Digital Dark Side of the Winter Olympics

Jul 15, 2009

Highway 99, the Sea-to-Sky Highway, runs from ­Vancouver to Squamish along the Howe Sound on the way to Whistler, and is one of my favorite drives in all of North America. For 17 days this coming February, the Sea-to-Sky Highway is going to be swamped with millions of travelers traversing the 120 miles from Olympic venues in Vancouver to the slopes in Whistler.

Policing crazy drivers won’t be the only security problem at the 2010 Olympics and Paralympics. In fact, traffic is likely to be the least of the many security challenges. More than a million visitors will be descending on British Columbia. With 80+ nations and some 5,500 athletes participating, even a security force north of 50,000 people is likely to have difficulty keeping everyone safe.

And since we’re all intimately familiar with the events of Munich in 1972, all of us want to see the Olympics of 2010 proceed smoothly. There are always threats, of course. They range from overly lubricated sports fans to groups like the ­militant Islamic Uighur separatists, who threatened suicide bombings at Beijing Olympics in 2008.

Reduce the Risk: Go “Lean”
Beyond physical security is the growing issue of cyber-security. Cyber-security concerns are not simply a question of whether a few laptops are getting hacked. In fact, the digital threat ­vector represents issues impacting communications ­confidentiality, identity theft, emergency response, organized crime, and even (perhaps especially) espionage.

Let’s look at the technologies we’re dealing with. Of course, journalists, business people, and most of the security team will be carrying laptops or using desktop computers. All of these connect to the Internet either over a wire-based network or wirelessly, via some variant of WiFi.

When a hacker targets a WiFi connection, he’s usually attempting to gain access to files and personally identifiable information from either the data stream traveling over the network, or by tunnelling into the PC or laptop itself. The other common activity of Internet-protocol hacking over a wireless network, like WiFi, is to introduce some form of spyware or malware to the digital device.

Then there are all those phones. Most Vancouver providers offer GSM service, while a few offer CDMA with somewhat better reception. Most hackers won’t target these mobile telecommunications standards. A much easier (and far more potentially lucrative target) are the Bluetooth and WiFi radios that more and more phones are equipped with.

While many security officials are familiar with WiFi ­hacking, most aren’t quite as familiar with Bluetooth attacks – and these can be particularly troubling.

First, although Bluetooth is intended for close-range networking (within 10 meters or so), Bluetooth devices have been “sniped” from far longer distances – accessed by ­specially modified communications “rifles” from upwards of a mile away or more.

A Bluetooth intrusion can also introduce malware and spyware to the device, although this is far less prevalent than on PCs. More commonly, a Bluetooth intrusion can remove data, notes, contact information, and other personal and private information from the device, most often for later identity theft and other crimes.

However, Bluetooth intrusions have also been used to tap phones, creating a mobile “bug” going wherever the owner goes, as well as a turning the phone into a tracking device, designed to locate the phone’s owner at any time. As you might imagine, with the number of dignitaries at an event like the Olympics, turning phones into mobile tracking bugs opens up a wide world of worry.

It’s also possible to turn a smartphone like a BlackBerry into a bugging and tracking device without Bluetooth. All it takes is a few minutes out of the owner’s hands to launch a Web page and download a software program that hides on the device.

Keep in mind that the typical iPhone and BlackBerry can hold up to about 16GB of data. In 2007, I wrote that a typical phone could hold 64MB, roughly the equivalent of 28,000 printed pages of data (or seven complete sets of all seven Harry Potter novels). But 16GB is 250 times that capacity.

A typical 4-drawer file cabinet holds about 16,600 sheets of paper (trust me, I did the math). 250 times 28,000 pages is about 7 million pages – or 421 file cabinets. That’s what a typical BlackBerry or iPhone can store – the equivalent of 421 file cabinets of confidential information.

If you were so inclined, you could lug those 421 file cabinets onto an Olympic ice hockey rink and you’d be able to fill the entire rink from goalie to goalie – with file cabinets arranged side-by-side. Twice. That’s how much data a typical BlackBerry holds.

It’s easy to see how a hijacked phone can put someone’s safety at risk and how intercepted or stolen data from computers and phones can have a severe impact on privacy, identity theft, and even espionage. People keep extremely confidential information on these devices, and if a phone from a senior government official is hacked or stolen, the information could comprise a motherload of intelligence “take.”

Fortunately, some rather simple practices can reduce the risks of these digital devices measurably. First, turn Bluetooth off. Yes, it may mean you can’t talk on your cute little headset, but I’m sure you’ll survive for a few days. Next, never, ever give your phone to anyone else, and always have a strong awareness of where it’s located. Guard it as securely as you would guard your wallet.

When it comes to your computer, be sure to install a software firewall, keep your virus and spyware definitions up to date, and update all your software before you leave for the Olympics.

When connected to any network at the Olympics, refrain from accessing anything sensitive, especially banking information. If possible, clean your PC of all potentially sensitive files as well – go as lean as you can.

The bottom line is this: a digital intrusion is the easiest way to get inside of all your physical defenses – and the damage done is often orders of magnitude more ­difficult to recover from than all but the most heinous of physical attacks.

David Gewirtz is the Cyberterrorism Advisor for the International Association for Counterterrorism and Security Professionals, a member of the FBI’s InfraGard program, and a member of the U.S. Naval Institute. He can be reached at
© FrontLine Security 2009