The Stadium of the Future Is Smart, But Is It Safe? How Hackers Could Target the Super Bowl – And How to Stop It


Levi’s Stadium is one of the most technologically advanced stadiums ever built.

It features 12,000 network ports, 1,200 access points, 1,700 beacons, and a DAS system, looking to accommodate an audience of 68,500 visitors. The stadium’s bandwidth capacity is 40Gbps (4x greater than the NFL stadium mandate put into place in 2015). Fans follow the game on 2,000 IPTVs.

When Levi’s Stadium hosts Super Bowl 50 in just a few days, it’ll bring a new approach to the overall game experience by offering fans network connectivity via Wi-Fi, Bluetooth, and a number of other digital services.

But the more connected stadiums become, the more risks they create. Such a concentration of mobile users could entice hackers looking to steal data from high-profile celebrities, politicians, and others at the game. It could allow someone to commandeer the stadium’s TV screens. It could allow a hacker to enslave thousands of unsuspecting mobile users with no more than a pocket’s worth of technology.

Here’s our assessment of the risks smart stadiums create and how venue operators and fans themselves can stay safe.

[You might also like: Here Are The Specific Ways the Republication National Convention (RNC) and Democratic National Convention (DNC) Will Be Cyber Attacked]

The new fan experience at smart stadiums

The demand for smart stadiums is growing as the list of connected venues expands. Some of the newest include Mercedes Benz Stadium, U.S. Bank Stadium, and SunTrust Park in the U.S. Smart Stadiums are also being built in Rio for the Olympic Games and in Russia for the 2018 FIFA world cup.

Think of 70,000 people tweeting, posting, and sharing every moment during the game. It will stretch even the best network to the max, forcing telecommunication companies to upgrade the surrounding infrastructure. Fans at last year’s Super Bowl consumed more than 6 terabytes of data.

This year fans will stay connected through Levi’s Stadium’s 40Gbps of bandwidth capacity provided by Comcast Business Ethernet, beacon and access points supplied by Aruba Networks, and switching equipment from Barcode.

Another dimension of the experience is the Levi’s Stadium mobile app, which lets fans order food to their seats, find the shortest bathroom line, watch real-time replays, and much more.

More connectivity means more opportunities for hackers

Radware’s Emergency Response Team (ERT) experts have assessed the Levi’s Stadium network architecture and have raised several concerns for the venue network operators to take into account.

1. Smart stadiums are a true Bring Your Own Device (BYOD) nightmare.

Open Wi-Fi networks present one of the biggest attack vectors for network- and malware-based attacks. The risk of your mobile device being hacked in an environment like this grows exponentially with more and more people connecting to the same open Wi-Fi.

Fake cell phone towers and access points could be deployed as well to intercept and track users. There is even a risk of a denial of service attack leaving fans unable to take advantage of the benefits of a smart stadium.

Hackers, whether their motives are political, social, or financial, can take advantage of the stadium network to steal personal data such as passwords, emails, and photos.

Unsecure and vulnerable access points or evil twins could be used to spread malware and mine for data. Hackers may gain sensitive user information through fake pop ups, text messages, or spoofed websites.

2. The Levi’s Stadium mobile app could be compromised.

For instance, credit card information could be leaked when fans take advantage of the food ordering feature.

Last year researchers found the NFL app exposed users’ personal information via a man-in-the-middle (MITM) attack right before the Super Bowl.

3. Hackers could disrupt the game on field or on national TV.

Hackers could also cause game-related issues. During the AFC championship game between the Broncos and Patriots on January 24th, the Patriots experienced network issues with the tablets coaches use to review plays. A hacker could execute such a scheme against either team, knocking out the Wi-Fi used to receive and review plays.

[You might also like: 2016 Summer Olympics: In the Crosshairs]

Additionally, the stadium TVs or national TV live broadcast could be compromised since they too connect to the stadium infrastructure.

How to keep Super Bowl fans safe

So, what needs to be done?

Smart stadium and smart venue operators need to regularly review and inspect their network to defend against these threats.

Investing in smart stadium technology is only the first step. The second is investing to keep it secure. There are two major aspects to this.

1. Make sure defenses are in place.

Put in place the right protections before each access point, and protect the whole network from malware. The same applies for protecting application servers.

2. Stay up to date.

Once security is in place, keep it up to date by routinely downloading software upgrades and patches. Conduct audits and penetration testing between events. Use ACL and load balancing.

Fans attending Super Bowl 50 should take these simple steps to keep their devices and information secure.

  • Ensure your phone is updated with the latest operating system.
  • Disable Bluetooth and Wi-Fi when not in use.
  • Make sure you are using the stadium Wi-Fi if you have to use it – avoid network names similar to the real one.
  • Use a VPN
  • Be careful when using ATMs – Understand how to spot and avoid card skimmers. gathering card data at stadium ATM’s
  • Use RFID shields to protect RFID cards and exercise caution when presented with pop up notifications while browsing

Smart stadiums will offer fans a more connected and enjoyable experience, as long as both fans and stadium operators take care to stay secure.
Learn more about the newest security threats from Radware’s 2016 Global Application and Network Security Report.

Learn more about cyber-attack detection and trends in the 2016 Global Application and Network Security Report.

Download Now

Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

CyberPedia

An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

CyberPedia
What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center