Zoom-Bombs, Bad Passwords, and a Big Target: Why NFL Draft Season Is Ripe to Be Hacked

Depending on how you look at it, next week’s first-ever virtual NFL draft is either a much-needed distraction from the daily misery of pandemic news or a needless distraction at a time when we should be reassessing our priorities. Either way, regardless of gripes from GMs and those nerds in the media, it’s happening. On Thursday night, Roger Goodell, from a bunker in Westchester County, will officially put the Bengals on the clock.

To get to this point, the league and its teams have scrambled to build a virtual draft infrastructure, just as they’ve done all draft season to keep team personnel connected under stay-at-home guidelines. The scale and ambition of the operation is impressive. The league should be lauded for the fundraising aspect and for mandating that, throughout the draft, all team execs and coaches—regardless of their state and local ordinances—stay in their separate homes (unlike a certain quarterback in Dallas), emphasizing the importance of social distancing.

But as the pandemic has made videoconferencing and virtual connectivity an absolute necessity in all walks of life, hackers have taken advantage; schools and churches have been hacked. Now consider the combination of 1) a billion-dollar corporation 2) an unprecedented undertaking and 3) a cast of thousands of less-than-tech-savvy users. Altogether, it means the NFL will, almost undoubtedly, be targeted.

“Imagine my goal is to hack a team" says Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, an Apple device management solution. "There’s now a whole new remotely accessible system that was put together quite rapidly, which handles a lot of sensitive information. To me, that's an intriguing new attack surface."

As we approach the culmination of an unprecedented draft season, I spoke to security experts and hackers about this past month, packed with ill-conceived video conferences; about the potential for compromised email addresses; and about a handful of coaches and decision-makers who likely heard “virtual draft” and thought of a favorite scene from Tron.

So, pull on your Guy Fawkes mask—or whatever; your kid’s Iron Man mask from Halloween will do just fine—and open your mind to just the slightest bit of roguishness. This is how the NFL draft could be hacked. Or, maybe, how it already has been.

* * *

The league office is confident in the work it has done. “We are working closely with our tech partners to ensure a smooth operation” throughout the draft, says NFL spokesperson Brian McCarthy. “We are not disclosing our cybersecurity processes other than to say: They are comprehensive and thoughtful.” Regarding the 32 franchises, McCarthy says every team has been consulted on its setup and provided with best practices. Those clubs, though, “are ultimately responsible for their communication systems.”

Together, those teams and the league office will conduct a mock draft next week to test the virtual system. And the chances of the draft presentation itself getting hacked are minuscule (for reasons we’ll get into later). But equipping teams with the knowledge to build their own infrastructures is one thing. Making sure those teams follow through is another. And making sure individuals use that technology securely? Well ...

Which GIF best encapsulates the attitude toward technology held by a portion of the NFL’s old guard?

Option 1: Dave Gettleman air-keyboarding at the Saquon Barkley presser

Option 2: Bill Belichick working the tablet

Option 3: Gruden and Co. in the Raiders’ war room

(I kid! Gruden’s Raiders are far more forward-thinking than they get credit for.)

If you work a desk job, you’re likely glued to a screen for the majority of your waking hours. But that’s not the experience of the majority of the NFL’s decision makers—especially coaches, who do most of their work on the field, teaching face to face or on grease boards. Even putting aside the subset of coaches who outwardly resist technology (you know who you are), there is undoubtedly a large set who don’t interact with technology frequently. And while security has been a team-level concern throughout NFL history—how many guys have lost playbooks over the years?—an unprecedented, heavy reliance on tech has made teams deeply susceptible this draft season.

Consider the two most famous sports hacks of the past decade. First: Astros hacker Chris Correa, who as a scouting director with the Cardinals broke into Houston’s database, which contained proprietary notes on players, opponents and prospects. Second: Laremy Tunsil’s NFL draft-day experience in 2016. That afternoon, a video leaked to the world on his Twitter account, showing the prospect smoking through a gas mask bong, setting off a draft-night slide.

