A World Cup security expert has warned that personal devices are among the most serious cyber security considerations tournament organisers face amid concerns over attacks targeting the event.
Michael Smith, field CTO at Neustar Security Services, who led the cyber security strategy for the 2014 World Cup and Winter Olympics, said threat actors could target devices and applications to launch damaging cyber attacks.
“This is a fascinating topic,” he told IT Pro. “It’s been commonplace for a long time to use mobile applications for events. They hold our stadium tickets and our schedule. People at the event use social media applications to share events and interact with the event, its sponsors, and other attendees.”
While event apps provide attendees with vital information and complement the visitor experience, there is a risk attached as user data can be harvested and used for nefarious reasons, Smith warned.
“It has a huge potential to be abused. If you build the application to export the data without any other kind of logic, the user really doesn’t know how or what you are using.”
In November, European privacy regulators warned that two official World Cup apps posed serious privacy and security risks.
Germany’s data protection commissioner said that data collected by the two apps “goes much further” than what the respective privacy notices claim. These concerns reached such a point that security experts advised visitors to use blank phones if they were absolutely required to download them.
This isn’t the first occasion that a global sporting event has triggered security concerns either. Earlier this year, Chinese authorities were accused of using official event apps to harvest user data and monitor athlete communications during the Beijing Winter Olympics.
Hacktivism and disruption
While data privacy risks for users were a key recurring topic throughout the build-up to the Qatar World Cup, Smith said that broader external threats are also a serious cause for concern.
Large sporting events are “very interesting” from the perspective of attackers and offer a prime opportunity to cause serious disruption to the event, target a huge pool of potential victims, and capitalise on the inevitable strain placed on infrastructure by the influx of visitors.
“An event like the World Cup is more like an ecosystem than it is a single unified event,” he says. “As a security expert, this means that you have a wide variety of attackers with different abilities and goals which leads to having multiple targets that need protecting.”
The two key targets include online resources such as websites and local digital infrastructure, and end-users at the event itself.
“Online targets such as the official event website where the schedule, results, and news are posted is like a 24/7 news site, and a common attacker objective is to cause a website outage or a defacement to get publicity about their issue.”
During the preparation for the 2014 World Cup in Brazil, hacktivists caused serious disruption amidst concerns that vital funds were being allocated to build stadiums rather than improve housing and address long-running social issues.
Smith watched this process unfold in real-time in 2014 and said that cyber threats rapidly escalated as hacktivists sought to raise wider awareness of their respective causes.
“The protest shifted into the online sphere, and at first focused on the state and local government,” he explained. “The hacktivists were wildly successful as far as their technical and tactical goals: gaining system access, stealing data, posting sensitive information in public, and causing website outages.”
Before long, hacktivists shifted their attention to a broader pool of critical targets. Attacks were launched against the Brazilian central government, critical infrastructure, and well-known Brazilian brands.
Similarly, organisations outside of Brazil were targeted, including FIFA and official World Cup sponsors.
Final security concerns
With previous instances of hacktivist-led disruption at sporting occasions, it comes as no surprise that security experts have been watching events closely in Qatar.
The competition has been fraught with long-running claims of corruption and criticism of domestic social policies, making the final an opportune moment for hacktivists to make a statement on the global stage.
In late November, the warning signs were already there. Hacktivists waged a successful attack on the Qatari Ministry of Justice which saw a large volume of data stolen from a web application database and disruption to the website.
Ahead of the final, Smith said there is a serious risk that threat actors will attempt to disrupt the occasion by targeting official websites and broadcasting.
“Live video streaming from the stadium is usually licensed to a series of broadcasters and can be disrupted by a distributed denial of service (DDoS) attack against the entry point where the distribution network gets the video feed,” he said.
“Or, in a worst-case, admittedly movie-plot scenario, the attackers [could] change the video feed to show their own content.”
The prospect of a movie-plot-type scenario isn’t as far-fetched as it seems. Earlier this week, US-based sports broadcaster FuboTV was the target of a sophisticated cyber attack which knocked services offline during the semi-final between France and Morocco.
The outage sparked a wave of complaints from frustrated viewers who were unable to watch France battle for a hard-earned victory.
In a statement, the broadcaster confirmed that the outage was due to a “criminal cyber attack” and revealed it was working with cyber security firm Mandiant to investigate the incident.
Ticketing risk
Visitors attending the final in person on Sunday are also at risk of the disruption posed by cyber attacks, Smith said.
In 2014, Smith's teams were forced to contend with a piece of bot malware known as ‘Scorpyn Scanner’ which affected ticket sales infrastructure. With match tickets being released on a timed basis, this malicious bot would reserve tickets and cause serious disruption to customers.
“When it detected that tickets were released, it would reserve them and pop up a dialogue in the users’ browser so that they could click through and fulfil the order. However, people were running this bot and doing the online equivalent of queue-cutting, resulting in people not getting their tickets,” he said.
“Bots like this are still being used and are easy to find through simple Google searches.”
Don’t take risks with personal devices
For fans on the ground in Qatar this weekend, Smith issued a final warning over the prospect of using personal mobile devices at the event.
Similar to calls made by European privacy regulators, Smith says that using mobile devices places fans at great risk and advised them to take steps to mitigate potential threats.
“For the Sochi and Beijing Olympics, there were a lot of warnings about not taking electronic devices into those countries because they have a higher risk of your device getting attacked,” he said.
“These hacked devices are then taken home or to work where they are then connected to a different network, enabling attackers to use that malware to pivot into that network. Those attackers are criminal gangs or nation-state actors who want to hack devices in order to get access to other systems.
“One thing I would take under serious consideration is taking a device to a sporting event. If you need to take it, the best practice would be enabling airplane mode, so it doesn’t connect to a network.”
