Attacks/Breaches

10/12/2017
11:10 AM
50%
50%

Olympic Games Face Greater Cybersecurity Risks

Cybercriminals may alter score results and engage in launching physical attacks at future Olympic Games, a recently released report warns.

Berkelely, Calif. - The Olympic Games in the coming years are likely to face far more serious cyberattacks and ones that will be more difficult to detect, according to a report released this week by the UC Berkeley Center for Long-Term Cybersecurity (CLTC).

And although the Summer Olympics don't roll into Los Angeles until 2028, US officials are already considering the cybersecurity threats for the high-profile event. The Los Angeles Organizing Committee for the 2028 Olympic Games provided support for the CLTC report.

The concern is understandable. During the 2008 Beijing Olympics, security officials fielded 11 million to 12 million daily alerts, with roughly a half dozen falling into the imminent threat category, according to the report. And in the 2012 Summer Olympics in London, six major security incidents - five of which involved DDoS-related attacks - were brought to the attention of the event's CIO. Last year, at the conclusion of the Rio Olympic Games, Russian hackers pilfered medical records of athletes from the World Anti-Doping Agency.

While most of the threats that have emerged at the Olympics have largely fallen into the categories of reputational harm and financial harm. Cybercriminals ran ticket scams, manipulated websites, pilfered payment information, and attacked maintenance systems, but even more serious attacks are likely in the future, said Betsy Cooper, CLTC executive director, who presented the findings during a panel session here at the University of California at Berkeley this week.

Threats to Grow Darker

While most of the past attacks on sporting events center on IT systems at stadiums and ticket sales and operations, future cyberattacks at the Olympics may occur in eight key areas, says Cooper.

The areas include cyberattacks to facilitate terrorism and kidnappings and panic-induced stampedes; altering scoring systems; changing photo and video replay equipment; tampering with athlete care food dispensing systems; infiltrating monitoring equipment; tampering with entry systems; and interfering with transportation systems.

"I was surprised to learn there are instances where human decisions are overridden by technology," Cooper said, in reference to a growing reliance on using technology to make the first call in a sporting event, rather than a human referee.

She pointed to the reliance of electronic line-calling technology Hawk-Eye that is used in such sports as tennis. The Association of Tennis Professionals (ATP) plans to fully use electronic line-calling technology at its Next Gen Finals match, reports Tennis.com.

"Increasingly technology is being used to assist with referee calls," Cooper said, noting the potential of hackers breaking into such systems and altering the outcome of the scoring systems. "With more automation, there are more potential vectors of attack."

Betsy Cooper, CLTC executive director; Doug Arnot, Broadstone Group Chairman; Brian Nelson, LA 2028 General Counsel; Missy Franklin, five-time Olympic Medalist; and Steve Weber, panel moderator and CLTC faculty director
Betsy Cooper, CLTC executive director; Doug Arnot, Broadstone Group Chairman; Brian Nelson, LA 2028 General Counsel; Missy Franklin, five-time Olympic Medalist; and Steve Weber, panel moderator and CLTC faculty director

These type of attacks not only have the potential to alter the outcome of which athletes become gold-medal winners at the Olympics, but also detection of this type of hacking may be more difficult to detect, she added.

If an electronic referee is called into action multiple times over the course of an athlete's performance, a hacker could occasionally slip in to alter the results just enough to tip the win in the target's favor.

Athletes could also face physical harm if cybercriminals were to tamper with automated food systems that dispense such items as protein drinks that have specific nutrients doled out for each athlete. An Olympic swimmer who is allergic to gluten, for example, could get a protein drink laced with gluten after a cybercriminal, or nation-state, seeks to take that athlete out of the games, according to Cooper.

Such attackers are likely to be cybercriminals looking to make money by betting on certain teams or players and altering the results to win, or a nation-state or patriotic national wanting to rig the game so their home team wins, said Doug Arnot, chairman of the Broadstone Group and a panelist at the Olympics cybersecurity panel.

Missy Franklin, a five-time Olympic medalist swimmer and panel member, said as an athlete she is first and foremost worried about physical security, and then secondly, cybersecurity threats that can alter the outcome of a game.

"It's intimidating and threatening," Franklin said, noting technology is used to determine the swimmer who touches the wall first when deciding the outcome of a game.

That said, however, Franklin noted that human referees are also used to make calls on the way a swimmer makes a lap turn or whether they start the race prematurely.

Keeping a Level Playing Field

CLTC made several recommendations to minimize the attack surface at the Olympic Games. One is to balance opportunity and risk by questioning the need to add new technology at the risk of enlarging the attack surface.

Another suggestion is to have a human as a backup to any technology, and to give human referees the ability to verify that the technology used in the games is producing the correct results.

Cybersecurity training on such issues as phishing to social engineering should be provided to all Olympic staff members and officials, according to the report.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:

 

 

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19349
PUBLISHED: 2018-11-17
In SeaCMS v6.64, there is SQL injection via the admin_makehtml.php topic parameter because of mishandling in include/mkhtml.func.php.
CVE-2018-19350
PUBLISHED: 2018-11-17
In SeaCMS v6.6.4, there is stored XSS via the member.php?action=chgpwdsubmit email parameter during a password change, as demonstrated by a data: URL in an OBJECT element.
CVE-2018-19341
PUBLISHED: 2018-11-17
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample because of a "Read Access Violation near NULL starting at FoxitReader...
CVE-2018-19342
PUBLISHED: 2018-11-17
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample because of a "Read Access Violation starting at U3DBrowser+0x00000000...
CVE-2018-19343
PUBLISHED: 2018-11-17
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read), obtain sensitive information, or possibly have unspecified other impact via a U3D sample because of a "Data from Faul...