Cybercrime at Super Bowl LII – How not to get Hacked

If you lose your shirt in Minneapolis, make sure it’s to bettors—not hackers.

Super Bowl LII is this Sunday when Minneapolis plays host to the New England Patriots and Philadelphia Eagles. And wouldn’t you know it, where there are hundreds of thousands of visitors with connected mobile devices and disposable income, there will also be cybercrime.

I’m not sure this weekend represents the Super Bowl for Cybercrime; that distinction probably goes to the Olympics next month. But it’s pretty darned close. The very nature of the event lends itself to all sorts of social engineering and malfeasance.

Think about it: you have an influx of jovial people on a football pilgrimage to support their team. They’re in a new city. They’re looking for things to do, places to go and deals to take advantage of. Many of them are drinking heavily which, I have been told, impairs judgment. It’s a perfect climate for hackers. And they take full advantage.

Cybercriminals will attempt to use football-related websites and apps to spread malware and steal sensitive personal information, or even take over your phone. They’ll also take advantage of social networks and the ability to shorten links (making their actual destination impossible to discern) to infect your connected devices. This may be your first Super Bowl, but it’s not theirs. These criminals know the tricks to get you to click or download what they’re pushing.
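The point about shortened links can be checked before anyone taps one. The following Python example is added here and is not part of the original article: it expands a short link one redirect at a time with HEAD requests, never loading the destination page, and reports where the chain really ends. The function names are this example's own, and the `.example` hostnames in the sample are constructed placeholders.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow, so each 3xx surfaces as HTTPError

def http_head(url, timeout=5):
    """One HEAD request, redirects not followed: (status, Location or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def expand(url, fetch=http_head, max_hops=10):
    """Return every URL in the redirect chain; the last is the real destination."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)

def summarize(chain):
    """Facts worth checking before opening the link."""
    first, last = urlsplit(chain[0]), urlsplit(chain[-1])
    return {"destination": chain[-1], "hops": len(chain) - 1,
            "host_changed": first.hostname != last.hostname,
            "ends_on_plain_http": last.scheme == "http"}

# Constructed sample standing in for the network (placeholder .example hosts).
SAMPLE = {
    "https://sho.rt.example/x7Qp": (301, "https://track.example/r?c=sb52"),
    "https://track.example/r?c=sb52": (302, "http://tickets-login.example/signin"),
    "http://tickets-login.example/signin": (200, None),
}
SAMPLE_CHAIN = expand("https://sho.rt.example/x7Qp", fetch=SAMPLE.__getitem__)
```

Calling `expand(url)` without the `fetch` argument uses `http_head` and makes real HEAD requests; some services answer HEAD differently from GET, so treat the result as a first look at the destination, not proof that it is safe.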

Five Tips for Staying Safe at the Super Bowl

  1. Only Download Apps from Official Marketplaces – Both the Google Play store and the Apple App Store have stringent rules for inclusion. They also regularly remove apps that have security concerns. Only download apps from there. Never download apps from unknown sources.
  2. Don’t root or jailbreak your phone – Yes, it sounds cool to say you have a jailbroken phone. And sure, there may even be advantages to it. But they’re not security-based. Opening up root access just lets hackers bypass built-in security features that would otherwise have protected you.
  3. Keep your Wi-Fi radio off – I know you may want to listen to the call on the radio from your seat in the stadium, or maybe you just want something playing at your tailgate. Use something else. Also, make sure your Wi-Fi radio, or any of your other devices for that matter, don’t automatically connect to Wi-Fi hotspots.
  4. Don’t connect to Public Wi-Fi – A lot of people say, “make sure it’s secure.” You aren’t going to do that. Be honest. Just err on the side of caution and stay off public Wi-Fi hotspots. Yes, it’s an inconvenience, and yes you’ll use more data. But something tells me if you can afford the trip, you can afford a little extra data.
  5. Enable your Built-In Security Features – Android Device Manager and Find my iPhone are examples of proprietary security tools that can make a big difference, allowing you to lock your phone or even wipe it, remotely. This is obviously the nuclear option, but it’s good to have, just in case.

How the Super Bowl itself Prepares for Cyber Crime

Obviously, you don’t get a ton of information about this year’s cybersecurity implementations until after the game itself, because disclosing that information could help undermine said security (right Geraldo?). But we can glean some information from past Super Bowls to give us an idea of the level of security.

For starters, the Super Bowl is more or less a trendsetter in terms of cyber security concepts, strategies, and platforms. What works at the Super Bowl, arguably the largest annual event in the US, will trickle down into the Enterprise sector in the coming months and years.

The Super Bowl’s security implementations feature redundant IT systems that can withstand cyber attacks. Knock one system offline and there’s another ready to step in immediately to avoid any issues. Additionally, information sharing is key. The Super Bowl has to coordinate with state and local law enforcement, as well as with federal agencies and the private sector. If you think this is a nightmare, consider that the Super Bowl is pretty much just dealing with domestic agencies; the Olympics next month in South Korea will require coordination between international agencies, governments, private agencies, and domestic law enforcement agencies.

If that sounds like a logistical nightmare, it’s because it is.

And finally, given the high profile nature of the event, special attention needs to be paid to infrastructure like electrical grids and public safety systems, or really any targets of note. At Super Bowl XLIX four years ago, there was a 30-mile no-fly zone for drones. As drones have advanced, I imagine that no-fly zone is going to be extended as well.

“Conventional methods to detect and mitigate threats from drones are limited; radars either don’t detect drones or characterize them incorrectly (i.e. migratory birds),” explained CACI International vice president Michael Kushin in a column for the Federal Times. “Additionally, if radar does detect the drone, it cannot mitigate the threat or identify the source.”

Even the Teams are Worried About Hacking

Back in 2007, the Patriots were caught filming hand signals on their opponents’ sidelines. It was called Spygate. It was kind of a big deal. The league found the Patriots had years of taped signals matched with the plays they were calling. And while the Patriots claimed everyone else was doing it too, the league felt it was a bad enough violation to dock them a first-round draft choice and $750,000.

If you don’t understand anything about football, just know that it was a massive scandal.

“Spygate was Flintstones stuff compared to what’s going on now,” Ed McAndrew, a former federal prosecutor, now a lawyer specializing in cybercrime at Philadelphia’s Ballard Spahr, told the Philadelphia Inquirer.

What he’s referring to is that in 2011 the NFL began using tablets instead of old-school three-ring binders to hold their playbooks. These tablets are connected devices, and they hold crucial information about their respective teams: plays, schemes, entire game plans.

That information can be compromised in any number of ways. A player could simply lose an unencrypted tablet, or leave it in their car one day and have it stolen, and boom. Everything is blown. Additionally, wireless signals between the coaches and quarterbacks could be intercepted. Or there’s just good old-fashioned social engineering.

“A lot of time the players don’t realize they’re high-profile targets,” Robert Panella, a managing director of K2 Intelligence, told the Inquirer. “And it’s not just the athlete, it’s the family and friends who can put them at risk.”

K2 Intelligence is partnered with the NFL Players Association and works to limit athlete vulnerability.

“We go into [players’] homes and have them put all their devices and accounts on the table,” said Patrick Doherty, another Director at K2 Intelligence. “We don’t just go in and check on the modem, routers, and passwords. We show them their total exposure. Anything online is at risk.”

The Cyber Security Tips InfoSec Experts give to NFL Players

If you were wondering, here is the advice that K2 gives the pros:

Public WiFi should always be deemed insecure. Whether you are using a tablet, a laptop, or an iPhone, when traveling you have fewer protections and could be vulnerable to a man-in-the-middle attack. Someone could set up in a hotel, create an account that masquerades as the hotel WiFi, and intercept all of your communications.

Use a VPN (a virtual private network), or WhatsApp or Signal to encrypt your communications. WhatsApp and Signal are both free in the app store and encrypt data end-to-end, making for more secure texts and calls.

Do not commingle personal and professional data on the same device. Avoid accessing social media accounts on equipment used for business. Do not forward professional data to a personal account.

Use dual-factor authentication when signing on. Even in the event that someone learns your password, a second piece of information can help prevent a hacker from logging on through an unauthorized device.

Don’t keep sensitive information in the cloud.

Ballard Spahr’s Ed McAndrew adds these tips:

Immediately report any suspicious activity or the loss of a device immediately. If you’re an Eagles player, alert your position coach. If a playbook is on a device that’s gone missing, the team could wipe the device before it gets too late.

Don’t share passwords and don’t reuse them. It’s simple data hygiene.

Wrapping Up

Whether you’re going to the Super Bowl or just watching it from home on your couch (or not watching at all), this is good advice for staying safe when you travel anywhere. Your mobile device is your lifeline, but if you’re not careful hackers can use it to hang you. Make sure you know what your devices are connected to, make sure you have strong security in place, and don’t take chances.

Most of all, have fun and enjoy the game!


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.