Silicon Valley’s High-Tech Super Bowl Stadium Could Be a Target for Hackers

The Bay Area will host this year’s big game in the league’s newest venue, an arena chock-full of technology and networking equipment.

The San Francisco 49ers play a home game at Levi's Stadium in Santa Clara, California. (Tony Avelar / AP)

As many as a million fans in Denver orange and Carolina blue are expected to descend on the Bay Area this weekend for the Super Bowl. Of those, some 70 thousand of the luckiest, wealthiest, and best connected will get to watch the game from inside the state-of-the-art Levi’s Stadium in Santa Clara.

Completed in 2014, the stadium lives up to the reputation of its Silicon Valley home. Crammed full of networking equipment and 400 miles of fiber-optic cable, it was built with an outsize capacity for supporting Internet-connected devices. Underneath the stadium seats, 1,300 wi-fi access points broadcast a free wireless network to the assembled fans, who are never more than 10 feet from a node. The entire arena can handle a traffic load that’s four times higher than NFL’s minimum standard for football stadiums.

The stadium’s connectivity is aimed at solving a problem that is increasingly plaguing older venues: During well-attended games, cell and wireless networks can easily get clogged up when too many fans tweet, post photos, and stream video all at once. The networks built into Levi’s Stadium are designed to banish this modern nightmare—but their sheer scale makes the stadium an attractive target for cyberattacks.

Whenever tens of thousands of devices are crammed onto one public wi-fi network, there will always be security risks. But add to the mix the high-profile nature of the Super Bowl—an event that consistently earns a top-priority security response from federal law enforcement—and there is a real cause for worry.

The heightened concern stems in part from the kinds of people that generally attend the big game, says Carl Herberger, the vice president for security at Radware, an Israel-based cybersecurity company. The stadium is likely to be packed with wealthy corporate executives and sponsors, politicians, and celebrities, many of whom carry around mobile devices brimming with sensitive information and valuable contacts.

Herberger estimates that between fans’ mobile devices and the stadium’s built-in connections, there will be somewhere around 100,000 devices connected to the stadium this weekend. In one potential attack, hackers could infiltrate attendees’ phones through a security hole in stadium infrastructure—its wi-fi network, for example, or its official app. By infecting a large group of devices, the hacker could establish a botnet, a network of connected devices that work together to complete larger-scale attacks like sending spam or flooding a server with requests in a denial-of-service attack. The huge network “becomes a gigantic single point of failure, like the Death Star, for a bot,” Herberger said. “It’s a nice, juicy target to conscribe into your botted army.”

Short of establishing a botnet, hackers could fool stadium-goers into connecting to the wrong wi-fi network. This is a popular trick in airports: An open, free wireless network with an innocuous-sounding name entices people to connect. But once they’re on the network, a man-in-the-middle attack can intercept unencrypted web traffic, or inject malicious code and infect the connected device.

Hackers can also use the same “evil-twin” approach to mimic a cell tower rather than a wireless router. Many law-enforcement agencies use these devices, often called Stingrays, to scan and find a target cell phone in a populated area. Deployed by a hacker, a cell-site simulator could allow for man-in-the-middle attacks through a device’s mobile data connection.

Some companies have publicized the fact that they supplied Levi’s Stadium with networking equipment and infrastructure, Herberger noted. “To be honest, I think that’s a bit disturbing,” he said. Knowing the stadium’s hardware and software setup could help hackers tailor an attack to the vulnerabilities in a specific product.

Law enforcement hasn’t shared the specific cybersecurity precautions in place in Santa Clara, and the NFL would not comment on its security plan. But the area is preparing for every eventuality: To secure the stadium from attacks, the NFL is collaborating with the Department of Homeland Security, which has designated every Super Bowl since 2001 a “national-security special event,” unlocking extra resources, personnel, and surveillance equipment. Hundreds of federal agents from agencies like the Transportation Security Administration, Customs and Border Protection, and the Coast Guard will pitch in, a DHS spokesperson said.

Stadiums’ vulnerability to technology glitches was on display as recently as last week, when the Microsoft tablets on the New England Patriots sideline stopped working mid-game. Teams use the tablets to review photos of recent plays, but a “network cable malfunction” rendered the Patriots’ technology inoperable for part of the first half of the AFC Championship game, according to the NFL.

Much more worrying, the 2013 Super Bowl was delayed for more than 30 minutes just after halftime, after the power went out in parts of the New Orleans Superdome. The blackout was caused by a malfunction in a device that was monitoring the electrical load to the the stadium. According to the manufacturer, the device sensed an “abnormality” and shut down the power.

In the runup to this year’s Super Bowl, the FBI is investigating a spate of attacks on fiber-optic cables in the Bay Area. In an internal memo obtained by NBC Washington, officials wondered if the pattern of severed cables could be part of a “more complex plot,” but said that there are no “specific, credible threats” against the Super Bowl.

If you’re one of the bigwigs or high-rollers attending the game, how can you keep your own devices safe? Make sure you’re connecting to the authentic stadium wi-fi and not a malicious knockoff—or better yet, avoid wi-fi in favor of generally more secure mobile data. Installing a virtual private network can help keep more sensitive information safe.

But the best thing to do is use your device as little as possible, and disconnect from networks unless you’re using them. “Consider everything public,” Herberger said. “If you’re afraid of seeing it on The New York Times, then don’t do it.”