The hacking of stopwatches used during the Olympic Games is often cited as a concrete example of a computer threat. But, paradoxically, the vulnerabilities of this type of equipment are very little documented.
This April 23, 2024, magistrates from the Paris public prosecutor's office present to a slew of journalists the major issues of the moment. Obviously, they mention the Paris Olympic Games, which will begin in less than 90 days. And during an update on the state of the threat, they mentioned the risk of hacking of timing systems. In this case, handling the stopwatches used during the competition is, in fact, almost a necessary step. THE media regularly cite this peril, understandable to the general public.
Advertisement
The strategy of security through obscurity
As the specialist watchmaking magazine reminds us Europa Starthe Swiss firm, a subsidiary of Swatch Group, “ has made its participation in the Olympics a central element of its storytelling, the objective of which is to strengthen its historical anchoring as a high-precision brand. » Certainly, the doctoral student in the history and sociology of sport Guillaume Rayot, a specialist in games and chronometry, has not yet observed in his research any error other than human in sports chronometry. But he has not yet gone through all the past editions – he is in 1990. This lack of response does not surprise him. “Switzerland not only cultivates banking secrecy, it maintains discretion over its technical innovations in the watchmaking field, one of its favorite sectors”notes the academic.
This strategy of security through obscurity — relying on secrecy to protect yourself from hackers — however has its limits. Due to the central place that chronometers occupy in sporting competitions, and the prestige issues that result from this for the nations involved, this makes them particular targets. To distort the results of other athletes or to rig the performances of those you want to help.
The suggestion of hacking chronometers is all the greater because, ultimately, these devices are connected objects and gadgets like any other. They face the same IT security challenges.
In this case, these are in particular cameras Scan'O'Vision Myria. These sensors machine-gun the finish line of the races to calculate the precise time of the athletes. This equipment is connected to its control station, equipped with the Windows operating system, via a local wired network, we learn a 2017 version of the user manual.
Advertisement
How would a pirate wanting to attack the Olympic times go about it?
“For a malicious hacker, the first thing to do would be to obtain a copy of this equipment”, explains Renaud Feil, the boss of the IT security company Synacktiv. It doesn't matter whether it's second-hand from a sports federation, or new by buying it from a reseller. “Windows or Linux would be the most familiar targets to attack, attempting to bypass known vulnerabilities to trick or tamper with the clockhe continues. But for more motivated hackers, the sensor or the transmission of information between the sensor and its station can be interesting targets. »
This could represent a challenge for hackers. Certainly, there is no known hack of an Omega sports timing system. But that obviously doesn't mean the equipment is invulnerable. For the moment, computer security researchers are more interested in equipment aimed at the general public, with very different functionalities. In a facetious way, some clever kids had fun running the cult video game since 2015. Doom on the Apple Watch. These watches are supposed yet be restrained. This includes protecting their users and keeping them in the Apple brand ecosystem.
“ We've only scratched the surface »
Closer to home, security researcher Tao Sauvage was interested in the vulnerabilities of Garmin watches. It is one of the key players in the smart sports market. As he explains on his employer's blog, Anvil Securea computer security specialist, the researcher discovered a dozen vulnerabilities on his Garmin Forerunner 245 in 2022. This allowed him to take control of this watch intended for runners.
Ultimately, the flaws found affected “ over a hundred models, including fitness watches, outdoor handhelds and bicycle GPS “, he added ” One thing is certain in my opinion: we have only scratched the surface », added Tao Sauvage about these vulnerabilities. These were first responsibly reported to the manufacturer before being detailed publicly.
Falsifying time, a security issue
The question of time security, however, goes beyond the sole field of watches or stopwatches. Researcher Adam Laurie showed this during a presentation at the conference Black Hat Europe. The latter then made a demonstration of time synchronization signal spoofing. However, a falsified time signal could be used by malicious actors to cover their tracks after an attack.
“ When you investigate an incident, you look through event logs within a certain window of time to piece together when unusual activity occurred “, he recalled. So what happens if a hacker succeeds in tampering with the clocks? The automatic recordings of activities would no longer be on the correct dates. “ You will never see events recorded before the incident actually occurs, added Adam Laurie. And in some cases, you may not even realize you're looking at the wrong time window. » Whether we are in the middle of the Paris Olympic Games or not…
