Industrial espionage is a major threat to all Formula One teams, and the car data is their “crown jewels”. From teams recording the sound of other cars' engines to work out their gear ratios, to the infamous stories of staff stealing data and taking it to other teams, these are all common challenges. During a race weekend at Silverstone there are over 250,000 fans, and it is then that teams are most exposed. We were asked if there was a risk to the teams' IT systems and what we could do to help secure them. The question was: over a 2-day test at Silverstone, could we gain access to the Williams network & their sensitive data?
5am was an early start, but I was quite looking forward to meeting our “friendly pen tester”. We met in a pub car park just down the road from the Silverstone circuit with our contact from Williams, who was acting as our malicious insider for the exercise. Shaun turned up and was not exactly what I was expecting: he was well dressed, articulate & clearly ex-military. We drove in convoy and were then escorted into the Williams motorhome. Over a cup of tea we ran through the initial plan for the two days and confirmed the scope of the exercise that had been agreed. Our main attack vector was going to be the wireless networks in the garage; they had a direct link to the sensitive Williams data in the pit lane and to the factory network back at HQ. As we walked through the garage and onto the pit lane we located the best spot in the grandstand from which to try and get access.
At 9.40am we picked our spot & sat in the grandstand directly opposite the Williams pit garage, with a clear line of sight inside. With a laptop and a directional wireless antenna (called the “cantenna”, though it looked more like a Pringles tube) pointing at the garage, we were able to get a signal on the Williams wireless networks from 100 yards away. At 10.06am, just as I was getting comfy and enjoying watching some of the cars go past, there was a breakthrough. “We are in!” Full access to the network. One of the wireless networks was using only MAC authentication; by spoofing one of the MAC addresses we were straight onto that wireless network. I expected him to get in, but not in less than half an hour.
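MAC-only admission is not authentication: the address is sent in the clear in every frame, so anyone who can hear the garage WLAN can present an allow-listed one. The fix is 802.1X/WPA2-Enterprise (per-client credentials or certificates), but a controller log can also expose a spoofed address after the fact, because two radios sharing one MAC tend to appear on two access points at once with very different signal strengths. The following Python is an added example, not code from the original post or from Williams or Symantec; the log format, AP names, MAC addresses and timestamps are all constructed for the illustration.

```python
"""Flag possible MAC-address spoofing in wireless association logs.

On a WLAN admitted by MAC address alone, one defensive signal is the same
address being associated on two access points at the same time.  The log
format below is an assumption for this example, not a real controller's output.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: hypothetical controller events "ts ap mac event rssi".
# 00:11:22:aa:bb:01 shows up on garage-ap2 while still associated to garage-ap1.
SAMPLE_LOG = """\
2014-07-04T10:01:12 ap=garage-ap1 mac=00:11:22:aa:bb:01 event=assoc rssi=-41
2014-07-04T10:01:15 ap=garage-ap1 mac=00:11:22:aa:bb:02 event=assoc rssi=-45
2014-07-04T10:05:40 ap=garage-ap2 mac=00:11:22:aa:bb:01 event=assoc rssi=-78
2014-07-04T10:06:02 ap=garage-ap1 mac=00:11:22:aa:bb:02 event=disassoc rssi=-44
2014-07-04T10:06:10 ap=garage-ap2 mac=00:11:22:aa:bb:02 event=assoc rssi=-50
2014-07-04T10:09:00 ap=garage-ap1 mac=00:11:22:aa:bb:01 event=disassoc rssi=-42
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ap=(?P<ap>\S+) mac=(?P<mac>[0-9a-f:]{17}) "
    r"event=(?P<event>assoc|disassoc) rssi=(?P<rssi>-?\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip().lower())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["rssi"] = int(ev["rssi"])
            yield ev


def find_overlapping_sessions(text, rssi_gap=20):
    """Return alerts for MACs associated on two access points at once.

    A client that roams normally disassociates (or times out) before it
    reappears elsewhere.  An association on a second AP while the first is
    still live, with an RSSI difference of rssi_gap dB or more, suggests two
    radios sharing one address rather than one client moving around.
    """
    active = defaultdict(dict)  # mac -> {ap: (rssi, since)}
    alerts = []
    for ev in parse_log(text):
        mac, ap = ev["mac"], ev["ap"]
        if ev["event"] == "assoc":
            for other_ap, (other_rssi, since) in active[mac].items():
                if other_ap != ap:
                    delta = abs(other_rssi - ev["rssi"])
                    alerts.append({
                        "mac": mac,
                        "first_ap": other_ap,
                        "second_ap": ap,
                        "first_since": since,
                        "at": ev["ts"],
                        "rssi_delta": delta,
                        "rssi_suspicious": delta >= rssi_gap,
                    })
            active[mac][ap] = (ev["rssi"], ev["ts"])
        else:
            active[mac].pop(ap, None)
    return alerts


if __name__ == "__main__":
    for alert in find_overlapping_sessions(SAMPLE_LOG):
        print(alert)
```

Feed it a real controller's association events (after adapting `LINE_RE`) and it will raise one alert per overlapping association; the `rssi_suspicious` flag separates a genuine fast roam between neighbouring APs from a second radio a long way off, such as one in a grandstand 100 yards from the garage.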
The weather was pretty miserable, so we moved to the comfort of the motorhome to continue the recon. Shaun began expertly probing around the network, checking which ports were open and which IP addresses were responding. For several hours he worked diligently checking which services were open until he found an open web server. He opened it in a browser. It was the management interface for the server infrastructure. With some lengthy in-depth forensic investigation and careful research he was able to establish the user credentials and log on to the management console. From here he could control and shut down the entire server infrastructure, but not actually see any of the data. We took an emergency pause to let them know they needed to fix this, and fix it now. Within 15 minutes the issue had been addressed, the port secured and the risk totally mitigated. We had already provided our value.
As part of the exercise we had set up a couple of machines with some “sensitive” data for Shaun to try and access. One of the machines was secured with Symantec Data Center Security: Server Advanced (DCS:SA) and one was not. The policy we had applied to the secured machine prevented all users, including Administrators, from accessing the files, even if Windows privileges permitted it, unless they used the correct application as the specified user. Now that Shaun was on the network he was able to gain access to both machines using an RDP connection and was merrily navigating his way around the file systems. We had placed a text file “flag” in a directory on each machine and his challenge was to tell us its content. The unprotected file was not a challenge, but for the next several hours Shaun tried many different methods and could not open or read the protected file, even when he had gained Administrator access. From within the DCS:SA console we could see everything that Shaun had tried and how Symantec DCS had kept him out.
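The point of the policy above is that it sits beside the operating system's own permission check rather than replacing it: a protected path is bound to one (user, application) pair, and membership of Administrators does not satisfy that binding. The Python below is an added illustration of that two-layer decision, not code from the original post and not DCS:SA's rule language or enforcement engine; the directory, account and executable names are constructed, and the simplified DACL stand-in is an assumption. It also records every decision, which is the same kind of trail the post describes seeing in the console, and it canonicalises paths so a `..` traversal cannot dodge the prefix match.

```python
"""Model of an application-bound file access policy (constructed example).

Two layers decide a read: a simplified OS permission check, and a policy layer
that binds a protected directory to exactly one (user, process) pair.  The
policy layer ignores whether the caller is an Administrator.  This illustrates
the concept only; it is not DCS:SA's policy language or engine.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str       # account making the request
    process: str    # full path of the executable asking for the file
    path: str       # file being read
    is_admin: bool  # member of local Administrators (Windows privilege)


@dataclass(frozen=True)
class ProtectedPathRule:
    path_prefix: str      # directory covered by the policy
    allowed_user: str     # the only account permitted under the policy
    allowed_process: str  # the only executable permitted under the policy


def _norm(p):
    """Canonicalise a Windows-style path so '..' and case tricks cannot slip past a prefix match."""
    return ntpath.normcase(ntpath.normpath(p))


class ReferenceMonitor:
    def __init__(self, rules):
        # Trailing separator so C:\Secure does not also match C:\SecureOther.
        self.rules = [
            ProtectedPathRule(_norm(r.path_prefix) + "\\", r.allowed_user.lower(), _norm(r.allowed_process))
            for r in rules
        ]
        self.audit = []  # every decision, allow or deny, in order

    @staticmethod
    def os_allows(req):
        # Constructed stand-in for the Windows DACL: Administrators read
        # everything, and the service account owns its own directory.
        return req.is_admin or req.user.lower() == "svc_telemetry"

    def policy_allows(self, req):
        path = _norm(req.path)
        for rule in self.rules:
            if path.startswith(rule.path_prefix):
                # Protected: only the bound user running the bound application.
                return (req.user.lower() == rule.allowed_user
                        and _norm(req.process) == rule.allowed_process)
        return True  # unprotected path: the OS permission check alone decides

    def read(self, req):
        decision = self.os_allows(req) and self.policy_allows(req)
        self.audit.append((req.user, req.process, req.path, "ALLOW" if decision else "DENY"))
        return decision


# Constructed rule: only the telemetry viewer, run as svc_telemetry, may read C:\Secure.
RULES = [ProtectedPathRule(r"C:\Secure", "svc_telemetry", r"C:\Apps\Telemetry\viewer.exe")]


def run_scenarios():
    """Exercise the monitor with the kinds of attempts described in the post."""
    mon = ReferenceMonitor(RULES)
    results = {
        # Administrator over RDP opening the flag in Notepad: OS says yes, policy says no.
        "admin_notepad": mon.read(AccessRequest("admin", r"C:\Windows\notepad.exe", r"C:\Secure\flag.txt", True)),
        # Same, via a traversal path that normalises back into the protected directory.
        "admin_traversal": mon.read(AccessRequest("admin", r"C:\Windows\System32\cmd.exe", r"C:\Public\..\Secure\flag.txt", True)),
        # The unprotected machine's flag: nothing in the policy covers it.
        "admin_unprotected": mon.read(AccessRequest("admin", r"C:\Windows\notepad.exe", r"C:\Public\flag.txt", True)),
        # The one permitted combination.
        "service_approved_app": mon.read(AccessRequest("svc_telemetry", r"C:\Apps\Telemetry\viewer.exe", r"C:\Secure\flag.txt", False)),
        # Right application, wrong account: still denied.
        "admin_approved_app": mon.read(AccessRequest("admin", r"C:\Apps\Telemetry\viewer.exe", r"C:\Secure\flag.txt", True)),
    }
    return mon, results


if __name__ == "__main__":
    monitor, outcome = run_scenarios()
    for name, allowed in outcome.items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY'}")
    print(f"{sum(1 for a in monitor.audit if a[3] == 'DENY')} denied attempts recorded")
```

The design choice worth noting is that `read` requires both layers to agree, so the policy can only ever remove access that Windows would have granted; it never widens it. That is why gaining Administrator on the host changes nothing for the protected directory, while the audit list still shows each attempt.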
As the day drew to a close and ideas ran out, our two days onsite ended. We had shown that pit lane equipment was vulnerable to access from the public grandstand, and with 250,000 fans over a race weekend this could be a serious potential weakness. The risks identified have now been fixed and the project proved to be a success. Shaun had managed to gain access to a number of systems and was satisfied with what he had achieved. Even with the correct Windows privileges he was unable to get access to the files that a well-crafted DCS:SA policy had secured. With everyone feeling pleased with the two days, we shook hands and enjoyed the Formula One cars out on track.
Formula One is a multi-million dollar business where advantages are measured in hundredths of a second; any potential advantage can be worth millions of pounds over a season. Ensuring that the sensitive data is kept secure is paramount to all the teams; Williams uses Symantec DCS:SA to make sure their data is as secure as possible. Learn more about how Symantec keeps Williams security on track.