NFL Draft 2020: Can the fully virtual draft be hacked? A network security expert weighs in

NFL teams will have to be on their toes come Thursday

By Jordan Dajani

Apr 21, 2020 at 8:57 am ET • 5 min read

The NFL is entering uncharted waters this week, as it will complete the first ever virtual NFL Draft. Some head coaches are more tech savvy than others, but a fully virtual draft brings different kinds of obstacles that front offices have never dealt with before.

For the past month, many teams, coaches and general managers have conducted virtual press conferences through the videoconferencing giant Zoom -- and many figure to use the service when teams virtually gather around the table to make their selections in the 2020 NFL Draft. Baltimore Ravens head coach John Harbaugh recently expressed concern over how the virtual NFL Draft will go.

"Yeah, big concern," Harbaugh said during a conference Zoom call, via Jonas Shaffer of the Baltimore Sun. "Every time I read something in, like, the Wall Street Journal or the New York Times that talks about how messed up Zoom is, or some of these other deals ... I immediately text it to our IT people, and [director of football administration] Nick Matteo's one of those guys, and they assure me that we are doing everything humanly possible."

So, is it possible the NFL Draft could be "hacked"? The answer is complicated, but it will be possible to capitalize off of the NFL Draft going virtual if your moral compass skews south. Recently, Chin-Tser Huang, a network security expert and professor at the University of South Carolina, spoke with CBS Sports about some concerns he has regarding Zoom as well as the virtual draft in general.

"Basically, we know that communication over Zoom -- both the video conferencing and also the chatting -- will be recorded," Huang said. "That's usually for later access. But when the videoconferencing is ongoing, we of course want to have it encrypted for the confidentiality, and the encryption for Zoom is based on the AES encryption. That means that every participant of this meeting, they all use the same key for encryption.

"Zoom has many servers that are used to generate this key, and some of their key generation servers are located in China. So because of this, the Chinese government, according to the law, they get a copy to the key, and according to the Chinese encryption law, any foreign company ... if they are conducting some kind of encryption they need to get permission and approval from the Chinese government. If they get a copy of the key, all communication theoretically could be accessed by Chinese agents."

Recently, Zoom announced in a blog post that paying customers will be able to choose which data center their calls are routed from and that all data will no longer be routed through China, but Huang has his doubts. He questioned if there was a "behind the curtain" agreement with the Chinese government concerning not just data routing, but also storage servers. Zoom CEO Eric Yuan recently said that the COVID-19 pandemic caused their number of users to balloon, which left the company rushing to add server capacity. Yuan admitted that they failed to implement their usual geo-fencing best practices and that routing calls to systems in China was not their intention.

"They could end up having playbooks and information about other players and trade discussions with other teams," Huang said. "This should be secret information of course. Additionally, if we choose to record our talk so we can go over it again, storage servers are located in China. That information could be sold by Chinese agents."

Zoom has already been accused of selling users' personal data, so could a team attempt to buy the full unedited zoom call from a rival's draft? You would certainly hope not.

Videos and chats being sold after the fact of course couldn't affect the live NFL Draft as it's occurring this week, but the threat of hackers is a real one.

"If an account of some legitimate participant who is invited to join a draft meeting and that account has been compromised, a hacker could watch or record what is going on in real time," Huang said.

We don't know who exactly will be on these draft calls later this week for each team, but Zoom has the capability to host hundreds of users. Forbes recently reported that half of a million hacked Zoom accounts are being given away for free on the dark web.

"This has already happened," Huang said. "It's not conjecture whether this is possible or not. Hackers have already hacked legitimate accounts from many big companies."

What do people do with these hacked accounts? They could watch the call without anyone knowing -- and then of course there is the new phenomenon of "Zoom-Bombing."

Recently, Donnell Williams -- who heads the National Association of Real Estate Brokers -- told CBS News that he was on a Zoom call with over 200 people when someone hacked in and drew inappropriate pictures and started making racist comments. Hackers have started to take over meetings by playing inappropriate videos on screen and also taking over the audio of a meeting.

So, how should companies and NFL teams up their game when it comes to security measures? Professor Huang said that putting extra effort into passwords and also making the decision to use another service would help.

"Every participant of the meeting will need to be aware of such risks so that they will be more careful," Huang said. "They have to choose sufficiently secured passwords instead of easy ones. Secondly, perhaps Zoom is not a trustworthy platform for conducting meetings that will involve commercial secrets. I think some American companies such as Google Meetings or Microsoft Teams would be better choices."

Earlier this month, the NFL told its 32 clubs that they should consider the Microsoft Teams service instead of Zoom -- but they did not require it. If virtually every NFL team has been using Zoom so far this offseason, there is a possibility not all 32 teams will move to another service.

IT teams will be on their toes and the league in general will be working overtime to make sure the draft goes off without a hitch. But even if you aren't concerned about foreign governments, the fact is that this is the Super Bowl for hackers. Last week, PFT Commenter of the "Pardon My Take" podcast offered $5,000 for access to the NFL Draft conference call number in order to make fake draft picks for the New York Giants. Being able to tap into a nationally televised event during this unprecedented time or take over the screen or audio of a team and cause mass confusion when they are on the clock could cause problems behind the scenes -- and teams have to be ready for that possibility.