Skip to main content

8 posts tagged with "facetime"

View All Tags
MissedRemote access★ Pinned

XPoint / BetRivers PA: CIV-88 retest — FaceTime RDP sustained for 1 hour; Tailscale Mac-to-Mac RDP undetected

XpointRushStreet Interactive (BetRivers)
xpointbetrivers-pardpfacetimetailscale

Source. June 30, 2026 weekly sync.
Ticket. CIV-88: BetRivers PA — advanced spoofing review (retest).

What we tested

Two additional spoofing checks from the June 23 CIV-88 cycle, confirmed during the week ending June 30:

  1. FaceTime RDP — sustained session duration
  2. Tailscale Mac-to-Mac RDP — detection reliability

Both against BetRivers Pennsylvania (XPoint).

What happened

1. FaceTime RDP — 1-hour confirmed session

  • ✗ A tester in New Jersey remotely controlled an iPhone in Pennsylvania via Apple's built-in FaceTime screen sharing.
  • ✗ The session ran for a full hour — bets placed continuously on both sportsbook and casino throughout.
  • No block or interruption at any point.

This confirms the initial FaceTime gap is not a brief window at login — it is an open, sustained exposure for the full session duration.

2. Tailscale Mac RDP — detection failed

  • ✗ Two Macs paired under one Tailscale account.
  • ✗ An out-of-state device initiates remote control of an in-state (PA) host via native macOS screen sharing (Finder).
  • No local interaction required on the host — the remote connector receives full control.
  • ✗ The geolocation check passes against the host's in-state position.

Why it matters

Both retests deepen the Pennsylvania compliance picture from June 23:

  • FaceTime — the gap is now quantified as hour-long, not transient. Any operator conversation about "we catch it eventually" is contradicted by a full session of uninterrupted wagering.
  • Tailscale + macOS — the same unattended desktop-control pattern that GeoComply blocked on FanDuel NJ the same week remains undetected on BetRivers PA / XPoint.

Cross-reference

Xpoint profile → · June 30 weekly sync →

MissedRemote accessVPNFake GPS appJailbreak / Root★ Pinned

Radar / Wind Creek Casino Online PA: iOS RDP, DroidVNC + Tailscale, and Android VPN undetected (results June 19)

RadarWind Creek Bethlehem
radarwind-creekwind-creek-bethlehempennsylvaniardp

Source. June 23, 2026 weekly sync.
Ticket. CIV-91: Wind Creek Bethlehem PA — environment compliance updates.

What we tested

Full integration testing of Wind Creek Casino Online PA (Radar) across iOS, Android, and browser. Results delivered June 19.

What happened

TestResultDetail
RDP — iOS FaceTime & iPhone Mirroring✗ Non-compliantNot detected. User outside PA (TN) remotely controls an in-state iPhone and places bets. In-state user must log in first; remote user controls the screen from there.
RDP — Android DroidVNC + Tailscale✗ Non-compliantNot detected. Remote user in an excluded state places bets on a PA Android device using DroidVNC and Tailscale together.
VPN — Android (Turbo VPN)✗ Non-compliantNot detected on Android. User logged in, placed bets, and played casino with VPN active.
VPN — iOS✓ CompliantVPN detected at login and mid-session.
RDP — Android (TeamViewer, AnyDesk, HopToDesk)✓ CompliantDetected at login or interval check.
Fake location — Android (FLA)✓ CompliantDetected before and during a gaming session.
Cross-border into exclusion state✓ CompliantUser fails geolocation at or just past the border (~90 m buffer).
Rooted Android + mocked location⚠️ Compliant*User fails for mock location / jurisdiction errors. Root itself not detected, but mocked location is caught. With GPS JoyStick the failure took longer — suggesting IP mismatch or low confidence score rather than direct root detection.

UX issues — new user flow & deposit

Operator-side friction observed during the same test cycle (not Radar detection failures, but worth tracking):

  • Android Galaxy S16 deposit loop: debit card deposit failed and sent the user into a loop — account flagged for Wind Creek approval with no timeline and no clear prompt. User attempted 3 times before abandoning.
  • ID verification false positive: notification asked user to close any app using the camera (triggered by screen recording). User bypassed by restarting the app — screen recording continued undetected.
  • No autofill for address, phone, or email on either platform.
  • Deposit methods limited to PayPal, Venmo, and debit card only.

Why it matters

Three undetected vectors on the same Radar deployment while the "standard toolkit" checks pass — native iOS screen sharing, Android DroidVNC + Tailscale, and Android VPN. The compliant iOS VPN handling directly contrasts with the undetected iOS RDP gap.

