I recently wrote about the importance of security while working from home during COVID-19, noting at the time that we were already seeing “dramatic increases in security threats as bad actors try to capitalize on the chaos.” A new type of attack, called “Zoombombing” or “Zoomraiding” specifically targets the over 200 million daily Zoom meeting participants that now rely on the video conferencing solution for remote work, remote education and social connection.
What is Zoombombing?
Zoombombing is a new type of cyberattack and, according to the U.S. Department of Justice, a federal crime (not a prank). Zoombombers are hacking Zoom meetings, causing disruption and emotional distress to attendees by projecting offensive images, using hate speech and/or threatening language and “doxxing” meeting attendees by sharing personal information about them.
Why is Zoombombing a Thing?
In response to COVID-19, millions of organizations, schools and individuals turned to Zoom to stay operational and connected. One reason for the massive increase in use is that Zoom’s platform is as easy to use as possible. If there’s one common moral in cybersecurity, it’s that security often sacrifices for ease of use.
The Problems with Zoom
There are 3 separate issues with Zoom that made this type of attack possible:
1. How People use Zoom
The Zoom issue isn’t unlike what we saw in 2019 with the Ring camera, where part of the problem was how easy and accessible the technology was. In fact, this isn’t the first time Zoom has been accused of having lax security practices.
If you leave Zoom’s default settings (as of March 2020) enabled, anyone who knows or guesses your Meeting ID can join your meeting. It’s not hard to discover these IDs. There are bots that call the Zoom number and enter all possible combinations of numbers to see what‘s accepted. Zoom Meeting IDs are posted on Instagram, Twitter, Reddit and other sites. Thousands of people access these sites (Social media platforms are working to disable this content).
2. How Zoom is Built
Let’s be fair to Zoom – every piece of software has vulnerabilities; even if not yet known. There’s no such thing as invulnerable software. Significant growth in the user base of an application or platform will always attract cybercriminals trying to exploit it. As a result of COVID-19, Zoom is under a Hubble-sized telescope, drawing increased attention from security and privacy experts, government organizations, and cybercriminals. Technical flaws were found and exploited.
There are flaws in how Zoom installs and uninstalls on the Mac. There are flaws in how Zoom accesses cameras and microphones. On Windows, there are flaws in how Zoom shares links and potentially exposes passwords.
To their credit, Zoom has acknowledged the issues and they’re working on the problem. Zoom CEO Eric Yuan recently announced a 90-day freeze on new features so the company can fully focus on addressing security and privacy issues.
3. Zoom’s Approach to Privacy
Even before COVID-19, security experts had concerns about the information Zoom collected and what they were doing with it. There were concerns about Zoom sending information to Facebook without people’s full knowledge. Zoom updated their terms and conditions multiple times within the past two months.
The terms utilized in the education space very clearly state what information they are gathering, and some of it is downright alarming. This “usage information” may include “actions taken, information related to logins, clicks, messages, contacts, content viewed and shared, calls, use of video and screen sharing, meetings, cloud recording,” and more. New York City felt so strongly about the security and privacy concerns around Zoom that the Department of Education encouraged schools to stop using Zoom and switch to Microsoft Teams instead.
It’s easy to see how this happened. Nothing in life is free. So, when Zoom or any other company gives away use of their platform for free, you need to question how they are making money. In general, if you’re not paying for it, YOU are the product. The company is making money off of the information you’re consenting to provide to them when you quickly click “agree” to make the terms and conditions box go away.
While there hasn’t been as much transparency historically as we would like, Zoom’s CEO has been increasingly candid about the issues and the company appears to be focused on addressing its security gaps.
To Zoom or Not to Zoom
Since the Zoombombing stories hit the press, I have been asked about how I feel as a security expert about people continuing to use Zoom. The answer, as it often is, is “it depends.” Here are some considerations:
- Does your organization fall under compliance regulations or deal with highly confidential information? I would be reluctant to use Zoom in these kinds of situations. For my confidence in Zoom to increase, I would need to see some significant improvements to Zoom’s privacy practices. This includes greater transparency, clearly identified data sets and an ability to opt out of sharing information I didn’t want to share.
- Is Zoom the only tool you have available? If you initially said yes, are you sure? For Microsoft Office 365 users, you have Teams, and I’d recommend Teams over Zoom right now for security features.
If You Must Zoom, Protect Yourself from Zoombombing
If Zoom is your only option for teleconferencing, here are some things you can do to make it safer:
Make sure you have the latest updates. Zoom is actively working on addressing security concerns. It’s important to make sure you’re on the latest version of the app.
Require a password for personal meetings, including generating and requiring passwords for people joining by phone. As of April 4, 2020, Zoom updated its default password settings, but please take the time to review your own settings.
Enable lobbies, or waiting rooms so people can’t automatically join your meeting. As of April 4, 2020, Zoom has also enabled this feature “for all Basic users on free accounts”, among others.
Avoid sharing the link to your meeting on public websites, including social media. Send the link directly to your meeting guests or share it on a secure site that requires a login.
Review your screensharing settings in Zoom and ensure that the “Host Only” option is enabled. This is a protective measure so that if someone does hijack your meeting, they can’t present.
Don’t post images that show your Meeting ID. Many people are sharing screen captures of their Zoom meetings in well-intentioned attempts to increase connection. However, make sure these images don’t contain your meeting ID.
Visit Zoom’s security page and read about the information they collect, how they use it, their security practices and the changes they are implementing.
If you are the victim of Zoombombing or any teleconference hacking, or teleconference hijacking, report it to the FBI’s Internet Crime Complaint Center. Per the U.S. Department of Justice, if you receive a specific threat during a teleconference, please report it to the FBI or call the FBI Detroit Division at (313) 965-2323.
We’re Here to Help
As we all get used to this “new normal” for working from home, we may end up having to rely on new applications or technologies to be able to get our jobs done. It’s imperative that we look at the security associated with each of these as we roll them out and become dependent on them (even addicted?). Cyberattacks don’t ever take a break, so we need to make sure we’re constantly evaluating our security posture. The last thing anyone wants – amongst everything else we’re dealing with – is to have to deal with a cyberattack.
As always, feel free to reach out to us with any questions. We’d be happy to discuss your options and how to keep your business safe. We’re here to help.