In theory, such chips can be programmed to initiate an attack on a phone.
Russian President Vladimir Putin’s gift of a soccer ball to President Trump last week set off a chorus of warnings – some of them only half in jest – that the World Cup souvenir could be bugged. Republican Sen. Lindsey Graham of South Carolina even tweeted, “I’d check the soccer ball for listening devices and never allow it in the White House.”
It turns out they weren’t entirely wrong. Markings on the ball indicate that it contained a chip with a tiny antenna that transmits to nearby phones.
But rather than a spy device, the chip is an advertised feature of the Adidas AG ball. Photographs from the news conference in Helsinki, where Putin handed the ball to Trump, show it bore a logo for a near-field communication tag. During manufacturing, the NFC chip is placed inside the ball under that logo, which resembles the icon for a WiFi signal, according to the Adidas website.
The chip allows fans to access player videos, competitions and other content by bringing their mobile devices close to the ball. The feature is included in the 2018 FIFA World Cup match ball that’s sold on the Adidas website for $165 (reduced to $83 in the past week).
Adidas declined to comment on whether the chip could be a vector of a Russian hack. There is no suggestion that such balls or their chips have any security vulnerabilities. The chip itself can’t be modified, according to the product description on the Adidas website. “It is not possible to delete or rewrite the encoded parameters,” it says.
While the logo on the ball advertised the presence of the chip, it couldn’t be determined from the photos whether the chip might have been removed, replaced with actual spy gear, or, even more remotely, whether the entire ball itself was fabricated for the event and only resembled the Adidas model in question.
“The security screening process that is done for all gifts was done for the soccer ball,” White House Press Secretary Sarah Sanders said in an email. “We are not going to comment further on security procedures.” The White House declined to say whether any modifications to the ball had been identified or where the ball would be kept going forward.
The chip is the same technology used in some contactless payments, including those with Apple Pay and Google Pay.
In theory, such tags can be programmed to initiate an attack on a phone, at least one hacker has shown. In 2015, Forbes reported that an engineer used an NFC chip to send a nearby Android phone a request to open a link that – if the user agreed to open it – installed a malicious file that took over the phone.
However, such a multi-stepped attack via a soccer ball seems unlikely, said Linus Neumann, a spokesman for the Hamburg-based Chaos Computer Club, a hacker collective that for decades has exposed weaknesses in German banking, government and other computer systems. Adidas, a German company, would normally be in the CCC’s sights, but not in this case.
“Trump would have to ignore multiple security warnings and intentionally install a malware on his device,” Neumann said, adding that such a hack working would depend on the president, “falling for a silly attack like this.”
Bloomberg’s Richard Weiss and Margaret Talev contributed to this report.
Send questions/comments to the editors.