ACTING CYBER SAVVY DURING MEGA SPORTS EVENTS

Dimitri van Zantvliet
9 min readNov 1, 2020

During the 2018 opening ceremony of the Pyeongchang Olympic winter games, the ICT infrastructure was falling into smithereens behind the scenes. Hackers had gained access to the backbone and contaminated the serverpark with fast spreading malware. Can we expect the same during the Tokyo2021 games? Yes we can and they have proof of that already. Hacking a Mega Sports Event (MSE) and sports data has become the new norm! This article describes some reasoning behind it, provides insight in the cyber attack vectors, and last but not least gives advise for athletes and fans on how the mitigate their personal risk profile.

2018 PyeongChang Winter Olympic Games Opening Ceremony, courtesy korea.net

Dimitri van Zantvliet MBA CISSP CRISC CISM CISA CDPSE CIPP/E CIPM FIP is strategic cybersecurity advisor / CISO to the Dutch Olympic Committee / Dutch Sports Federation and the Dutch Government.

How Olympic CIO’s get heart attacks

In his Wired article, Andy Greenberg describes the perfect cyber-storm Sang-jin Oh ended up in during the opening ceremony of the 2018 Olympic winter games. More than 10.000 PCs, over 20.000 mobile devices, 6.300 Wi-Fi routers and 300 servers in two Seoul data centers were collapsing under his feet. While the Korean IT Director was freezing in his stadium seat, his Infrastructure team was caught by surprise by a hacking collective that had been working under the radar for months to disrupt this Olympic MSE. The malware used to disrupt the infrastructure had unprecedented technology and was loaded with false flags to point the attribution in the wrong way. The malware was named “Olympic Destroyer” a few days later.

Just two weeks ago, the US has charged six Russian hackers for allegedly carrying out a series of cyber attacks across the globe, including the 2018 Winter Olympics. The indictment coincided with the British government declaring that Russian hackers were attempting an attack on the Tokyo Olympics. And so the saga continues.

Meanwhile the technological dependencies continue to grow exponentially in the global sports landscape.

Mega Sports Events cyber risks in general

“As major sporting events become increasingly digitized, sports officials are increasingly concerned about cybersecurity. From scoring and judging systems to retail transactions and the home viewer experience, many aspects of major sporting events are incorporating new forms of internet connectivity. Along with such new technology comes great opportunity — but also great risk.”

In “The Cybersecurity of Olympic Sports: NEW OPPORTUNITIES, NEW RISKS” (link below), dr. Cooper et al summarize current and future threats. In brief, their survey suggests that while existing cybersecurity breaches — which are mostly concentrated in the financial risk category — are likely to continue, new waves of attacks are also likely to occur. The below chart from the survey shows the attacks that new technologies will make possible (or at least more likely).

Courtesy: The cybersecurity of Olympic Sports

It is clear that MSE organizers will have to think twice if the benefits of adding new technology to the landscape will outweigh the risks of doing so. Clear risk analysis should lay at the basis of such decision-making. Clear detection protocols should be developed and implemented for new to be expected and very obscure attacks.

In their article “The Sport of Cybersecurity” (link below), dr. Shackelton et al mention three trends in particular that are making it much more difficult for organizations of all sizes to mitigate the array of cyber risks they face: (1) the evolution of the “Internet of Everything”; (2) the difficulty of protecting trade secrets in such an interconnected digital ecosystem; and (3) the proliferation of threats to critical infrastructure, including public facilities. This indicates that small sports organizations are in need of central cyber security support. It is in the interest of the whole chain to protect the weakest links.

All good things come in threes..

MSE’s in general, seem to have three things in common regarding their cyber threat landscape; Individuals, event infrastructure and data. In his recent lecture, “Growing Threats of Cybersecurity Attacks in Sports”, at the university of Chicago (video below), dr. Nate Evans delivers a brief overview of the different target-groups:

Individuals at an MSE

Fans, spectators, athletes, coaches/trainers, on site officials, support staff, contractors, etc. are just a few examples of the individuals that can -and will- fall victim to cyber scams.

