MissedRemote access★ Pinned
XPoint / RSI BetRivers NJ: Tailscale RDP fails detection in most cases, bypass-by-logout
Source. May 19, 2026 weekly sync.
Ticket. CIV-73: BetRivers NJ — RDP via macOS.
What we tested
Remote desktop access against the RSI BetRivers New Jersey XPoint deployment, driven from macOS via Tailscale. Two distinct attack methods were exercised:
- Brief one-time approval — first-touch remote-session setup requires a single approval prompt at the controlled device.
- Fully unattended — no prompt, no human interaction required at the controlled device after initial enrolment.
What happened
- Most cases: not detected. XPoint failed to flag Tailscale-based remote access in the majority of runs, allowing bets to be placed from a physically separate location.
- When detection did trigger: inconsistent and trivially bypassable. Detection events did not persist — logging out and back in cleared the restriction and the session continued.
- Both attack methods confirmed. Both the one-time-approval path and the fully-unattended path placed bets successfully.
Why it matters
This is the second cross-state confirmation of XPoint's RDP detection gap, alongside the FaceTime RDP failure at RSI Delaware (Apr 7). The gap is structural, not state-specific — RSI deployments in multiple states (AZ, DE, NJ) all show the same pattern.
Combined with the Bet365 NJ Tailscale + RealVNC bypass on Radar this week, both challenger providers running NJ sportsbooks are blind to Tailscale- driven remote sessions.
Cross-reference
- RSI Delaware (XPoint) — FaceTime RDP not detected — same cross-region pattern, different RDP tool.
- Fanatics NJ (OpenBet) — droidVNC-NG RDP blocked and named — OpenBet handles a comparable RDP-on-Android vector at the same operator footprint.