Page 18 - RealcommEDGE-May-2016
P. 18
the stadium, determine device specifics, and evaluate for known be extremely disruptive. In some cases, it can even help stop
exploits. At no time did the authors manipulate, comprise, gain a team’s momentum. Note that shutting off lights/power is an
unauthorized access, exploit, or perform actions on the system extreme approach, and a fanatical fan may be more likely to take
that are considered illegal. a more subtle approach.
Identification Temperature Control
First, it is necessary to identify exposed stadiums. While Athlete bodies are finely tuned machines, and half time is an
numerous facilities associated with Bryant Denny Stadium were opportunity for rapid recovery and adjustment of game plans. An
discovered, there are three associated building automation attacker with control of a team locker room building automation
systems of interest: the north end zone, the south end zone, and system can alter the temperature within the locker room during
the home team locker room. half time to an uncomfortable heat setting, making it more
Enumeration difficult to concentrate on half
Evaluation of the exposed systems provided pertinent time plan adjustments and
information such as the building automation system negatively impacting the rest
manufacturer. Once the manufacturer was identified, public and recovery period for the
banner enumeration was used to reveal the software version team members. Indeed, a team
number, which was cross-referenced with a database that that had to suffer through a half
contains known vulnerabilities. At this point, an attacker could time with the heater turned
exploit the vulnerable systems and take control of operations. completely on high would no
doubt have to endure suffering
Scenarios that the opposing team is not
An attacker now has the ability to control processes associated subjected to.
with the building automation systems of the north end zone,
south end zone and home team locker room via the Internet. Displays
What impact could a fanatical fan now cause? The following Most stadium displays are
three examples outline plausible scenarios derived from years of electronic and, in many
experience working with building automation system security instances, a control path
and their control processes. exists from the building
automation systems to display
Power systems. There are a handful
Wattstopper is a common energy management and lighting of vendors that make displays
management automation system. Access to this infrastructure and signage for college/professional sporting facilities. For
likely provides the ability to shut off lights or even power example, Daktronics is a very popular manufacturer of sports
associated with various parts of the stadium. As shown during signage, including video and scoreboard displays. From an
Super Bowl XLVII, having a power loss during a live game can impact perspective, changing the score for a live game would
likely have minimal impact. However, tampering with time
16 Realcomm can go unnoticed or create a high degree of confusion. Even
if tampering with the game clock were discovered during the
game, there is little that can be done to rectify the issue if a
snap has occurred before the clock error is discovered. While
modifying the game clock is interesting, a more subtle effect
could be introduced by adjusting the play clock to provide
more or less time. The result could have a powerful effect on the
tempo of the game. For example, if the play clock was modified
to tick off a second every .75 seconds for Alabama, 10 seconds
would be lost for each 40 second play clock. Alternatively,
delaying a clock tick to 1.25 seconds for Auburn would buy them
an extra 10 seconds per play. Given the Monday Night Football
timing error that allowed 18 seconds to accidently tick off the
clock with no one discovering the issue until after the game was
over, this subtle manipulation could potentially be enacted for
some time before discovery.
Mitigation Steps
The source of building automation system exposure for sports