Cross-reference

Radar profile → · June 23 weekly sync →

MissedRemote accessJailbreak / RootFake GPS app★ Pinned

XPoint / BetRivers PA: Tailscale macOS RDP (unattended), Magisk mock-flag suppression, and FaceTime handoff undetected

XpointRushStreet Interactive (BetRivers)
xpointbetrivers-pardptailscalemacos-screen-sharing

Source. June 23, 2026 weekly sync.
Ticket. CIV-88: BetRivers PA — advanced spoofing review.

What we tested

Advanced spoofing checks on BetRivers Pennsylvania (XPoint), building on the June 16 compliance analysis.

What happened

1. Tailscale + Mac RDP — undetected

Two Macs on the same Tailscale account. Mac1 (out of state) connects to Mac2 (in PA) using macOS built-in screen sharing via Finder. Mac2 user does not need to be present — the remote user gets full control.

2. Rooted Android + mocked location — undetected (retested on mobile network)

Same non-compliant result on mobile connection. Setup uses Magisk with a renamed manager to avoid detection, root partially hidden. Key nuance: the mock location app (FakeGPS) is technically visible to BetRivers, but a custom low-level module suppresses the mock-location flag before BetRivers can read it — which is why it gets through. A second rooted device lost its integrity status and needs troubleshooting.

3. FaceTime RDP — undetected after local auth

The in-state person must physically handle the phone to log in and enter the 2FA code. Once logged in, the remote user takes full control — requires brief cooperation from the in-state user at the start, but no presence after that.

Why it matters

All three vectors succeeded in a follow-up cycle. The Magisk module path defeats the SDK's mock-location signal at the OS layer — not merely by hiding the spoofing app. The Tailscale + macOS pattern delivers fully unattended desktop control, which is the highest-risk RDP class on Pennsylvania deployments this month.

Cross-reference

Xpoint profile → · June 23 weekly sync →

MissedRemote accessJailbreak / RootFake GPS appResigned / tampered app★ Pinned

XPoint / BetRivers PA: iOS RDP, Tailscale macOS RDP, and rooted Android mock location undetected; standard RDP + FLA blocked

XpointRushStreet Interactive (BetRivers)
xpointbetrivers-pardpfacetimeiphone-mirroring

Source. June 16, 2026 weekly sync.
Ticket. CIV-88: BetRivers PA — compliance analysis.

What we tested

A compliance analysis of BetRivers Pennsylvania (XPoint) covering native iOS remote-control methods, Tailscale + macOS native screen sharing, rooted Android with mock-location concealment, and a baseline suite of standard remote-access tools, IP-change detection, Android fake location apps (FLA), and a resigned iOS app.

What happened

VectorResultNotes
Native iOS RDP (FaceTime + iPhone Mirroring)✗ UndetectedRemote operator in an out-of-state location placed bets on the in-state Pennsylvania iOS device.
Tailscale + macOS native RDP✗ UndetectedMesh VPN tunneling combined with built-in macOS screen sharing was not flagged.
Rooted Android + concealed mock location✗ UndetectedRoot state and hidden mocked coordinates both went unnoticed; bets and gameplay succeeded from an exclusion state.
TeamViewer, AnyDesk, HopToDesk✓ BlockedStandard commercial remote-access utilities were identified and suppressed.
IP change detection✓ BlockedIP-based relocation checks fired as expected.
Android fake location apps (FLA)✓ BlockedGeolocation manipulation frameworks were detected before wagering.
Resigned iOS app✓ BlockedTampered iOS binary was rejected.

Why it matters

Three high-impact vectors — iOS screen sharing, Tailscale-based macOS RDP, and root-concealed mock location — all succeeded on the same operator while the "standard toolkit" checks passed. That pattern suggests detection tuned to known commercial RDP signatures and common FLA tools, but blind to native OS remote-control channels and Magisk-level telemetry suppression. The iOS and Tailscale gaps are especially material given prior undetected Tailscale findings on other XPoint deployments.

Cross-reference

Xpoint profile → · June 16 weekly sync →

PartialRemote accessNear border

OpenBet / Fanatics MI: HopToDesk remote control undetected on Android (TeamViewer + AnyDesk blocked)

OpenBetFanatics Sportsbook
openbetfanatics-mirdphoptodeskteamviewer

Source. June 2, 2026 weekly sync.
Ticket. CIV-64: MI advanced spoofing retest.

What we tested

During advanced spoofing retests near the Michigan–Canada border, the team tested several remote-control applications on Android against the Fanatics MI app (OpenBet), plus iOS screen sharing for comparison.

What happened

  • HopToDeskNOT detected at installation or during an active remote session on Android. Bets were placed consistently while a remote user was in control.
  • TeamViewer — detected and blocked.
  • AnyDesk — detected and blocked.
  • iOS FaceTime screen sharing — detected near the border.

Why it matters

This is a known detection gap for a specific tool, not a blanket failure: the two most common remote-access apps (TeamViewer, AnyDesk) are caught, and FaceTime screen sharing is caught on iOS — but HopToDesk slips through entirely on Android. A sophisticated fraudster who identifies this specific gap can use it to circumvent geolocation checks on Fanatics in Michigan while the obvious tools stay blocked.