Buckle up for an in-depth breakdown of how those hacks went down. In the Astros’ case, Houston had hired analyst Sig Mejdal away from the Cardinals. When he left St. Louis, Mejdal handed over his laptop and its password to Correa, who later used a variation on that Cardinals password to log into Mejdal’s Astros account. He’d barely changed it. In Tunsil’s case, according to an SB Nation report, he’d given his iCloud password to someone who was tasked with setting up a new phone for the draftee. That person had access to Tunsil’s iCloud right up until the first night of the draft.

You don’t need to be Inspector Poirot to see the problem. In each case, the victim volunteered his password to the person who would subsequently hack him. The moral of the story: Don’t give out your password.

Tunsil, as a 21-year-old, was likely much more comfortable with technology than your average NFL coach. And Mejdal? He was a tech-savvy former NASA engineer. The point: Even those of us you wouldn’t expect to slip up do. Of the hundreds of draft-day decision makers across the league, it’s hard to believe that not a single one of them has in the recent past given a password to someone else—maybe to a team tech person, maybe to a lower-level staffer who changed teams ...

But let’s suspend disbelief and pretend that hasn’t happened. Not even once. If you think they’re all in the clear, then—well, you mustn’t have noticed how many more words are left in this thing.

* * *

Over weeks of quarantine, a large portion of the workforce—many NFL teams included—has become intimately familiar with Zoom. It has been the videoconferencing app of choice because of its user-friendliness, seemingly built so grandma and grandpa in Arizona can see the kids in New York. But that user-friendly interface came at the expense of security.

Zoom-bombing, the cruel trend of dropping in on strangers’ Zoom conferences uninvited to share offensive words and pictures, has become the modern-day equivalent of yelling Baba Booey. And sometimes hacking Zoom can be as simple as searching the internet for meeting links. For instance, many Alcoholics Anonymous organizers post Zoom links publicly, since they can’t send them privately, on account of the “anonymous” part. That’s led to low-brow “hackers” joining meetings and taunting participants in the name of a brand of comedy that lacks actual humor.

Along with crashing live meetings, hackers have been able to access listings for private Zoom meetings, as well as recordings of past Zoom meetings. Zoom has worked fast to patch up holes and make security more of a priority—better late than never—but any NFL team that has been using it is at risk. (Zoom has released a few statements addressing their security and privacy issues.)

“They’ve done an impressive job addressing the reported [security and privacy] issues, but Zoom was clearly a victim of its own success,” Wardle explains. “You have this application that, before this pandemic, was a somewhat of a niche product, and then its popularity skyrocketed. So hackers started to look at it. So did security researchers and, unfortunately, as security researchers started to poke at it, a lot of security and privacy issues fell out very easily. That's not a good look.”

Zoom, alone, is not the problem. Consider the last public leaguewide hack. That one was pulled off by OurMine, which (according to media reports that primarily reference the work of rival hacker groups) is a hacker collective of teenagers in Saudi Arabia. Corresponding through the encrypted messaging app Signal, a representative of OurMine, who declined to provide a name and will henceforth be known here as “OurMine Guy,” said that the outfit is actually based out of Dubai. (The presumably spoofed phone number from which OurMine Guy corresponded had a Kentucky area code.) Wherever the group is based, OurMine has pulled off some of the biggest hacks in the history, albeit brief, of social media. Among others, they’ve hacked Mark Zuckerberg, The New York Times and Real Madrid. In January, they returned from a two-year hiatus to unveil a hack of 15 NFL teams’ Twitter accounts.

According to OurMine Guy, they accessed those team accounts by exploiting a vulnerability on Khoros, a third-party provider of social media management and marketing services. (Khoros denied that its platform was compromised.)

Now, an NFL team’s draft board is not the nuclear launch codes, and the stakes are even lower when we’re talking about a team’s Twitter feed. But: Weeks of Zoom meetings (or virtual gatherings held on similar videoconferencing platforms) could get out there. Or maybe they already have. Relying on a third-party company has risks, especially when you’re a multibillion-dollar operation.

