FIA Data Breach: Verstappen Passport Exposed

The FIA, the international governing body for motor racing, has confirmed that a team of cybersecurity experts briefly accessed information within its platform for managing driver credentials, including Max Verstappen’s identification documents. The security flaw has since been fixed in collaboration with the experts themselves.

The breach occurred during the summer, when three cybersecurity experts, Gal Nagli, Sam Curry and Ian Carroll, gained unauthorized access to the FIA’s Driver Categorization system. Although the intrusion took place some time ago, they only made their findings public this week on social media.

The team, all avid followers of Formula 1, made it clear that their intentions were not malicious. Their primary objective was to highlight vulnerabilities in the FIA’s digital defenses and to reinforce the “entire digital environment.”

The incident involved the system the FIA uses to manage driver classifications. F1 competitors need a super license to race, but in other categories, largely endurance events, classification as Gold, Silver or Bronze is of utmost importance. The FIA administers these classifications through this platform, and drivers can also use it to request a change in their standing, for example from Gold to Silver, which can be an advantage in endurance racing, where teams frequently must field a Silver-rated driver.

Administrator privileges gave hackers access to driver details

The cybersecurity experts created an account on the FIA platform and found that they could alter their assigned level of authorization through JavaScript commands. The platform’s architecture had multiple levels of access: drivers, FIA personnel, and administrators.

Using an HTTP PUT request, the cybersecurity experts attempted to raise their access rights to those of an administrator, and the attempt succeeded. When they signed back into the platform, they were presented with a drastically different interface, which contained the FIA’s internal control panel for handling driver classifications.
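The behaviour described above is consistent with a server that accepts a privilege field from the body of a profile update, a pattern often called mass assignment. The following added example is not from the article or the FIA platform; it contrasts that pattern with a server-side check. The field names, role names and both functions are assumptions made for illustration.

```javascript
// Added illustration: field names, role names and both functions are hypothetical.
const ROLES = ["driver", "staff", "admin"]; // the three access levels the article names
const SELF_EDITABLE = new Set(["email", "phone", "displayName"]);

// Vulnerable pattern: every key of the PUT body is merged into the stored record.
function updateProfileUnsafe(stored, body) {
  return { ...stored, ...body };
}

// Hardened pattern: the caller's role comes from the server-side session,
// self-service edits are allowlisted, and role changes need an admin session.
function updateProfileSafe(session, stored, body) {
  const next = { ...stored };
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (SELF_EDITABLE.has(key) && session.userId === stored.id) {
      next[key] = value;
    } else if (key === "role" && session.role === "admin" && ROLES.includes(value)) {
      next.role = value;
    } else {
      rejected.push(key); // includes "role" sent by a non-admin; log for detection
    }
  }
  return { record: next, rejected };
}

// Constructed sample: a driver account submits a PUT body that includes a role.
const stored = { id: 7, email: "a@example.test", phone: "000", role: "driver" };
const putBody = { email: "b@example.test", role: "admin" };
const session = { userId: 7, role: "driver" };

const unsafe = updateProfileUnsafe(stored, putBody);
const safe = updateProfileSafe(session, stored, putBody);
console.log(unsafe.role, safe.record.role, safe.rejected);
```

A rejected `role` key from a non-admin session is a useful signal to alert on, since ordinary clients have no reason to send it.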


To validate the breach, the team attempted to open a specific driver’s profile. They observed that the profile contained the driver’s encrypted password, email address, telephone number and passport details, along with private communications between the FIA and the driver regarding their classification.

The details of all F1 drivers were present in the system as well, and the cybersecurity experts noted that Verstappen’s passport record could be accessed. The team emphasized that they stopped their examination at that point and did not access any passport data or private information.

FIA reaction and partnering with the cybersecurity experts

After discovering the weakness on June 3, the cybersecurity experts promptly informed the FIA. The regulatory organization responded swiftly, taking the website offline the same day and collaborating with the trio to devise a lasting remedy. On June 10, the FIA affirmed that a resolution had been successfully implemented.

When approached by Autosport representatives in Mexico, an FIA spokesperson acknowledged the incident and provided an official statement on behalf of the governing body:

“The FIA was alerted to a cyber incident impacting the FIA Driver Categorization website during the past summer. Quick actions were implemented to safeguard driver information, and the FIA communicated this issue to the appropriate data protection agencies in accordance with the FIA’s regulatory obligations. Furthermore, the few drivers potentially impacted by this issue have been notified. No other FIA digital platforms were compromised during this incident.

“The FIA has invested significantly in measures to strengthen cybersecurity and resilience across its digital environment. It has implemented world-class data protection protocols to ensure the safety of all its stakeholders and is committed to embedding a ‘security-by-design’ approach in all new digital projects.”