Cross-reference

OpenBet profile → · June 2 weekly sync →

MissedNear borderBoundary crossingRemote accessUX / messaging★ Pinned

Bet365 MI (Radar / XPoint): full competitive validation — near-border lag, FaceTime + Windows RDP undetected, UX recovery broken

radarxpointbet365-minear-borderrdp

Source. May 26, 2026 weekly sync.
Ticket. CIV-63: Bet365 MI — full Radar / XPoint integration research.

What we tested

A full integration validation of Bet365 Michigan — Radar for the mobile app, XPoint for the web client. Covered: near-border behaviour, cross-state jurisdiction handling, two RDP attack paths (iOS, Windows), and post-failure UX.

What happened

AreaResultNotes
Near Canadian border (Belle Isle)✗ Inconsistent at 200–1,000 m from the border. Betting slip continued to load but functioned unreliably — suggests an insufficient buffer zone.
Detroit ↔ Canada cross-border✗ An erroneous jurisdiction alert fired on the betting slip, incorrectly telling the user wagering is restricted to New Jersey residents while on Bet365 MI.
iOS FaceTime RDP✗ Undetected. A tester in Massachusetts placed bets remotely on a device located in Michigan with no issues.
Windows RDP✗ Undetected. A tester in Massachusetts placed wagers on both the sportsbook and casino via a Windows device located in Michigan.
UX — post-VPN-detection recovery✗ Persistent application glitches after a VPN-detection event. Tester unable to resume wagering; forced restart of the app required to restore functionality.

Why it matters

This validation lands five separate issues on a single operator in a single test cycle:

  1. Two compliance failures on the same border — buffer-zone unreliability + a flatly wrong jurisdiction message. Either could be cited as a regulator-facing defect.
  2. Two undetected RDP paths — iOS (FaceTime) and Windows — both spanning multi-state remote sessions. RDP is the textbook remote-betting fraud vector and both paths went uncaught.
  3. The UX recovery loop is broken even when detection does fire. A user who triggers a VPN block cannot recover without restarting the app, and receives no guidance on how to do so.

Cross-reference

Radar profile → · Xpoint profile → · May 26 weekly sync →

DetectedRemote access

OpenBet / Fanatics WV: FaceTime screen sharing detected at session start — account / device blocked ✓

OpenBetFanatics Sportsbook
openbetfanatics-wvfacetimescreen-sharingrdp

Source. May 26, 2026 weekly sync.
Ticket. CIV-59: Fanatics — OpenBet Locator | advanced spoofing.

What we tested

Whether FaceTime screen sharing — Apple's built-in feature for mirroring one device's screen to another over the network — would be detected when initiated at the start of a wagering session on Fanatics West Virginia (OpenBet Locator).

What happened

  • Detection fired immediately at session start.
  • Result: account or device was blocked, preventing the wagering session from continuing.

Why it matters

iOS FaceTime is a credible remote-control vector: it ships on the device, requires no third-party tools, and gives the remote party a real-time view of the screen with light interaction. OpenBet catching it at session start is exactly the moment where this defence is cheapest and least disruptive — before any bets, before any state changes.

This is the same week as the Bet365 MI validation where iOS FaceTime RDP went undetected while a user in Massachusetts placed bets on a device in Michigan. Same vector, two operators, opposite outcomes — clear evidence that FaceTime detection is a vendor / integration choice and is implementable today.

Cross-reference

OpenBet profile → · May 26 weekly sync →

MissedRemote accessBoundary crossingNear borderUX / messaging★ Pinned

XPoint / RSI DE: FaceTime RDP undetected — MI user wagered on DE iOS device

XpointRushStreet Interactive (BetRivers)
xpointrdpfacetimersi-dersi-az

What we tested. RSI Delaware deployment (newly live, April 2026), iOS device localised to DE, driven remotely via FaceTime RDP from a Michigan host. Both casino and sportsbook flows.

What happened. No RDP detection. The MI-based user successfully placed remote wagers on the DE platform across both products.

Cross-reference. The same gap was previously confirmed at the RSI AZ deployment (Jan 2026 migration from GeoComply). Two operators, two regions, same SDK gap — this is structural.

Related RSI DE findings (same test cycle).

  • Account SUSPENDED on DE-MD border crossing before any spoofing attempt was made.
  • Near-border pass/fail points inconsistent, erroneous failures even moving away from the boundary.
  • Static/mobile toggling required at MD + DE borders — major UX friction vs GeoComply's seamless PA.
  • macOS install requests access to documents folder (known security concern).
  • AnyDesk installed (but not running) silently blocks betting — false positive RDP flag.
  • Mac CPU spikes 0.5% → 16% at 1-minute intervals during poker.

Xpoint profile →