On draft night, teams will communicate with the league using Microsoft Teams—not coincidentally, Microsoft is an NFL sponsor. “You would have to imagine a product from Microsoft has been designed with more security and privacy in mind,” says Wardle. “Especially in terms of security, that’s an area where [recently] Microsoft has a solid track record.”

But some teams could continue to opt for Zoom, or a less secure third party, for their internal draft communications. Remember: it’s user-friendly and, now more than ever, familiar. Regardless, the biggest risk, even with third parties, lies in the users themselves.

Michael Bazzell, a former FBI cybercrime investigator who now works as a privacy and security consultant (and who helped depict the highly realistic hacks on Mr. Robot, the wonderful Rami Malek vehicle), says the source of most breaches is usually a careless user.

“The biggest threat is not that someone’s going to break Zoom or Microsoft’s security protocol,” Bazzell says. “Every time I’ve had some kind of breach to a conference call with my clients, they were just sloppy. They email the code, and someone’s calendar is shared with others, possibly even public, or an email gets copied to the wrong person, and you’ve basically invited the intruder to come in.”

* * *

It’s one thing to be sloppy. It’s another to be sloppy and be a target.

Remember the 2016 presidential election? I won’t spoil the outcome for anyone who DVRed CNN’s coverage from that night, but what you probably remember from the lead-up to that vote is the word “emails.” Writing about emails. Talking about emails. Tweeting EMAILS, in all caps, which means you’re shouting it. (In hindsight, one might argue that things like “health care” and “wealth gap” and “housing” would have been more appropriate points of focus, but emails it was. I know, I know; stick to whatever tangentially sports-related thing I was getting at here ...)

“Emails” referred to a few different things back then, and one involved a hack. WikiLeaks published thousands of digital correspondences, allegedly from the personal account of Hillary Clinton’s campaign chairman, John Podesta, some of them revealing unflattering aspects of the campaign. The perpetrators of the hack, according to the U.S. intelligence community, were likely Russian.

Podesta, of course, hadn’t handed over his password to a Russian hacking group, or to an old coworker who happened to relocate to Moscow and open up a mom-and-pop hacking outfit. Those hackers got the goods by phishing—spear-phishing, to be exact, the term for the targeting of a specific person (as opposed to blasting a “Dear customer” email to a bunch of people at once).

In short, Podesta received an email, seemingly from Google, that instructed him to, for security purposes, click on a link and log in. That page was fake; he handed over his information to hackers. (In another layer of security failure, Podesta’s chief of staff reportedly passed the email to IT before he followed its instructions, and he was told the email was “legitimate.” What that staffer meant to write was “not legitimate,” and, boy, to err is human.)

It doesn’t require much of a leap to see how this would play out in the NFL. If I were heading up any team’s IT department, it would be one of the things I feared most. Hypothetically, this is how it would play out:

In this (again, hypothetical) scenario, we’ll pick on Sean McVay, because McVay is young, smart, handsome and successful. And those things should leave him thick-skinned.

A hacker trawls some publicly accessible resource—LinkedIn, or perhaps a team media guide—and learns that the Rams’ head of IT is Ira McTechface. (McTechface, of course, left L.A. years ago; I hear he’s a fly-fishing guide out in Montana now. But again: hypothetical.) So the hacker buys a domain and creates an email address: IMctechface@rarns.com. Our hacker can’t get a “rams.com” address, so the “m” is replaced with an “r” and “n,” which often goes unnoticed.

The hacker sends an email from this new account to McVay, whose own address can be discerned with a simple program that tests possible combinations of first and last names and initials. “Hey, coach,” our hacker writes, “the tech guys at the NFL said everyone needs to download this program to access the league’s videoconference during the virtual draft. Download and install it as soon as you get a chance.” This program is actually malware that gives the hacker access to McVay’s laptop screen, or to its microphone, or maybe to everything on McVay’s laptop.

