Shuffle Master Deck Mate 1 Unauthenticated EEPROM Firmware Execution Vulnerability
Vulnerability
A vulnerability in the Shuffle Master Deck Mate 1 card shuffler allows unauthorized firmware to be executed from an external EEPROM. The device does not verify the authenticity or integrity of the firmware, so an attacker with physical access can replace or reflash the EEPROM. The modified code can execute arbitrary instructions and persists across reboots. The issue is particularly concerning because the design predates modern secure boot and signed update mechanisms, leaving the device open to exploitation. The manufacturer has not provided any firmware updates for this legacy model.
Impact
Exploitation of this vulnerability allows for full control over the shuffler's firmware, enabling cheating during poker games by manipulating the order of cards or bypassing the device's card count verification. Such actions could be executed without detection, even in well-monitored environments.
Reproduction
The vulnerability can be reproduced by physically accessing the shuffler and replacing or reflashing the EEPROM with a modified chip. Once the EEPROM is replaced, the shuffler will execute the unauthorized firmware without any integrity checks, allowing for arbitrary code execution.
Remediation
The manufacturer has allegedly released a firmware update addressing the flaws as of October 23, 2025. However, it is unclear if this update is applicable to the Deck Mate 1 model.
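Because the device performs no integrity check of its own, an operator-side audit can compare an EEPROM read-out against a trusted reference image and report where they differ. The following is an added example, not code from the vendor or from this advisory; it assumes a known-good reference image is available, and the function names and the sample images are constructed for illustration.

```python
import hashlib
import hmac

def changed_ranges(reference: bytes, dump: bytes):
    """Return merged [start, end) byte ranges where dump differs from reference."""
    ranges, start = [], None
    common = min(len(reference), len(dump))
    for i in range(common):
        if reference[i] != dump[i]:
            if start is None:
                start = i              # a run of differing bytes begins
        elif start is not None:
            ranges.append((start, i))  # the run ended at the previous byte
            start = None
    if start is not None:
        ranges.append((start, common))
    # A size mismatch is itself a finding: report the unmatched tail.
    if len(reference) != len(dump):
        ranges.append((common, max(len(reference), len(dump))))
    return ranges

def audit_dump(reference: bytes, dump: bytes) -> dict:
    """Compare an EEPROM read-out with the trusted reference image."""
    ref_digest = hashlib.sha256(reference).hexdigest()
    dump_digest = hashlib.sha256(dump).hexdigest()
    match = hmac.compare_digest(ref_digest, dump_digest)
    return {
        "match": match,
        "reference_sha256": ref_digest,
        "dump_sha256": dump_digest,
        "changed": [] if match else changed_ranges(reference, dump),
    }

# Constructed sample data: a 1 KiB stand-in image, not real Deck Mate firmware.
REFERENCE = bytes(range(256)) * 4
_modified = bytearray(REFERENCE)
_modified[0x120:0x128] = b"\xff" * 8   # simulate an 8-byte modification
MODIFIED = bytes(_modified)
TRUNCATED = REFERENCE[:512]            # simulate a smaller replacement chip

if __name__ == "__main__":
    for name, image in (("clean", REFERENCE), ("modified", MODIFIED),
                        ("truncated", TRUNCATED)):
        result = audit_dump(REFERENCE, image)
        spans = ", ".join(f"0x{a:04x}-0x{b:04x}" for a, b in result["changed"])
        print(f"{name}: match={result['match']} changed=[{spans}]")
```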
