Case Study: Network Architecture Findings in a Widely Deployed Casino Management Platform
Discipline: Casino Infrastructure Security Research
Scope: Industry-wide deployment review
Disclosure Posture: Coordinated with platform vendor
Background
Aristocrat Technologies' Oasis 360 Casino Management System is one of the most widely deployed CMS platforms in the regional and tribal gaming market. It handles player tracking, electronic gaming machine accounting, ticket-in and ticket-out processing, and a range of compliance reporting functions that gaming regulators rely on. For most operators, it is the operational backbone of the floor.
Doradus Labs has held Master Certification on Oasis 360 since 2011. Across more than a decade of deploying, integrating, and supporting the platform in production environments, our engineering team developed a deep working knowledge of how the system is most commonly installed, and of the recurring patterns in those deployments that carry risk operators may not realize they have inherited.
In 2025, Doradus Labs initiated a formal, internally funded security assessment of the standard Oasis 360 reference architecture. The objective was not to test any individual operator's environment. The objective was to characterize the security posture that operators inherit when the platform is deployed according to the typical patterns we encounter in the field.
The Assessment
The assessment was conducted against a representative laboratory environment configured to mirror the network topology, service exposure, and authentication patterns common to production deployments. The methodology drew from CIS Benchmarks for the underlying infrastructure, standard network reconnaissance using tools such as Nmap and Wireshark, and protocol-level review of the management and diagnostic interfaces exposed by the platform and its supporting components.
Findings clustered into four categories.
- Network segmentation. Standard deployment patterns place user-side workstations and floor-side gaming systems in network segments with insufficient enforcement between them, creating lateral movement paths that many operators are unaware exist.
- Service exposure on gaming endpoints. Electronic Gaming Machine network interfaces expose diagnostic and management services that, while operationally useful during commissioning, are rarely hardened or removed before production use.
- Cryptographic posture. Several transport and authentication mechanisms within the standard architecture rely on cryptographic parameters that no longer reflect current industry baselines for sensitive financial and regulatory data.
- Diagnostic endpoint encryption. Specific diagnostic and telemetry endpoints transmit in cleartext, exposing operationally sensitive information to anyone with passive access to the relevant network segments.
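An operator can check the first, second, and fourth categories against their own environment by scanning the floor-side segment from a user-side workstation and reviewing what answers. The sketch below is an added example, not code from the Doradus Labs report or from the platform vendor; the address ranges, allow-list, cleartext service names, and Nmap XML sample are all constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: floor-side (EGM) segment; constructed address range.
FLOOR_NET = ipaddress.ip_network("10.20.0.0/24")
# Assumption: generic well-known cleartext protocols, not taken from the report.
CLEARTEXT = {"telnet", "ftp", "http", "snmp", "tftp"}
# Assumption: (host, port) flows the operator has approved across the boundary.
ALLOWED = {("10.20.0.5", 443)}

# Constructed `nmap -oX` output from a scan run on a user-side workstation.
SAMPLE_XML = """<nmaprun>
<host><address addr="10.20.0.11" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
</ports></host>
<host><address addr="10.20.0.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
</ports></host>
<host><address addr="10.20.0.12" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
</ports></host>
<host><address addr="10.10.0.7" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host>
</nmaprun>"""

def audit(xml_text, floor_net=FLOOR_NET, allowed=ALLOWED):
    """Return (host, port, service, reason) for each open floor-side port
    reachable from the scanning segment that is not on the allow-list."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None or ipaddress.ip_address(addr_el.get("addr")) not in floor_net:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            portid = int(port.get("portid"))
            if state is None or state.get("state") != "open" or (addr, portid) in allowed:
                continue
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            wrapped = svc is not None and svc.get("tunnel") == "ssl"
            reason = "cleartext" if name in CLEARTEXT and not wrapped else "unapproved"
            findings.append((addr, portid, name, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_XML):
        print(finding)
```

Any row returned is a flow that crossed the segment boundary without approval; rows marked cleartext are also readable by anyone with passive access to either segment.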
Coordinated Disclosure
Doradus Labs prepared a detailed technical report describing the findings, the conditions required to observe each issue, and remediation guidance for both the platform vendor and operators running affected deployments. The report was submitted to Aristocrat Technologies through established channels and was accompanied by direct correspondence with the ATI engineering team. Specific exploitation details are deliberately not published.
This is standard practice for security research that affects a partner's platform: disclose privately, work with the vendor on resolution, and share with the public only the level of detail that helps operators evaluate their own risk without increasing exposure for any single deployment.
What This Means for Operators
For casino operators running Oasis 360, particularly Class III deployments at tribal and regional properties, the findings underscore a point that applies to nearly every enterprise platform: a vendor-blessed reference architecture is a starting point, not a finished security posture. Defaults are designed for broad operability, and the work of tightening segmentation, hardening exposed services, and aligning cryptographic parameters with current standards is the responsibility of the deploying operation.
Doradus Labs offers targeted Oasis 360 deployment reviews for operators who want to understand their specific exposure against the findings described above. These engagements are conducted under non-disclosure, deliver a written assessment with prioritized remediation steps, and can be scoped to range from a focused network architecture review to a full environmental audit.
About Doradus Labs
Doradus Labs delivers managed IT, cybersecurity, and intelligent video analytics services to gaming operators and other high-availability environments. We have held Master Certification on Aristocrat Oasis 360 since 2011, and our work in the gaming vertical extends from day-to-day operational support to the kind of architectural research described here. Our objective in publishing this case study is straightforward: to help operators understand the security realities of the platforms they depend on, and to demonstrate the depth of technical expertise we bring to every engagement.
To request an Oasis 360 deployment review, contact our team at [contact details].