Now, McVay is too young/smart/handsome/successful to find himself in some villain’s crosshair. More likely, a hacker would target someone older (ageism at work!), perhaps the Rams’ hypothetical 62-year-old assistant offensive line coach, who may lack McVay’s Q rating but who has access to much of the same sensitive information.

“Hackers are largely opportunistic,” Wardle says. “It’s like a thief coming into a neighborhood. You look at the first house. They have a dog, so skip that one. The second house has an alarm system, so skip that one as well. But the third one may have left the back door or a window ajar—that’s the one!”

Depending on the motive (we’ll get to that), perhaps our hacker is targeting one or two such employees across each of the 32 teams.

But, stop! Maybe we’re overthinking this. Phishing might not even be necessary.

Bazzell points out that pretty much everyone’s email address has been made public at some point, as part of some site’s security breach. Sometimes their personal information has been revealed too—even their password.

To prove his point, Bazzell tried to find the password for my email, which he had from my interview request. “I can see you’ve used the password [redacted],” he said moments later. “But that might be old.”

“Uuummm, yeah ... that one’s old,” I replied (while frantically changing my password).

But this is a former FBI guy, you say, with the awesome power of the federal government behind him.

Doesn’t matter. “This information is out there on sites anyone can access,” Bazzell said. “They’ll charge you maybe $2 for a trial period, and you can access practically anyone's online credentials.”

First, no, I did not seek out one of those sites. Second, there’s a simple solution to all of this. Everyone in the NFL should change their password!

Well, sort of. Another hypothetical: Let’s say Bill Belichick’s email and password have been leaked somewhere in a security breach. And let’s assume his password is Charizard1, after what is surely his favorite Pokémon, and because the bastards made him use letters and numbers in his password.

If the Patriots’ IT chief tells everyone to change their passwords this week, is Belichick just going to switch his to Charizard2? Or is he going to change the Z into a 2? (You know, like those dorky Derek Jeter RE2PECT shirts?) A hacker doesn’t have to sit there, hunched over a laptop, brow furrowed, guessing at every variation. Password-cracker programs will do that in an instant.

Maybe Belichick has another go-to password, as most people do. But if that one has been leaked in a breach, it and all of its variations are going to be available to a hacker too. It’s called a “brute-force attack”—it requires less effort than it sounds. And it could end in someone getting full access to Belichick’s email account.

Belichick, as evidenced by his six Super Bowl rings, might be smart enough to choose a wholly original, new password with no connection to any of his past ones. To paraphrase Knute Rockne, football games are won by effective password selection. But will every member of the Patriots’ front office and coaching staff do the same? And how about the other 31 franchises?

There are other ways to become more secure. Two-factor authentication helps. But again, is every member of your organization going to do it on both work and personal accounts? And, even if they do, two-factor isn’t unhackable.

* * *

Hacking groups are loosely split into two types: black hat and white hat. Black-hat hackers are just what they sound like, hacking to steal money or to cause disruption or chaos. They’re the guys who, for example, hold hospitals and schools ransom. White-hat hackers assist companies with security, alerting them to vulnerabilities (while often getting compensated for their work).

In between, though, is the gray hat. OurMine, the group that in January hacked team Twitter accounts, consider themselves white hat. OurMine Guy says it has a “goal to improve internet security by proving to the world that everything is hackable;” he claims it reported to Khoros the vulnerability it exploited. Others, though, consider OurMine black hat since it (lightly) vandalizes social media accounts to advertise its security services.

As for that NFL team Twitter hack, OurMine Guy claims his outfit is not familiar with the league and its teams; the NFL’s massive Twitter following simply presented a chance to promote their services.

Everyone might be vulnerable. But, as Bazzell says, “It’s more about, Are you being targeted? And [the NFL], I think, will be targeted, simply because of the financial aspect and the potential to glean very valuable data if you can hear what’s going on.”

