The 21st Football World Cup is on from 14 June to 15 July 2018: while most of the action will be taking place in the real world, in Russia, some will be fighting it out on the virtual side. Whether they handle match broadcasts, betting platforms or ticket sales, IT systems also need a defence.
Like all big sporting events, the Football World Cup is a special occasion to bring the world together, but also a stage for instability between governments, such as the recent issues between Russia and Ukraine. The main difference between matches on the grass and virtual attacks is that hackers usually take care not to show their colours: the goal here is to leave as few traces as possible. Attributions is a political game rather than a question of IT; it takes a nose to distinguish real fingerprints from dummies left by attackers.
Access providers, operators and ADSL boxes are all potential targets to hit a goal, less with the aim to cause mayhem by infuriating spectators deprived of broadcasts than to discredit the organising country by subjecting it to disruptions in critical infrastructures like hospitals or road networks. Russia would (again?) make cyber headlines...
Broadcasts: the sticky issue of information confidentiality
Any match broadcast is a potential target for hacking: from simply blocking it, like Amélie Poulain taking revenge on her neighbour by unplugging his antenna whenever there’s a goal, to a much bigger, almost industrial scale. It’s a tricky question: being able to transmit data, but not too much; broadcasting to customers, but making sure that they cannot use their signal to share with neighbours.
In the Arabian Peninsula, the Qatari group BeIN Sports is already accusing Saudi Arabia of financing large-scale hacking of its programmes. So what defence is there? How does one encode data to be broadcast? Just one customer with ill intentions (or too good intentions, depending on your point of view) can get hold of a decoded flow and send it elsewhere. Which brings back the old question of Digital Rights Management: how do you guarantee that someone who is watching a medium cannot transmit it? In this case, the technique chosen by BeIN Sports for the time being is to make all its programmes free! Which implies that the group will have to identify other sources of revenue (through additional content or advertising).
Black market and betting platforms: data integrity is paramount
The main challenge for electronic tickets is not so much data confidentiality, but availability and authenticity. Like the previous World Cup in Brazil, this year’s tournament has already seen signs of huge phishing campaigns to sell fake tickets. Coupled with denial of service (or DoS) attacks, the consequences would be disastrous, if a system that is unable to distinguish real tickets from fake ones causes gigantic queues at the entrance to stadiums, and generates very real security problems with hooligans. As for image, imagine an opening match between Russia and Saudi Arabia in an almost empty stadium, with most of the spectators blocked outside the gates... Or sports journalists abandoned in their press rooms with no Internet connection. Data must therefore be protected by firewalls, redundancy equipment and operational backups, even without Internet access.
As for image, imagine an opening match between Russia and Saudi Arabia in an almost empty stadium, with most of the spectators blocked outside the gates...
The question of integrity should of course not be neglected: it is important to know if the right person is holding the ticket. But since this kind of electronic fraud has less disastrous consequences, the problem of integrity comes after that of availability. The aspect of the World Cup where integrity is most critical, is betting platforms: how do you make sure the wins go to the right person, the one who had the intuition to guess that Iceland would kick that unlikely saving goal against Argentina in the 89th minute? It is of course possible to encrypt the information and in this case, particularly, to use cryptographic signature technology to make sure the “prediction” was written by the right person (the betting site, not the attacker), at the right moment (preferably before the goal!), and that the money is then paid out in the proper way through the banks.
Unlike systems that give preference to data availability, for instance with tickets, in this case the integrity of the data prevails over availability – no use having a safe that continues to operate once it has been emptied. On an online betting site, one would therefore want to make sure that bets are stored in places that are safeguarded from attacks, not by backup or redundancy systems, but by real, buttoned-down network protection that combines encryption, keywords, firewalls and an automated analysis system to identify fraudulent behaviour.
What about matches?
There remains, of course, the critical moment of the match. Inside the stadium, while sports commentators need a connection to let us experience the action live, broadcast vans with their enormous, roof-mounted antennae are mostly autonomous and linked directly to satellites. Unless someone is physically there to scramble the van’s signal – and manages not to get caught – it is unlikely for a satellite to get high-jacked in the heat of a match.
At least on the field, all can rest assured. For the moment, the likelihood of hackers changing video-referee images in real time and turning Gignac’s kick against the post into a goal against Portugal is still in a distant future. And even a completely hacked-down video referee won't mean that Sergio Ramos can tackle the opponents’ goal at his own sweet will – there are still (in theory) people in the real world to keep an eye on such detail. And by abiding with proper digital rules, players should also be safe from attempts to destabilise them; the British government has even gone as far as to brief the English team on the risks of cyber attacks via their smartphones and game consoles! As long as they are not androids that can be hacked from a distance, one might still hope to see a fair game.
The British government has even gone as far as to brief the English team on the risks of cyber attacks via their smartphones and game consoles
The weakest link, currently, is still broadcasting, not from the van, but by viewers. After broadcast, no audio or video content remains unavailable for long outside of the traditional market. Ensuring confidentiality with one or even 10 persons of trust is one thing; ensuring confidentiality with hundreds of millions of viewers remains a pipe dream.
But is that really the most serious issue? On 20 May, Michel Platini declared that the 1998 World Cup was "hacked" by its organisers to avoid a France-Brazil match before the final. What if, for the next World Cup four years from now, we let Artificial Intelligence organise the event, and leave humans to play on the field?
Thanks to Paul Fariello, Security Researcher and attacking midfielder in the Security Intelligence team at Stormshield, for his valuable help in writing this article, together with Usbek & Rica.