegas ever, that MGM Resorts IT found issues in an audit in preparation for that massive event, found anomalies, and pulled the rip cord to shut everything down till they could sort out what systems were actually hit.
I don't believe these are typical bank ATMs but specific to MGM that manage all the casino games (ex: pay-outs, loyalty, etc) as well, so would be tied into any MGM systems.
> Thousands of guests at MGM Resorts in the Las Vegas strip have been locked out of their hotel rooms after the company was hit with a cyber attack, according to reports.
> MGM Resorts International has about 48,000 rooms on The Strip. The company's properties include Mandalay Bay, the Bellagio, Luxor and MGM Grand, among others.
> The outage, first detected on Sunday night, has affected company emails, reservations, booking, room keys and casino slot machines.
How do those hotel door locks work? When I had an apartment with a tap keyfob, it was battery-operated and the fob seemed to be programmed for that specific lock, so I thought they could work offline.
These days the locks are online so that you can block a lost keycard from the front desk. Previously you had to open the lock with a newer keycard than the lost one to make the lost one inoperable. That works kinda fine in a small hotel but not when you have 48000 rooms with millionaires in them.
Fwiw you could probably build this in a way that it continues to operate without internet. This creates a new attack vector (disable the internet and you can't revoke access) but that's probably acceptable given the physical attacks possible.
Each key gets a revision number. When the first set of keys are created, they get revision number 0. The lock records a high water mark of the revision numbers it has seen. Only keys matching the water mark get to unlock the door.
When you want to revoke a key, you re-issue a new set with a higher revision number. When the guest checks out, you issue the next revision number to the next guest, effectively disabling the previous set.
You do all this as a fallback when the network fails. This way, you can still disable keys in real-time when people check out of their room.
Does this use something like asymmetric keys so the door can verify a key came from the issuing system or is there still some online/network portion?
Assuming it does use asymmetric keys to prevent someone from creating counterfeit access cards, there would still be a window (if the network is unavailable) where the old key would continue to work until a new key is scanned the first time on the door lock?
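The revision-number scheme and the revocation window discussed in the comments above, as an added example that is not part of the original thread or any lock vendor's code: an offline lock that tracks a high-water mark and only advances it for authenticated cards. Assumptions: HMAC-SHA256 with a shared secret stands in for the asymmetric signature asked about, and the card layout, `issue_card`, `OfflineLock`, the key and the room number are all hypothetical.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by the front-desk encoder and the lock.
# HMAC stands in for the asymmetric signature asked about in the thread.
PROPERTY_KEY = b"constructed-demo-key-not-a-real-secret"


def issue_card(room: int, revision: int, key: bytes = PROPERTY_KEY) -> bytes:
    """Encode a card as room (4 bytes) || revision (8 bytes) || HMAC tag."""
    body = struct.pack(">IQ", room, revision)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class OfflineLock:
    """Door lock that never talks to the network."""

    def __init__(self, room: int, key: bytes = PROPERTY_KEY):
        self.room = room
        self.key = key
        self.high_water = 0  # highest authentic revision seen so far

    def present(self, card: bytes) -> bool:
        if len(card) != 12 + 32:
            return False
        body, tag = card[:12], card[12:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Authenticate before touching state, so a forged card carrying a
        # huge revision cannot advance the mark and lock the real guest out.
        if not hmac.compare_digest(tag, expected):
            return False
        room, revision = struct.unpack(">IQ", body)
        if room != self.room or revision < self.high_water:
            return False
        self.high_water = revision  # first sight of a newer card revokes older ones
        return True


def demo() -> list:
    lock = OfflineLock(room=1204)
    guest_a = issue_card(1204, 0)
    guest_b = issue_card(1204, 1)  # issued when guest A checks out
    forged = struct.pack(">IQ", 1204, 99) + b"\x00" * 32  # no valid tag
    # The old card keeps working until the new one is first presented.
    cards = [guest_a, forged, guest_a, guest_b, guest_a]
    return [lock.present(card) for card in cards]
```

The third result in `demo()` is the window raised in the question: with no network, the lock only learns of a revocation when the replacement card first touches it.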
Currently at a reasonably-priced hotel in the boonies. Extended my stay the other day and they had to re-issue the keys. The keys must be aware of the reservation period, and the locks must be aware of the current wall-clock time. Finding a way to tamper with the RTC in the lock could blow up the whole system. Or, you know, a crowbar.
I'd imagine the locks in most hotels don't require an internet connection. Frankly I'd be horrified if my hotel room's locks depended on this horrendous WiFi.
MGM hotel rooms can be unlocked with smartphone NFC tap. You don't even need to visit the front desk to check in, just log in to the app. But if you can't open the app you can't get in your room. I'm guessing the front desk can issue keys to a guest in the event they lost their phone or something, but if the network is down for the front desk too then they might not be able to issue keys.
The problem is it works badly. You have to open the app which has to load and then you can get access to your key. But if you’re on an elevator then you might not have service and the app won’t load and then you can’t get to your key to use the elevator. Or worse if you don’t have great service in the corridor.
It needs to work in a way where the key is saved to your phone so it can be accessed quickly and offline.
Afaik the HID Global app saves a key in the OS key store (at least on Android) and uses the locally stored key with NFC so you just need network access to enroll a key. Not sure what vendor/app these things use (maybe it's all in house).
Some hotel chains like Hyatt support NFC keys in Apple Wallet. Because whatever microcontroller runs that is low-power, it can continue working after your phone battery is (nearly) dead too.
I know other locks use Bluetooth from an app which isn’t supported by Apple Wallet.
I did a project several years ago for mgm that involved BT, player cards, key systems, wifi, etc and I can confirm the hotel locks are controlled centrally for various reasons.
Such a system seems like it would be incredibly fragile to local attack - and this is one case where you can't just assume "physical access means you've already lost".
I agree, that's why I figured if you can get away with fooling around with a lock, some wires and a laptop in the hallway, you can probably pick the backup key more discreetly.
I was wondering the same. It would be an extreme fire hazard if a power or computer outage made the doors unopenable - especially because a fire could and likely would cause an outage.
I once was stuck in my hotel room due to a malfunction in the inside door handle, which was an annoying way to discover that the latch wasn't even mechanical on that side.
Apartment? I assume your home? The upkeep of locks in a hotel is a bit more involved, as customers lose keys and they need to be reset for the next room guest (for larger hotels, at least).
Over the years, MGM has bought up hotel-casinos on the Strip, and now they own most of ‘em. If you’re staying on the Strip, odds are it’s an MGM hotel.
Insane. Who is competing with them on the Las Vegas Strip? Just Blackstone with Bellagio, Cosmo, and Aria? Those investors have the power to have practically all properties on the strip not compete with each other.
I was at the Park MGM in Las Vegas yesterday and was unable to use the app or the automated checkout kiosks, though aside from the front desk being more busy than usual during checkin and checkout, nothing in particular seemed amiss.
I'm currently rewatching the Las Vegas (2003) NBC TV series (the one with James Caan, Josh Duhamel, James Lesure, Molly Sims, Nikki Cox, Vanessa Marcil etc). Feels on-brand; like every second ep is about some fantastic heist.
It's worth rewatching as a guilty pleasure, IMO. Feels quite alien compared to current fare. It's dumb but well-crafted, fun and glitzy and never takes itself too seriously. I miss that kind of show.
Surprisingly high production values for the time. It's available in 1080p with decent quality, somehow.
HDTV (ATSC) was available in 1998 in the US[1]; consumer uptake wasn't much until close to the shutdown of analog broadcasting, but it was out there. NBC broadcasts in 1080i, so it's not terribly surprising that they recorded it in a way that would look good on 1080p. I can't find anything saying exactly how it was recorded, but it wasn't uncommon to film in 1080p/24 and broadcast with 3:2 pulldown. That kind of content will look great as 1080p obviously; but if it was recorded at 1080i, a professional deinterlacing will look pretty good too.
HDTV (ATSC) is a technology that has influenced my life in pretty serious ways. My first tuner was a Sony SAT-HD100[0] in 2001.
Witnessing the transition into digital TV through my VGA port, in retrospect, taught me tons about how technology adoption, development, and standardization actually works in the real world.
I don't know anything about this particular show, but lots of programs were shot on film, and could just be scanned at higher resolution once HD video standards existed.
Unfortunately there's a lot of post-production steps that take place between the original film and the finished show. Since the 90s/noughties many of those steps take place in digital systems after the film has been scanned at the chosen resolution. Here's some detail specific to Babylon 5 and HD conversion, for example:
Oh, yeah, I'm sure it's more complicated than I made it sound, especially if you had early CGI added later like Babylon 5. What I wanted to convey was that the source material for many programs had much higher resolution than the original NTSC broadcast or VHS versions, and that's what makes it possible to produce an HD version of a show that was filmed before HD was invented.
Maybe most of the LED displays are run by the same IT department. So if I were an evil genius, this latest attack would be only the first salvo of bewildering hijinks perpetrated in the service of a multistep heist. The ultimate goal: rickroll the entire city after hijacking The Sphere ( https://www.youtube.com/watch?v=sLCeYV0SV8k&ab_channel=Billi... )
How many people would you need for such an elaborate, multi-step heist? Especially wondering because, given your reputation, I’m assuming you would need to be more of a puppet master than an active participant.
This is the same group that brought in face recognition, and needlessly detailed data keeping on every customer and we're expected to trust them .. right?
Your opinion is valid, however I'm currently on a plane heading there, likely a third of the passengers won't be able to check into their hotel. Same with dozens of planes. Kinda sucks for them.
I live in Vegas and it also sucks for all the local MGM employees that are getting called in to have to deal with it. That said, I hope things get figured out and your trip goes well!
I'll be fine, thanks. The context from allenrb is that casinos have no value to society, so that eliminating them (and therefore all the related jobs) is not a loss to anyone. That includes the employees you are referring to in your comment, and without much regard for the people heading there for a vacation.