Back in June of 2017, famous soccer player Lionel Messi wanted a secure wedding where no information could leak out from the party premises. Fernando Villares from the InteliX Ingeniería company was in charge of security at the wedding and succeeded in isolating the perimeter from the outside world by using free software and tools. Most interestingly, the guest were all carrying phones.
During the VoIP2Day 2018, held a few weeks ago in Madrid, there was a conference given by Fernando Villares entitled “Security is not a game, football YES,” where he explained his methodology.
It all started when Fernando found a reward of the equivalent of $12,500 in bitcoin on the dark web for the guest list and other information about Messi’s wedding. He reached out to Messi through the wedding organizer Adrián Pavía, who is also a common friend, and ended up working for Messi as no cybersecurity was in place for the event what so ever.
First of all, the City Center casino hotel in Rosario, Argentina was open to the public the previous days. The venue would have to be prepared for a private party with a large number of athletes, models, employees, suppliers and organizers, and some €1,7 million in insurance money.
Although there was a confidentiality agreement and a prohibition to introduce telephones in the area, another contractual clause prevented the organizers from confiscating any phones. Besides, no enforcement of the rule was viable anyway taking into consideration the VIP-status of each guest. Furthermore, the medium consisted of various signal waves, Bluetooth connections, extensive computer equipment, lighting and sound systems, external threats such as drones, paparazzi etc. So, Fernando had to anticipate all the aforementioned in his security model. The solution, therefore, was to prevent communications without interfering with the event equipment.
The first step of the operation consisted of a physical examination of the area in which a hidden camera was found. Secondly, an Open Source Intelligence study was carried out on the guests, suppliers, and staff. Finally, the team analyzed both the radio spectrum with simple Digital Terrestrial Television cards, encrypt all computer assets, and train key employees with access to sensitive information employees with access to sensitive information.
More precisely, the devices were encrypted with the TLS cryptographic protocol and SRTP profiles, disposable SIM cards were also used, and inside communication was made through Telegram and walkie-talkies encoded on VHF frequencies.
When all of the internal security systems were in place, the team decided to implement an informational “bunker” by asking the authorization of the Ministry of Justice to use equipment capable of blocking the frequencies of GSM 2G, 3G, 4G and WiFi 2.4 and 5.8 GHz frequencies, and as a consequence, Bluetooth and DECT cordless telephones. It was for the first time such efficient security measures were set in motion at a civic event in Argentina.
As post-event precautions, the squad had a global detection system to see in real time if something was leaking, as well as bots on social networks that searched for keywords. They also had established a wired zone for the use of its digital transmitters by the television channels, so that if they left it, they lost the signal.
The mission was a success, and no unwanted photos or videos came out of the event. As a fun fact, some media outlets accused the security experts of working for Israel just because the team used the keyword “Mossad.”