Levi’s Stadium is one of the most technologically advanced stadiums ever built.
It features 12,000 network ports, 1,200 access points, 1,700 beacons, and a distributed antenna system (DAS) to accommodate an audience of 68,500 visitors. The stadium’s bandwidth capacity is 40Gbps (4x greater than the NFL stadium mandate put into place in 2015). Fans follow the game on 2,000 IPTVs.
When Levi’s Stadium hosts Super Bowl 50 in just a few days, it’ll bring a new approach to the overall game experience by offering fans network connectivity via Wi-Fi, Bluetooth, and a number of other digital services.
But the more connected stadiums become, the more risks they create. Such a concentration of mobile users could entice hackers looking to steal data from high-profile celebrities, politicians, and others at the game. It could allow someone to commandeer the stadium’s TV screens. It could allow a hacker to enslave thousands of unsuspecting mobile users with no more than a pocket’s worth of technology.
Here’s our assessment of the risks smart stadiums create and how venue operators and fans themselves can stay safe.
The new fan experience at smart stadiums
The demand for smart stadiums is growing as the list of connected venues expands. Some of the newest include Mercedes Benz Stadium, U.S. Bank Stadium, and SunTrust Park in the U.S. Smart stadiums are also being built in Rio for the Olympic Games and in Russia for the 2018 FIFA World Cup.
Think of 70,000 people tweeting, posting, and sharing every moment during the game. It will stretch even the best network to the max, forcing telecommunication companies to upgrade the surrounding infrastructure. Fans at last year’s Super Bowl consumed more than 6 terabytes of data.
This year fans will stay connected through Levi’s Stadium’s 40Gbps of bandwidth capacity provided by Comcast Business Ethernet, beacon and access points supplied by Aruba Networks, and switching equipment from Barcode.
Another dimension of the experience is the Levi’s Stadium mobile app, which lets fans order food to their seats, find the shortest bathroom line, watch real-time replays, and much more.
More connectivity means more opportunities for hackers
Radware’s Emergency Response Team (ERT) experts have assessed the Levi’s Stadium network architecture and have raised several concerns for the venue network operators to take into account.
1. Smart stadiums are a true Bring Your Own Device (BYOD) nightmare.
Open Wi-Fi networks present one of the biggest attack vectors for network- and malware-based attacks. The risk of your mobile device being hacked in an environment like this grows exponentially with more and more people connecting to the same open Wi-Fi.
Fake cell phone towers and access points could be deployed as well to intercept and track users. There is even a risk of a denial of service attack leaving fans unable to take advantage of the benefits of a smart stadium.
Hackers, whether their motives are political, social, or financial, can take advantage of the stadium network to steal personal data such as passwords, emails, and photos.
Unsecured and vulnerable access points or evil twins could be used to spread malware and mine for data. Hackers may gain sensitive user information through fake pop-ups, text messages, or spoofed websites.
2. The Levi’s Stadium mobile app could be compromised.
For instance, credit card information could be leaked when fans take advantage of the food ordering feature.
Last year researchers found the NFL app exposed users’ personal information via a man-in-the-middle (MITM) attack right before the Super Bowl.
3. Hackers could disrupt the game on field or on national TV.
Hackers could also cause game-related issues. During the AFC championship game between the Broncos and Patriots on January 24th, the Patriots experienced network issues with the tablets coaches use to review plays. A hacker could execute such a scheme against either team, knocking out the Wi-Fi used to receive and review plays.
Additionally, the stadium TVs or national TV live broadcast could be compromised since they too connect to the stadium infrastructure.
How to keep Super Bowl fans safe
So, what needs to be done?
Smart stadium and smart venue operators need to regularly review and inspect their network to defend against these threats.
Investing in smart stadium technology is only the first step. The second is investing to keep it secure. There are two major aspects to this.
1. Make sure defenses are in place.
Put in place the right protections before each access point, and protect the whole network from malware. The same applies for protecting application servers.
2. Stay up to date.
Once security is in place, keep it up to date by routinely downloading software upgrades and patches. Conduct audits and penetration testing between events. Use access control lists (ACLs) and load balancing.
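An added example (not from the original article or from Radware): a check an operator could run over wireless survey results to flag evil twins and lookalike network names. The SSID, BSSIDs, channel plan, and scan rows are constructed placeholders, and the check assumes the operator keeps an inventory of authorized radios on fixed channels.

```python
import re
from difflib import SequenceMatcher

# Assumed operator inventory: official SSID and each authorized BSSID with its
# planned channel. All names and addresses here are constructed placeholders.
OFFICIAL_SSID = "Stadium-Guest"
AUTHORIZED = {"02:00:00:aa:00:01": 36, "02:00:00:aa:00:02": 149}

# Constructed survey results: (ssid, bssid, channel)
SCAN = [
    ("Stadium-Guest", "02:00:00:AA:00:01", 36),       # inventoried radio
    ("Stadium-Guest", "02:00:00:aa:00:02", 6),        # known BSSID, wrong channel
    ("Stadium-Guest", "02:00:00:ee:00:99", 11),       # same name, unknown radio
    ("Stad1um_Guest", "02:00:00:ee:00:9a", 1),        # character-swap lookalike
    ("Stadium-Guest-Free", "02:00:00:ee:00:9b", 1),   # official name plus suffix
    ("CoffeeCart", "02:00:00:cc:00:01", 6),           # unrelated neighbor
]

_SWAPS = str.maketrans("0135", "oies")

def normalize(ssid):
    """Fold case, undo common digit-for-letter swaps, drop separators."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold().translate(_SWAPS))

def classify(ssid, bssid, channel):
    """Compare one observation against the inventory and the official name."""
    bssid = bssid.lower()
    if ssid == OFFICIAL_SSID:
        if bssid not in AUTHORIZED:
            return "evil-twin"
        # A known BSSID off its planned channel may be a cloned address.
        return "ok" if AUTHORIZED[bssid] == channel else "channel-mismatch"
    a, b = normalize(ssid), normalize(OFFICIAL_SSID)
    if b in a or SequenceMatcher(None, a, b).ratio() >= 0.85:
        return "lookalike"
    return "unrelated"

def audit(scan):
    """Return every observation that needs follow-up, with its verdict."""
    findings = []
    for ssid, bssid, channel in scan:
        verdict = classify(ssid, bssid, channel)
        if verdict not in ("ok", "unrelated"):
            findings.append((ssid, bssid.lower(), verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SCAN):
        print(*finding, sep="  ")
```

A matching BSSID on the planned channel is not proof of legitimacy, since both can be copied, so findings from a check like this are a starting point for physical location and removal of the rogue device.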
Fans attending Super Bowl 50 should take these simple steps to keep their devices and information secure.
- Ensure your phone is updated with the latest operating system.
- Disable Bluetooth and Wi-Fi when not in use.
- If you have to use Wi-Fi, make sure you are connected to the stadium Wi-Fi – avoid network names similar to the real one.
- Use a VPN.
- Be careful when using ATMs – understand how to spot and avoid card skimmers gathering card data at stadium ATMs.
- Use RFID shields to protect RFID cards, and exercise caution when presented with pop-up notifications while browsing.
Smart stadiums will offer fans a more connected and enjoyable experience, as long as both fans and stadium operators take care to stay secure.
Learn more about the newest security threats from Radware’s 2016 Global Application and Network Security Report.
Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network- and application-based vulnerabilities. Daniel’s research focuses on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigate attacks proactively for its customers.