Virtual Draft Makes NFL Teams Potential Targets for Hackers

A hacker could provide entertainment value by disrupting the virtual NFL draft that begins Thursday. Desperation for any sports entertainment shouldn’t make us forget that these things are boring. The few moments of suspense as picks and trades are announced are drowned out by incessant chatter by talking heads and nonstop loops of player highlights.

This draft broadcast with commissioner Roger Goodell announcing picks from his home would be more fun if a hacker interrupted it to make mischief. Just please don’t shut it down completely. It already takes too long.

Such an infiltration would embarrass the NFL but wouldn’t compromise the integrity of the draft itself. There are other potential hacks outside the broadcast that wouldn’t be so harmless for the league.

What if teams, or third parties working for them, remotely hack into the videoconference platforms used by rival teams or even the computers of their personnel? Team officials aren’t allowed to congregate in one room, like usual, so they are scattered about and communicating virtually.

A team that digitally eavesdrops on what’s being said in the virtual draft rooms of other teams obviously would gain an illicit advantage this week. Gaining access to the computers of rival teams would be an edge that keeps paying off. The history of espionage in sports shows that teams are willing to cheat if they think they can get away with it.

The virtual nature of the draft provides hackers an opportunity to cheat without detection. And the popular Zoom videoconference platform that’s used by NFL teams and other businesses has been a target of such attacks.

Vice recently reported that brokers are offering for sell “exploits” that take advantage of vulnerabilities in the Zoom platform. The attack allows hackers to leverage what’s known as “Zoombombing” to infiltrate meetings and possibly access the target’s entire computer system. According to the report, the exploit requires the hacker to be on a call with the victim.

Quentin Rhoads, director of professional services for the cybersecurity firm CRITICALSTART, cautions that so far there’s no proof that the Zoom exploit exists.

“But in security, we are going on the perspective that it might be real, so we have to take it seriously,” Rhoads said. “If somebody were to (use the exploit) they could potentially gain access to all these Zoom meetings without being invited if the meeting I.D. were leaked and Zoom security best practices weren’t being followed. If victims are running Windows, (hackers) could gain local access to machines without the victim knowing it.”

Vice, citing an anonymous source, said the asking price for the Zoom window application exploit is $500,000. The market isn’t hackers looking to snoop on Zoom calls among friends and family. Hackers would be interested in intercepting sensitive conversations and information that businesses want to keep private.

NFL teams have a lot of that. For obvious reasons, the NFL isn’t offering specifics about what security measures it will use for the virtual draft. However, the league said the Microsoft Teams platform, not Zoom, will be used for its communication with teams and vice versa. CRITICALSTART said there have been fewer issues with Teams, but that it’s still possible to hack the platform.

Rhoads’ firm posted tips for NFL teams to safeguard their communication and information. One of them is requiring strong passwords and multifactor authentication to gain access to meeting platforms. An example of the latter is the platform sending users a text message with a code that’s required to gain entry.

“If an attacker decides they want to gain access to your password, they need to kidnap you or find your phone or steal it,” Rhoads quipped.

No NFL team would resort to kidnapping. But we’ve seen how far sports teams will take espionage to gain an advantage.

The NFL punished the Patriots in 2007 for violating NFL rules by taping the Jets’ defensive signals from the sidelines during a game. ESPN reported that New England had a secure room at its facility that contained videotapes of opponents’ signals going back seven seasons. Goodell ordered that evidence be destroyed.

MLB found that the Astros broke the rules by using a video camera sign to steal signs during the 2017 and 2018 seasons. The Astros used the scheme during the 2017 postseason when they won the World Series. MLB fined the Astros $5 million, took away draft picks and suspended general manager Jeff Luhnow and field manager A.J. Hinch.

The schemes executed by the Patriots and Astros required team personnel to be physically present at games. That made those cheating plots relatively easier to detect compared with remote hacking.

NFL teams, like all sports franchises, are paranoid about rivals stealing their information. With the draft now going fully virtual, they have to look out for hackers.

Featured in  Atlanta Journal-Constitution | April 22, 2020

Newsletter Signup

Stay up-to-date on the latest resources and news from CRITICALSTART.
Benchmark your cybersecurity against peers with our Free Quick Start Risk Assessments tool!
This is default text for notification bar