How to hack the Jacksonville Jaguars’ jumbotron (and end up in jail for 220 years)

Three examples of the video screen tampering.
Enlarge / Three examples of the video screen tampering.

US DOJ

Was someone messing with the Jacksonville Jaguars’ giant jumbotron?

On September 16, 2018, the Jaguars were playing the New England Patriots when the in-stadium screen experienced, in the US government’s words, “a loss in reference sync which manifested as a large horizontal green lines [sic] appearing across one whole video board.”

On November 18, during a game against the Pittsburgh Steelers, it happened again—but this time, entire video sub-boards filled with green.

Then, on December 2, 2018, the Indianapolis Colts came to town and the jumbotron glitched a third time as “a single video board experienced a change of what seemed to be the zoom of one of the base graphics displayed.”

The Jaguars’ IT staff could not at the time replicate any of these video errors, and they began to suspect that what they were seeing was not a technical problem but some sort of attack. Digging into log files, they quickly found that the source of the December 2 problem was “a command to change a specific parameter” of the video control software.

Where had the command come from? An Abekas Mira video control server known as MIRA9120. The Abekas Mira was meant to help in the production and display of instant replay video to be shown in-stadium on the massive jumbotron, but this particular server had been either decommissioned or kept on hand as a spare. In any event, the team thought the server was in storage. But when they went looking, MIRA9120 turned out to be sitting in the main server room, installed on a rack just beside the active Abekas Mira servers.

IT staffers started poking around in MIRA9120 and found the remote-access software TeamViewer, suggesting that someone had been controlling MIRA9120 from somewhere else. But only limited data about the culprit could be gleaned, because the TeamViewer instance had connection logging disabled.

On December 3, the Jaguars’ IT staff disconnected MIRA9120 from the other video control servers—but they left it powered on and in place. Then they turned TeamViewer’s connection logging back on. The idea was to set up a honeypot in case the attacker returned.

During the December 16 game against Washington, TeamViewer recorded another connection into MIRA9120. The TeamViewer account number that accessed the machine was logged, and the information was passed to the FBI, which was now actively investigating the situation. Agents sent a subpoena to TeamViewer, which in February 2019 provided the IP address of the machine that had used the account in question on that day.

This IP address was controlled by Comcast, so a subpoena to Comcast finally turned up the information the Jaguars wanted: MIRA9120 was accessed on December 16 from a home in St. Augustine, Florida—a home where Samuel Arthur Thompson was living.

The secret

The Jags knew Thompson. He had spent nearly five years as a contractor for the football team, helping Jacksonville design and install their stadium screen technology. After installation, Thompson helped to run the system during football games.

Thompson also had a secret: He had been convicted of sexually abusing a 14-year-old boy in Alabama in 1988. Thompson had not reported this to the Jaguars, either, though his contract required such a disclosure.

Someone had found out about the conviction and sent an anonymous letter about it to the Jaguars’ management. Once the letter arrived, the Jaguars terminated Thompson’s contract. His last day with the team had been February 23, 2018. The relationship was thought to be over—but maybe it wasn’t.

A closer search of network traffic and log files from that February day revealed that Thompson himself had installed TeamViewer onto MIRA9120 at 9:09 am. So the pieces all fit: disgruntled employee on final day of work, the TeamViewer install, the IP address in St. Augustine.

But the FBI didn’t secure a warrant until the summer of 2019. Only in July did the FBI raid Thompson’s home in rather polite style, simply knocking on the door. (Thompson would later complain in a court filing that agents should have yelled out who they were and why they were there. He was strongly displeased about being surprised.) Thompson’s child opened the door. When Thompson himself came over, he still had his unlocked iPhone in hand—and an agent immediately grabbed it.

Then the case became something else entirely—because the phone had child sex abuse material (CSAM) on it.

Leave a Reply

Your email address will not be published. Required fields are marked *