The "And Casinos Have No Fix" part of the title seems exaggerated; if nothing else, it appears that only a small subset of 5+ year old machines are affected.
It absolutely is exaggerated. I left a job at a real money slot manufacturer 3-ish years ago where I was a mathematician and 'the rng guy'. Even then our machines weren't susceptible to this attack. We had a fix. And by 'weren't susceptible' I mean probably weren't but could be, because getting the rng wrong is super easy to do. Don't be shocked if regulators just pull these from the floor. They probably had to go through a lot of different machines from different manufacturers to find this in the first place.
From the description of the attack it seems like the only reason other machines aren't affected is because the Russian group running this hasn't gotten their hands on those machines.
Sort of maybe. It sounds like the slot machine makers are being cheap with their machines. There are such things as hardware RNG that will produce a truly random number, it's just that for most applications they're overkill. This seems like an instance where not only aren't they overkill, they're almost mandatory. They talk a bit about using encryption to protect the PRNG algorithm, but that's just a bandaid, at best it buys them a little bit of time, but ultimately it will be cracked the same way.
A hardware RNG is actually pretty cheap to make, there are actually open source (as in the circuit diagrams are available) ones floating around the internet that you can build for less than $20 worth of parts. The manufacturers probably don't want to go that far because a) compared to most of the parts in the machine it's a fairly expensive piece so it will cut into profits, b) hardware RNG function a bit different from a PRNG so properly integrating one requires a certain amount of skill, c) it isn't their problem really, they already got their money, it's the casinos that are losing, and d) it's simpler to just prosecute the handful of people doing this (for now).
That was somewhat covered by point b, but yeah, in terms of verification it's tricky to determine if a hardware RNG is actually, you know, random. The other part that makes it tricky is that most hardware RNGs don't produce enough entropy to keep a system fed during active usage so you typically need to use their outputs as inputs to more traditional PRNGs or to periodically re-seed a PRNG which was actually the main thing I was thinking about with point b.
eh, well designed CSPRNGs are a thing. If they re-seed/add to the entropy pool of the machines on the LSBs of microsecond button timing or something like that, it'll be pretty difficult to influence or predict the outputs.