- Security researchers recently discovered a serious flaw on the FIA’s website
- The bug gave them access to personally identifiable information about drivers
- So far, there is no indication that criminals have gained access to the data
Millions of dollars are being spent on cyber security in Formula 1, but this has not protected the sport’s drivers from having their personal information compromised.
In fact, security researchers Ian Carroll, Gal Nagli and Sam Curry claim they managed to hack the website of the sport’s FIA governing body and gain access to every driver’s passport, driver’s license and PII.
Fortunately, there is no evidence that this FIA vulnerability was exploited by threat actors, and the bug has since been patched, but it serves as a strong warning to third-party websites that may believe they are too niche to be targeted.
How did they do it?
The compromise came through the FIA’s driver categorization website, where drivers can apply for their FIA Super License – which drivers must renew every year if they want to continue in the sport.
As the portal is public and anyone can apply, the researchers were able to create their own FIA license account, update their details and edit their own information. But they noticed that when they updated their profile, the server sent back more information than they had entered.
For example, if they edited their name and email, the server would send back their name, email, date of birth and, crucially, their ‘role’. The ‘roles’ refer to the access privilege – driver, FIA staff or admin.
So, in what appears to be a shockingly simple ‘Mass Assignment’ API bug, the researchers simply changed their access to ‘admin’ – and gained access.
The admin rights, as you can guess, gave them access to anything and everything. This included all F1 driver applications along with their uploaded documents such as passports and personal contact details – they could even see internal FIA communications regarding licensing decisions.
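As an added illustration (not the FIA's code; field names are assumed), the defect described above in a minimal profile-update handler, beside an allowlist-bound version that rejects server-controlled fields, plus a response filter for the over-sharing that revealed the role field in the first place:

```python
# Server-controlled attributes must never be bound from request input; the
# caller may edit only these. (Field names are assumed for the illustration.)
EDITABLE_FIELDS = frozenset({"name", "email"})
# What a profile-update response may echo back; role and DOB stay server-side.
RESPONSE_FIELDS = frozenset({"name", "email"})

# Constructed sample data, not real FIA records.
SAMPLE_PROFILE = {"id": 42, "name": "A. Driver", "email": "a@example.invalid",
                  "date_of_birth": "1990-01-01", "role": "driver"}
TAMPERED_PAYLOAD = {"name": "A. Driver", "email": "a@example.invalid", "role": "admin"}


class ForbiddenField(ValueError):
    """Raised when a request tries to set a field the caller may not edit."""


def update_profile_vulnerable(profile, payload):
    """Mass-assignment defect: every key in the body is bound onto the record,
    so a payload carrying "role": "admin" silently escalates privilege."""
    updated = dict(profile)
    updated.update(payload)
    return updated


def update_profile_hardened(profile, payload):
    """Allowlist binding: copy only EDITABLE_FIELDS. Unknown keys are rejected
    rather than silently dropped, so tampering attempts show up in logs."""
    unexpected = set(payload) - EDITABLE_FIELDS
    if unexpected:
        raise ForbiddenField(f"non-editable fields in request: {sorted(unexpected)}")
    updated = dict(profile)
    updated.update({k: payload[k] for k in EDITABLE_FIELDS if k in payload})
    return updated


def render_response(profile):
    """Echo only the fields the caller is entitled to see; the original server
    returned role and date of birth, which is what exposed the field to tamper with."""
    return {k: profile[k] for k in RESPONSE_FIELDS if k in profile}


def run_demo():
    """Apply the tampered payload to both handlers and report the outcomes."""
    vulnerable_role = update_profile_vulnerable(SAMPLE_PROFILE, TAMPERED_PAYLOAD)["role"]
    try:
        update_profile_hardened(SAMPLE_PROFILE, TAMPERED_PAYLOAD)
        hardened_blocked = False
    except ForbiddenField:
        hardened_blocked = True
    legit = update_profile_hardened(SAMPLE_PROFILE, {"email": "new@example.invalid"})
    return {"vulnerable_role": vulnerable_role, "hardened_blocked": hardened_blocked,
            "legit_role": legit["role"], "response_keys": sorted(render_response(legit))}
```

Rejecting rather than dropping unknown keys is a deliberate choice: a 4xx on a role field in a profile update is a cheap detection signal.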
“The FIA became aware of a cyber incident involving the FIA Driver Categorization website during the summer,” a spokesman told TechRadar Pro.
“Immediate steps were taken to secure the drivers’ data and the FIA reported this issue to the relevant data protection authorities in accordance with the FIA’s obligations. It has also notified the small number of drivers affected by this issue. No other FIA digital platforms were affected by this incident.”
“The FIA has invested extensively in cyber security and resilience across its digital estate. It has put world-class data security measures in place to protect all its stakeholders and implements a security-by-design policy in all new digital initiatives.”
In Formula 1, data security is a high priority. Most teams even have official cybersecurity partnerships — such as Williams and Keeper Security, Bitdefender and Ferrari, and 1Password and Red Bull — which only underlines that no one is safe with weak links among their vendors, partners or, in this case, their governing body's website.