Was someone messing with the Jacksonville Jaguars' giant jumbotron?
On September 16, 2018, the Jaguars were playing the New England Patriots when the in-stadium screen experienced, in the US government's words, "a loss in reference sync which manifested as a large horizontal green lines [sic] appearing across one whole video board."
On November 18, during a game against the Pittsburgh Steelers, it happened again—but this time, entire video sub-boards filled with green.
Then, on December 2, 2018, the Indianapolis Colts came to town and the jumbotron glitched a third time as "a single video board experienced a change of what seemed to be the zoom of one of the base graphics displayed."
The Jaguars' IT staff could not at the time replicate any of these video errors, and they began to suspect that what they were seeing was not a technical problem but some sort of attack. Digging into log files, they quickly found that the source of the December 2 problem was "a command to change a specific parameter" of the video control software.
Where had the command come from? An Abekas Mira video control server known as MIRA9120. The Abekas Mira was meant to help in the production and display of instant replay video to be shown in-stadium on the massive jumbotron, but this particular server had been either decommissioned or kept on hand as a spare. In any event, the team thought the server was in storage. But when they went looking, MIRA9120 turned out to be sitting in the main server room, installed on a rack just beside the active Abekas Mira servers.
IT staffers started poking around in MIRA9120 and found the remote-access software TeamViewer, suggesting that someone had been controlling MIRA9120 from somewhere else. But only limited data about the culprit could be gleaned, because the TeamViewer instance had connection logging disabled.
AdvertisementOn December 3, the Jaguars' IT staff disconnected MIRA9120 from the other video control servers—but they left it powered on and in place. Then they turned TeamViewer's connection logging back on. The idea was to set up a honeypot in case the attacker returned.
During the December 16 game against Washington, TeamViewer recorded another connection into MIRA9120. The TeamViewer account number that accessed the machine was logged, and the information was passed to the FBI, which was now actively investigating the situation. Agents sent a subpoena to TeamViewer, which in February 2019 provided the IP address of the machine that had used the account in question on that day.
This IP address was controlled by Comcast, so a subpoena to Comcast finally turned up the information the Jaguars wanted: MIRA9120 was accessed on December 16 from a home in St. Augustine, Florida—a home where Samuel Arthur Thompson was living.
The secret
The Jags knew Thompson. He had spent nearly five years as a contractor for the football team, helping Jacksonville design and install their stadium screen technology. After installation, Thompson helped to run the system during football games.
Thompson also had a secret: He had been convicted of sexually abusing a 14-year-old boy in Alabama in 1988. Thompson had not reported this to the Jaguars, either, though his contract required such a disclosure.
Someone had found out about the conviction and sent an anonymous letter about it to the Jaguars' management. Once the letter arrived, the Jaguars terminated Thompson's contract. His last day with the team had been February 23, 2018. The relationship was thought to be over—but maybe it wasn't.
A closer search of network traffic and log files from that February day revealed that Thompson himself had installed TeamViewer onto MIRA9120 at 9:09 am. So the pieces all fit: disgruntled employee on final day of work, the TeamViewer install, the IP address in St. Augustine.
But the FBI didn't secure a warrant until the summer of 2019. Only in July did the FBI raid Thompson's home in rather polite style, simply knocking on the door. (Thompson would later complain in a court filing that agents should have yelled out who they were and why they were there. He was strongly displeased about being surprised.) Thompson's child opened the door. When Thompson himself came over, he still had his unlocked iPhone in hand—and an agent immediately grabbed it.
Then the case became something else entirely—because the phone had child sex abuse material (CSAM) on it.
From bad to worse
Thompson's iPhone, iPad, and a pair of laptops showed evidence that Thompson had used them to connect to MIRA9120, but the CSAM was actually a bigger deal. Upon finding it, agents halted their searches and obtained further warrants allowing them to search all of Thompson's seized devices specifically for CSAM.
They found plenty of it. Court documents show that Thompson's iPad also had CSAM on it; in fact, the government said, he had been using the iPad to search "the dark web for CSAM at the time the FBI knocked on his door with the search warrant." CSAM also showed up on a hard drive in Thompson's home and on a computer seized from a storage unit.
"Thousands of images and hundreds of videos on Thompson’s personal devices depicting CSAM were found," the government said. And Thompson was not just a consumer of CSAM; tragically, he had produced a series of videos with several 7- to 10-year-old children in June 2019, just a month before the warrant was served. Some had been made right in Thompson's living room.
On July 27, 2019, Thompson left the US for the Philippines without noting his international travel as required by the Sex Offender Registration and Notification Act (SORNA). The US then revoked his passport, and the Philippines deported him in January 2020. He was arrested upon his return to the US.
The case took several years to wind its way through the courts, partly because Thompson began representing himself.
Thompson filed long motions accusing the FBI of, among other things, improperly calling his attack on the Jaguars a "denial of service" attack.
He claimed that the FBI had actually exonerated him due to a typo in one agent's lengthy filing; a single line said that Thompson "did have authority" to access the MIRA9120 server, though the rest of the document made clear that he did not have such authority. (In a footnote, the government said that the FBI agent in question "has amended his report to correct this typo.")
AdvertisementThompson claimed that he had installed TeamViewer for an entirely legitimate reason related to a Monster Truck Jam. And that the warrant served on him was overbroad. And that agents should not have been able to grab his iPhone out of his hand. And that he was not given all the attachments to the warrant document. And that the FBI made him wait outside his home while it was searched. And that the Jaguars had never told him that they had learned he was a sex offender.
The relevance of this material was not all clear, but it led to months of filings and counter-filings. In the end, though, none of these gambits succeeded in throwing out the evidence against him. In a 2023 trial, Thompson was found guilty of a long list of crimes, including the Jaguars' jumbotron hack, the CSAM possession/production, and the illegal possession of "a firearm as a convicted felon."
Last week, Thompson was sentenced. He got 220 years in federal prison, "followed by a lifetime of supervised release."
As hacking cases go, this one was sad and stupid in every respect. Thompson's hack, which might have been intended to show the Jaguars that they still needed his expertise, accomplished little but exposing Thompson's CSAM activities to the FBI. (To mix sports metaphors for a moment, this was the very definition of an "own goal.") The hack itself was not particularly sophisticated, and Thompson does not seem to have even obscured his IP address when conducting it. He also left traces of his actions all over the log files of Jacksonville's network. His CSAM was stored on many different machines at his home and does not seem to have been well concealed. And then there was his flight to the Philippines, which even Wikipedia knows has an extradition treaty with the US. It's all a reminder that technical competence in one specific field—say, video screen design and operation—does not always translate into other fields, such as hacking, self-lawyering, or criminal masterminding.
Worst, of course, was the abuse of children. Their continuing exploitation may have only been stopped by dumb luck—thanks to an FBI investigation into a glitching video screen at a Florida football stadium.
){kind=link}