The virtual nature of the draft provides hackers an opportunity to cheat without detection. And the popular Zoom videoconference platform that's used by NFL teams and other businesses has been a target of such attacks.
Vice recently reported that brokers are offering for sale "exploits" that take advantage of vulnerabilities in the Zoom platform. The attack allows hackers to leverage what's known as "Zoombombing" to infiltrate meetings and possibly access the target's entire computer system. According to the report, the exploit requires the hacker to be on a call with the victim.
Quentin Rhoads, director of professional services for the cybersecurity firm CRITICALSTART, cautions that so far there’s no proof that the Zoom exploit exists.
“But in security we are going on the perspective that it might be real, so we have to take it seriously,” Rhoads said. “If somebody were to (use the exploit) they could potentially gain access to all these Zoom meetings without being invited if the meeting I.D. were leaked and Zoom security best practices weren’t being followed. If victims are running Windows, (hackers) could gain local access to machines without the victim knowing it.”
Vice, citing an anonymous source, said the asking price for the Zoom Windows application exploit is $500,000. The market isn’t hackers looking to snoop on Zoom calls among friends and family. Hackers would be interested in intercepting sensitive conversations and information that businesses want to keep private.
NFL teams have a lot of that. For obvious reasons, the NFL isn’t offering specifics about what security measures it will use for the virtual draft. However, the league said the Microsoft Teams platform, not Zoom, will be used for its communication with teams and vice versa. CRITICALSTART said there have been fewer issues with Teams, but that it’s still possible to hack the platform.
Rhoads’ firm posted tips for NFL teams to safeguard their communication and information. One of them is requiring strong passwords and multifactor authentication to gain access to meeting platforms. An example of the latter is the platform sending users a text message with a code that’s required to gain entry.
“If an attacker decides they want to gain access to your password, they need to kidnap you or find your phone or steal it,” Rhoads quipped.
No NFL team would resort to kidnapping. But we’ve seen how far sports teams will take espionage to gain an advantage and how much it can pay off.
The NFL punished the Patriots for violating NFL rules by taping the Jets’ defensive signals from the sidelines during a 2007 game. ESPN reported that New England had a secure room at its facility that contained videotapes of opponents’ signals going back seven seasons. The Patriots won half of their six Super Bowl titles during that time period.
MLB punished the Astros for breaking the rules by using a video camera to steal signs during the 2017 and 2018 seasons. The Red Sox were punished Thursday for running a similar scam during the 2018 season. The Astros won the World Series in 2017, and the Red Sox won it in 2018.
The cheating conspiracies by the Patriots, Astros and Red Sox required team personnel to be physically present at games. That made those plots relatively easier to detect compared with remote hacking.
NFL teams, like all sports franchises, are paranoid about rivals stealing their information. With the draft now going fully virtual, they have to look out for hackers doing it digitally.