Whenever tens of thousands of devices are crammed onto one public wi-fi network, there will always be security risks. But add to the mix the high-profile nature of the Super Bowl—an event that consistently earns a top-priority security response from federal law enforcement—and there is a real cause for worry.
The heightened concern stems in part from the kinds of people that generally attend the big game, says Carl Herberger, the vice president for security at Radware, an Israel-based cybersecurity company. The stadium is likely to be packed with wealthy corporate executives and sponsors, politicians, and celebrities, many of whom carry around mobile devices brimming with sensitive information and valuable contacts.
Herberger estimates that between fans’ mobile devices and the stadium’s built-in connections, there will be somewhere around 100,000 devices connected to the stadium this weekend. In one potential attack, hackers could infiltrate attendees’ phones through a security hole in stadium infrastructure—its wi-fi network, for example, or its official app. By infecting a large group of devices, the hacker could establish a botnet, a network of connected devices that work together to complete larger-scale attacks like sending spam or flooding a server with requests in a denial-of-service attack. The huge network “becomes a gigantic single point of failure, like the Death Star, for a bot,” Herberger said. “It’s a nice, juicy target to conscribe into your botted army.”
Short of establishing a botnet, hackers could fool stadium-goers into connecting to the wrong wi-fi network. This is a popular trick in airports: An open, free wireless network with an innocuous-sounding name entices people to connect. But once they’re on the network, a man-in-the-middle attack can intercept unencrypted web traffic, or inject malicious code and infect the connected device.
Hackers can also use the same “evil-twin” approach to mimic a cell tower rather than a wireless router. Many law-enforcement agencies use these devices, often called Stingrays, to scan and find a target cell phone in a populated area. Deployed by a hacker, a cell-site simulator could allow for man-in-the-middle attacks through a device’s mobile data connection.
Some companies have publicized the fact that they supplied Levi’s Stadium with networking equipment and infrastructure, Herberger noted. “To be honest, I think that’s a bit disturbing,” he said. Knowing the stadium’s hardware and software setup could help hackers tailor an attack to the vulnerabilities in a specific product.
Law enforcement hasn’t shared the specific cybersecurity precautions in place in Santa Clara, and the NFL would not comment on its security plan. But the area is preparing for every eventuality: To secure the stadium from attacks, the NFL is collaborating with the Department of Homeland Security, which has designated every Super Bowl since 2001 a “national-security special event,” unlocking extra resources, personnel, and surveillance equipment. Hundreds of federal agents from agencies like the Transportation Security Administration, Customs and Border Protection, and the Coast Guard will pitch in, a DHS spokesperson said.