It’s an unlikely scenario, but any hacker targeting the NFL will likely be on the black-hat end of the spectrum. The league runs a multibillion-dollar business. A hacker with access to a team’s sensitive information could, theoretically, sell that info or ask for a ransom under the threat of releasing it. And if it’s not money, it can be the challenge, or the reward that is the notoriety that comes with hacking such a huge organization.

There’s a more likely culprit, though—one that would value such information more than any black hat, and one that coaches and front office execs seem to fear more. Another team.

The upside is obvious. So is the downside. The NFL is draconian in punishing teams deemed to have cheated. Tom Brady was suspended four games for maybe thinking about possibly requesting that a staffer release a small amount of air from a game ball. If a team were to be caught hacking an opponent, Goodell would strip it of every draft pick from now until a time when the league consists of 89 teams across three planets, with a 37-week regular season.

There are potential law enforcement consequences as well. Correa was sentenced to 46 months in prison for hacking into the Astros’ database. Surely, this reinforces lessons learned from McGruff the Crime Dog—or, really, any trench-coated cartoon animal who ever gave you advice. Crime doesn’t pay. But what if you were almost certain you wouldn’t get caught?

“The thing is, nobody is really physically anywhere when snooping online,” says Bazzell. “There’s usually no forensic evidence left behind. [Hacking can be] listening in on a conference call. If you just sit there quietly, there’s often no way of knowing you are there unless someone is constantly monitoring the call log.

“Honestly, I’d be surprised if 10%-20% of the league hasn’t tried something. You see it all the time—a low-level staffer. ... And if you do get caught, as long as it’s not a higher-up ...”

How hard is it to get away with? Correa went to prison because, according to the FBI’s conclusion, he leaked his findings, believing the Astros were stealing from his Cardinals. (As the judge pointed out at sentencing, it’s like he broke into his neighbor’s house because he suspected they were stealing his stuff.) The Tunsil hacker has never been charged.

* * *

If you’re expecting to tune in Thursday night and see some very inappropriate images dropped over Roger Goodell’s visage, I’ve got some sour news for you: The broadcast itself will likely be exceedingly secure. While there are some additional stresses on ESPN—fewer engineers available at the network’s Bristol headquarters; the difficulty of setting up home shots for 58 prospects with minimal on-site presence—the network doesn’t rely on consumer commercial means for its video feeds, making them far less susceptible to an attack. But most of all: While Bristol has its charms, broadcasting video of people, places and things outside of Bristol is what ESPN does 365 days a year. There’s already a robust security apparatus in place. This draft isn’t a huge departure from what the network normally does.

Conversely, this is anything but business as usual for the teams. Two months ago, no one thought they’d be preparing for a virtual draft. If teams had more lead time, they might have done things differently, perhaps rented servers so they could self-host.

“In a dream world, it would be better to have an NFL-sponsored server host all of the communications securely. Instead, you’re going to have this patchwork system where one team does it really well, really private, really secure. And then you’re going to have teams that say, ‘I have this app on my computer already, so let’s just use that.’ There are going to be people in senior positions who don’t want the fuss, and they’re going to dictate, ‘Let’s just use this thing my granddaughter uses, because that will be easiest.’ ”

We know that teams have been scrambling to get their execs set up in their homes, a challenge for many who were trying to quarantine. Falcons general manager Thomas Dimitroff told NBC’s Peter King that on draft night an IT staffer will enter through his side door and spend the night waiting in the basement, in the event he’s needed. There will be tech failures. (Remember, Belichick and the tablets?) Calls will be dropped, laptops will freeze, Wi-Fi will slow and cut out.

IT staffers will be on the front line, and after all this tech talk, we really should end on a football metaphor, so: Think of them as offensive linemen. Because, as OurMine Guy put it, “Hackers will always find new ways to get into [systems]. The IT team should be creative and think how the hacker will get into their system, so they [can] block it before it comes to them.”

There’s a good chance it’s been coming to them for weeks now, whether or not they realize it.