Your humble author is starting a new Sniff Wi-Fi blog series today: Bad Security Stories
Yours truly may not be the second coming of Bruce Schneier -- though from what I've read of Schneier's I like his vibe -- but all these years of sniffing (and working in Wi-Fi in general) have led to me picking up a fundamental understanding of communications and data security. So let's blog about it!
A college football cheating scandal -- or at least, the potential for one -- was recently uncovered and resolved in a matter of three days. To steal a quote from a memorable-but-not-to-be-described-in-polite-company scene in the film Tommy Boy... hmm, that's a mystery.
A quick primer:
Throughout last year's college football season, there were several accusations of 'sign-stealing'. Sign-stealing involves watching the hand signals, posters and other 'signs' that football coaches use to tell their players what formation and/or orchestrated 'play' to run, and matching each sign to the play that follows it.
For the 2024 college football season, most conferences (groups of universities which compete against one another in football) adopted wireless coach-to-player communication.
Since coach-to-player communication is one-way communication, more advanced wireless technologies like Wi-Fi and 5G/cellular were not needed (read: too expensive). So the conferences settled on simple wireless communications over unlicensed frequencies; similar to an old-fashioned walkie-talkie.
You can probably see where this is going... Lots of one-way wireless communication is unencrypted, and it turns out that was exactly the case for almost all the big college football teams.
Now, if you know anything about sniffing -- and your humble author would like to think he knows a thing or two -- then you know that passive 3rd party wireless sniffing is undetectable. A receiver emits nothing, so the transmitter has no way to count who is listening. Be it a Wi-Fi network, a cellular network or (in this case) college football coach-to-player communications, a 3rd party can sniff without a trace as long as four conditions are satisfied:
- The eavesdropper must be within radio frequency range of the transmitter.
- The eavesdropper must have a device tuned to the same frequency(ies) as the transmitter.
- The eavesdropper's device must support the communication protocol of the transmitter -- at the physical layer, what we Wi-Fi folks call the 'modulation and coding scheme', or MCS, plus whatever framing sits on top of it.
- The eavesdropper must know the encryption key(s) shared by the transmitter and receiver, or... the wireless communications must be unencrypted.
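To make the four conditions concrete, here is an added example (not code from this blog or from any headset vendor) that simulates a one-way radio link: one transmitter, a helmet receiver and a scanner in the stands. Each receiver walks the conditions in order; the transmitter keeps no record of who heard it. The frequency, the 'NFM' protocol label, the AES-GCM choice and the demo key are all assumptions made for the example.

```go
// Simulated one-way coach-to-player link. Illustrative model only:
// frequency, protocol label, AEAD choice and keys are assumptions.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is what crosses the air. Every field is visible to anyone in range
// with a radio tuned to FreqMHz that can demodulate Protocol.
type Frame struct {
	FreqMHz   float64
	Protocol  string
	Seq       uint64 // transmit counter; doubles as the AEAD nonce
	Payload   []byte // plaintext, or ciphertext||tag when encrypted
	Encrypted bool
}

// Transmitter is the coach's belt pack. Key == nil means "send in the clear".
type Transmitter struct {
	FreqMHz  float64
	Protocol string
	RangeM   float64
	Key      []byte
	seq      uint64
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func nonceFor(seq uint64) []byte {
	n := make([]byte, 12) // standard GCM nonce size
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Send broadcasts msg. Note what is absent: any knowledge of who is
// listening. A broadcast transmitter cannot count its receivers.
func (t *Transmitter) Send(msg string) (Frame, error) {
	t.seq++ // a (key, seq) pair must never repeat: GCM nonce reuse is fatal
	f := Frame{FreqMHz: t.FreqMHz, Protocol: t.Protocol, Seq: t.seq}
	if t.Key == nil {
		f.Payload = []byte(msg)
		return f, nil
	}
	aead, err := newAEAD(t.Key)
	if err != nil {
		return Frame{}, err
	}
	// Seq rides in the clear but is bound in as associated data, so a
	// forged or re-numbered frame fails the tag check.
	f.Payload = aead.Seal(nil, nonceFor(t.seq), []byte(msg), nonceFor(t.seq))
	f.Encrypted = true
	return f, nil
}

// Receiver models a helmet speaker or a scanner in the stands.
type Receiver struct {
	Name      string
	DistanceM float64
	FreqMHz   float64
	Protocol  string
	Key       []byte // nil for a receiver that was never given the key
	lastSeq   uint64
}

var (
	ErrOutOfRange     = errors.New("out of RF range")
	ErrWrongFrequency = errors.New("not tuned to this frequency")
	ErrWrongProtocol  = errors.New("cannot demodulate this protocol")
	ErrNoKey          = errors.New("ciphertext only: no key")
	ErrReplay         = errors.New("stale or replayed frame")
)

// Hear checks the four conditions in order. It mutates only the receiver;
// the transmitter never learns whether this was called.
func (r *Receiver) Hear(t *Transmitter, f Frame) (string, error) {
	if r.DistanceM > t.RangeM {
		return "", ErrOutOfRange
	}
	if r.FreqMHz != f.FreqMHz {
		return "", ErrWrongFrequency
	}
	if r.Protocol != f.Protocol {
		return "", ErrWrongProtocol
	}
	if f.Seq <= r.lastSeq {
		return "", ErrReplay
	}
	if !f.Encrypted {
		r.lastSeq = f.Seq
		return string(f.Payload), nil // fourth condition satisfied trivially
	}
	if r.Key == nil {
		// Encryption hides content, not existence: the eavesdropper still
		// learns that a frame went out and how long it was.
		return "", fmt.Errorf("%w (%d bytes observed)", ErrNoKey, len(f.Payload))
	}
	aead, err := newAEAD(r.Key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, nonceFor(f.Seq), f.Payload, nonceFor(f.Seq))
	if err != nil {
		return "", err // wrong key or tampered frame: GCM tag check fails
	}
	r.lastSeq = f.Seq
	return string(pt), nil
}

func main() {
	coach := &Transmitter{FreqMHz: 462.5625, Protocol: "NFM", RangeM: 300} // constructed values
	helmet := &Receiver{Name: "QB helmet", DistanceM: 40, FreqMHz: 462.5625, Protocol: "NFM"}
	scanner := &Receiver{Name: "scanner, section 12", DistanceM: 120, FreqMHz: 462.5625, Protocol: "NFM"}

	f, _ := coach.Send("Trips right, 94 Z-out")
	for _, r := range []*Receiver{helmet, scanner} {
		msg, err := r.Hear(coach, f)
		fmt.Printf("%-20s unencrypted: %q %v\n", r.Name, msg, err)
	}
	key := []byte("16-byte demo key") // would come from provisioning, never a literal
	coach.Key, helmet.Key = key, key
	f, _ = coach.Send("Trips right, 94 Z-out")
	for _, r := range []*Receiver{helmet, scanner} {
		msg, err := r.Hear(coach, f)
		fmt.Printf("%-20s encrypted:   %q %v\n", r.Name, msg, err)
	}
}
```

Two things to notice when you run it. In the clear, the scanner and the helmet are indistinguishable to the transmitter and both get the play call. After the key is provisioned, the scanner still sees that a frame went out and its length, so encryption removes the content leak but not the fact of transmission; and nothing on the transmitter side changed in either case, which is the whole reason 'no compromise occurred' cannot be asserted from the transmitter's point of view.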
Just going through the list... anyone in the stadium would be within range (especially if they snuck in a directional antenna), the frequencies being used were well-known, the same protocols were used by every team's headsets & helmet speakers, and -- based on ESPN's initial reporting of the breach -- the communications were unencrypted.
4 for 4! We had a definite, documented case of coach-to-player communications being vulnerable to wireless eavesdropping; apparently to anyone in possession of an over-the-counter police scanner! And... if said eavesdropping did happen, it could not possibly be proven or disproven because (again) 3rd party wireless sniffing is undetectable.
That is bad. But honestly, it would not qualify as a Sniff Wi-Fi 'Bad Security Story' on the aforementioned facts alone. Mistakes happen. Unencrypted wireless happens. We don't want to highlight missteps unless there is a significant level of malice or negligence or deception involved... which, in this case, there is.
Just three days after the initial report of Texas Tech -- a relatively strong football team in the Big 12 conference -- asking for an investigation into whether two rival teams might have used non-public knowledge of unencrypted wireless coach-to-player communications to gain an advantage, the Big 12 conference came out with a statement: "At no point was any Big 12 competition compromised."
WHAT??!?!?
How on Earth would the Big 12 conference know that no malicious sniffing occurred? There were tens of thousands of people in the building. Coaching staffs for two Big 12 schools which were privately made aware of unencrypted coach-to-player communications in late September -- Baylor and Texas Christian (TCU) -- were allowed in stadiums without having their persons or possessions searched for scanners. There are literally countless scenarios where a bad actor could have 'compromised' a Big 12 football game without anyone having any clue it was happening because -- say it with me -- 3rd party wireless sniffing is undetectable.
That, my friends, is a Bad Security Story. It is one thing to have a known vulnerability. I don't think it's a reach to say literally everyone reading this blog has, at one point or another, communicated across a platform that was eventually found to have some sort of security limitation and/or flaw.
But to pretend there was no hack just because no evidence of a hack exists?? That's Flat-Earthing my friends. (Flat-Earthing, defined as believing things [like a round Earth] don't exist just because you don't have conclusive evidence that they exist.)
The good news is Big 12 football coach-to-player communications are now encrypted -- the football teams had to ship all their helmets to the helmet speaker vendor to get them fixed, which could be a blog post of its own if I ever do a Problems With Non-Scalable Solutions series -- but we still have no idea if any malicious sniffing ever did occur.
***
Ben Miller has worked in Wi-Fi for wayyyyyyy too many years. (Over two decades now!) You can contact Ben via email or follow him on Twitter, using the contact information below.
If you like Ben's blog, you can support it by subscribing and by shopping through his Amazon link.
Thank you.
Twitter: @benmiller
ben at sniffwifi dot com