  • Long before the event takes place, tickets are being sold to regular buyers and to VIPs. Some bogus tickets will be sold and automated ticket-scrapers will use bots to buy low and sell high, collecting Personally Identifiable Information along the way. VIP data will give hackers a premium on the marketplace. (The threat is so real that Japan has passed legislation making ticket scraping illegal).
  • Fan data will be harvested by national security agencies for national security reasons and by cyber criminals to sell it on the dark web (creditcard data e.g.). Fans will receive MSE-themed phishing emails where they give away credentials to have their bank accounts hacked later on.
  • Athletes will be targeted as well for all the above but also to manipulate their mental wellbeing. An athlete or even a team can be compromised and bribed, blackmailed or forced to lose a match.
  • Site officials and support staff will be targeted to steal access to the venue and to the ICT infrastructure that supports the networks.
  • Fake (mobile) apps will emerge that will compromise users devices that install them.
  • Rogue WiFi networks will be set up to eavesdrop on the communications.
  • Fan engagement mechanisms in the venue will be mis-used to manipulate.

It is clear that the individual will be targeted long before the actual event and even more so while locally on- or around the event. I will share some individual mitigation tips and tricks a bit further on.

The venue infrastructure

Since everything is being more and more interconnected with everything and everyone, malware will spread like a virus. The massive use of WiFi and 5G has boosted connectivity tremendously. Internet of Things devices are connected to the venue’s backbone and all the different venue backbones are connected via Smart City infrastructures to each other. In general it can be said that the security control design and implementation of this new technology boost has been hugely underestimated and is lagging behind. This leads to digital vulnerabilities but even more so to physical vulnerabilities (on the top left of the graph above).

The manifestation of risks from the digital realm into the physical world is a new phenomenon that will be exploited more and more in the future. Heating, Ventilation and Air-Conditioning (HVAC) is connected with the turnstiles and communication systems. Water systems digital control systems (DCS, PLC, SCADA), are connected to lighting, CCTV camera’s and KISS cams. Everything will be controlled remotely, via mobile apps or centrally in he cloud in stead of pressing a button on site. All of the above can lead to severe panic reactions and fatalities when the digital crowd control steward announces a bomb hidden under a chair via the mobile stadium app or narrowcasting system that is used by visitors for free WiFi access.

Edge computing (local small pre-cloud datacenters) used for data analysis combined with 5G is emerging rapidly in sports centers. Real time data is being streamed to fans, sports-betters and e-sportsmen -on site and around the world- to enhance the sports experience.

Cashless stadiums provide services (such as beer) that can be paid electronically via RFID. Mobile RFID apps are used for entry and exit of stadiums and for special VIP treatment. If hacked, people are locked up or locked out.

Imagine what could happen if such infrastructures are hacked or brought to a standstill by a Denial of Service (DoS) attack. Reputations will be damaged and worst case, people will die. If large portions of the infrastructure is infected with ransomware a few hours before the opening ceremony, Bitcoins will be paid!

Next to all of the above, more and more cities are concentrating sports venues in certain areas with specific sports functions (Olympic villages e.g.). Many of these hyperconnected hubs will have a cascading effect on each other when the first cyber domino falls causing a Smart City to lock down and congest with traffic standstills. First responders such as ambulance, police- and firemen won’t be able to reach certain places in time opening up windows of opportunities for crooks and thieves.

The integrity of the sport

“Oakland A’s general manager Billy Beane (Brad Pitt) challenges the system and defies conventional wisdom when he is is forced to rebuild his small-market team on a limited budget. Despite opposition from the old guard, the media, fans and their own field manager (Philip Seymour Hoffman), Beane — with the help of a young, number-crunching, Yale-educated economist (Jonah Hill) — develops a roster of misfits…and along the way, forever changes the way the game is played”. And this is how the concept Big Sports Data was born :-)

Big data has entered the sports world and it has entered with a bang. GPS enabled wearables now register every sports move combined with heartbeats, blood-pressure and temperature. Diet information and resting hours are combined with mental health status and correlated to passes completed, bounces conquered, yards raced and touch downs won. All the data resides in cloud based Athlete Management Systems together with 4k/8k videos of specific training exercises. Hundreds of mobile apps are used to register, analyse, manipulate and combine all that data into new data-lakes full of data that are hyperconnected and exchange data on a real time basis.

