Virtual draft makes NFL teams potential targets for hackers

The NFL logo on the main stage during the second round of the NFL football draft, Friday, April 26, 2019, in Nashville.

Credit: Steve Luciano

Credit: Steve Luciano

The NFL logo on the main stage during the second round of the NFL football draft, Friday, April 26, 2019, in Nashville.

A hacker could provide entertainment value by disrupting the virtual NFL draft that begins Thursday. Desperation for any sports entertainment shouldn’t make us forget that these things are boring. The few moments of suspense as picks and trades are announced are drowned out by incessant chatter by talking heads and nonstop loops of player highlights.

This draft broadcast with commissioner Roger Goodell announcing picks from his home would be more fun if a hacker interrupted it to make mischief. Just please don’t shut it down completely. It already takes too long.

Such an infiltration would embarrass the NFL but wouldn’t compromise the integrity of the draft itself. There are other potential hacks outside the broadcast that wouldn’t be so harmless for the league.

What if teams, or third parties working for them, remotely hack into the videoconference platforms used by rival teams or even the computers of their personnel? Team officials aren’t allowed to congregate in one room, like usual, so they are scattered about and communicating virtually.

A team that digitally eavesdrops on what’s being said in the virtual draft rooms of other teams obviously would gain an illicit advantage this week. Gaining access to the computers of rival teams would be an edge that keeps paying off. The history of espionage in sports shows that teams are willing to cheat if they think they can get away with it.

The virtual nature of the draft provides hackers an opportunity to cheat without detection. And the popular Zoom videoconference platform that's used by NFL teams and other businesses has been a target of such attacks.

Vice recently reported that brokers are offering for sell "exploits" that take advantage of vulnerabilities in the Zoom platform. The attack allows hackers to leverage what's known as "Zoombombing" to infiltrate meetings and possibly access the target's entire computer system. According to the report, the exploit requires the hacker to be on a call with the victim.

Quentin Rhoads, director of professional services for the cybersecurity firm CRITICALSTART, cautions that so far there’s no proof that the Zoom exploit exists.

“But in security we are going on the perspective that it might be real, so we have to take it seriously,” Rhoads said. “If somebody were to (use the exploit) they could potentially gain access to all these Zoom meetings without being invited if the meeting I.D. were leaked and Zoom security best practices weren’t being followed. If victims are running Windows, (hackers) could gain local access to machines without the victim knowing it.”

Vice, citing an anonymous source, said the asking price for the Zoom window application exploit is $500,000. The market isn’t hackers looking to snoop on Zoom calls among friends and family. Hackers would be interested in intercepting sensitive conversations and information that businesses want to keep private.

NFL teams have a lot of that. For obvious reasons, the NFL isn’t offering specifics about what security measures it will use for the virtual draft. However, the league said the Microsoft Teams platform, not Zoom, will be used for its communication with teams and vice versa. CRITICALSTART said there have been fewer issues with Teams, but that it’s still possible to hack the platform.

Rhoads’ firm posted tips for NFL teams to safeguard their communication and information. One of them is requiring strong passwords and multifactor authentication to gain access to meeting platforms. An example of the latter is the platform sending users a text message with a code that’s required to gain entry.

“If an attacker decides they want to gain access to your password, they need to kidnap you or find your phone or steal it,” Rhoads quipped.

No NFL team would resort to kidnapping. But we’ve seen how far sports teams will take espionage to gain an advantage and how much it can pay off.

The NFL punished the Patriots for violating NFL rules by taping the Jets’ defensive signals from the sidelines during a 2007 game. ESPN reported that New England had a secure room at its facility that contained videotapes of opponents’ signals going back seven seasons. The Patriots won half of their six Super Bowl titles during that time period.

MLB punished the Astros for breaking the rules by using a video camera sign to steal signs during the 2017 and 2018 seasons. The Red Sox were punished Thursday for running a similar scam during the 2018 season. The Astros won the World Series in 2017, and the Red Sox won it in 2018.

The cheating conspiracies by the Patriots, Astros and Red Sox required team personnel to be physically present at games. That made those plots relatively easier to detect compared with remote hacking.

NFL teams, like all sports franchises, are paranoid about rivals stealing their information. With the draft now going fully virtual, they have to look out for hackers doing it digitally.