Big Sports data enable coaches to buy the right team player in stead of the best player. Sports data therefore can be a decisive factor for the value of an athlete, a team or Olympic team.

It goes without saying that these exabytes of data storage, artificial intelligence and machine learning needs to be protected against (sensitive personal) data breaches, (real time) data manipulation and deletion/ransomware.

Hacking sports betting algorithms, digital match-fixing or court-siding can result in huge sums of money, hacking dietary instructions can lead to sick athletes, hacking training instructions can lead to injuries, hacking your competitors strategy can lead to competitive advantage (and jail time), etc. etc. Just use your own imagination because most of the attack vectors have not come into existence yet. The cyber/privacy risks of Big Sports Data are hugely underestimated and severe data breaches and incidents are to be expected. The sports cyber war has only just started and the hackers are always hedging their bets.

Fighting hackers is an infinite game. The best result nowadays is to stay in it..

What to do as an individual?

If all of the above did not scare you away and you’re still here then let me say “thanks for your attention” first. I will finish this article with some practical advise for the individual attending a future Mega Sports Event such as in Tokyo, Qatar, TourdeFrance, SuperBowl, etc. In short:

Social Media usage

  • Use strong passwords for your socmed apps
  • Enforce Multifactor Authentication on your socmed apps login
  • set visibility to friends only or use a fanpage instead
  • Manage what is shared online

Mobile devices

  • Ensure your device is updated with the latest operating system
  • Backup your device and data in the cloud before traveling to the MSE
  • Setup remote wipe functionality
  • Enable fingerprint and/or facial recognition or at least a pin-code
  • Always lock your device (or enable auto lock)
  • Disable Bluetooth when not needed
  • Disable WiFi when not needed
  • Only use the official password protected event/hotel WiFi
  • or rent a pocket WiFi device with a local plan
  • Always use a VPN
  • Have RFID shields to protect credit and identity cards
  • Be careful when using ATMs — Understand how to spot and avoid card skimmers
  • Be careful with installing third party apps
  • Use a different password for every account you own, and don’t save them in your browser
  • Minimize location services access for mobile apps
  • Exercise caution when presented with popups while browsing
  • Monitor Links and Websites Carefully
  • Avoid Sports event-related scams and phishing attempts delivered via email
  • Be careful when charging your device since juice jacking can happen
  • Limit hardware connections in general
  • Be wary of unsolicited calls or (whapp) messages
  • Limit the personal information given to apps and websites
  • Encrypt datastorage on mobile devices if possible
  • And finally, for the would be geeks, Do not “Root” your Android or “Jailbreak” your iPhone

Further watching:

Growing Threats of Cybersecurity Attacks in Sports by dr. Nate Evans.

The Cybersecurity of Sports: How Technology Interferes With Game Integrity and Fan Safety by dr. Betsy Cooper

Augmented Sports Reality with real time data..

Further reading:

THE SPORT OF CYBERSECURITY: HOW PROFESSIONAL SPORTS LEAGUES CAN BETTER PROTECT THE COMPETITIVE INTEGRITY OF THEIR GAMES, by prof. dr. Scott Shackelford

https://www.ncsc.gov.uk/files/Cyber-threat-to-sports-organisations.pdf

https://cltc.berkeley.edu/wp-content/uploads/2017/10/Cybersecurity_of_Olympics_CLTC.pdf

https://www.immersiv.io/blog/5g-stadiums-sports/

Nasser AL-Dosari Khalifa article about the “IDENTIFICATION AND PREVENTION OF EXPECTED CYBERSECURITY THREATS DURING 2022 FIFA WORLD CUP IN QATAR”

--

--

Dimitri van Zantvliet

dad, husband, friend, explorer, cyber geek, wonderer..and CISO of Dutch Railways