
Videoconferencing Is Being Weaponized, Tips on Making Your Meetings More Secure

Zoom, the videoconferencing application that has grown from 10 million users in December to over 200 million today (an increase of 1,900%), is easily the most popular virtual meeting service for businesses, nonprofits, schools, and social groups from all walks of life. It’s also the most downloaded app in the Apple and Google app stores, according to Apptopia.

And with social distancing in place for the foreseeable future due to COVID-19, Zoom is one of the best options to remain connected with others. However, it’s also emerged as a favored way for nefarious characters to cause havoc and derail virtual meetings.

Zoom-bombing is when intruders gain access to normal video calls and inject hate speech and/or offensive images. Attackers have disrupted an Alcoholics Anonymous meeting in New York, a Sunday school in Texas, online classes at the University of Southern California, and a city meeting in Kalamazoo, Michigan. On March 30, Zoom-bombers crashed a meeting on cyberattacks, of all things. Right as the presenter began a discussion on disinformation on social media, the hacker scribbled on the screen, forcing an early end to the meeting.

Hackers Are on a Mission to Disrupt Zoom Meetings

An analysis by The New York Times found 153 Instagram accounts, dozens of Twitter accounts and private chats, and several active message boards where thousands of hackers gathered to organize Zoom harassment campaigns. Groups are actively sharing ideas for attacks, meeting passwords, and other plans for creating chaos. Some hackers are bragging about their Zoom-bombing successes, posting sessions on YouTube, TikTok, and live streaming attacks on Twitch.

Zoom-bombing has become so prevalent that the FBI recently issued a news release to warn people of the threat. The release offers steps users can take to mitigate videoconference hijacking threats, such as requiring a meeting password for all users, not sharing a link to a teleconference on social media, and making sure the host is the only one with screen-sharing options.

As of Monday, April 6, the Department of Education for the city of New York banned schools from using the Zoom platform, suggesting that educators switch to systems like Microsoft Teams or Google for Education. In addition, Elon Musk's SpaceX and NASA have reportedly banned workers from using Zoom.

Zoom Was Built for Enterprises, Not Hundreds of Millions of Consumers

Clearly, Zoom’s usage has skyrocketed in ways the company never could have predicted. And Zoom should be commended for the great things it is doing during the COVID-19 pandemic, such as providing businesses, schools, and families with a free tool to keep in touch. However, the application wasn’t designed with privacy and security as a major factor. It was built as an enterprise technology tool for large organizations with full IT support. So it is understandable that the company might not be prepared to moderate user behavior for hundreds of millions of users.

Zoom admitted as much. Zoom CEO Eric Yuan published a blog post last Wednesday to address users’ security and privacy concerns about the application. “We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways,” Yuan says in the post, “presenting us with challenges we did not anticipate when the platform was conceived.” Yuan added, “We recognize that we have fallen short of the community’s—and our own—privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.”

How Zoom and the FBI Are Taking Initiative Against Zoom-bombing

On April 2, the FBI’s Cybersecurity and Infrastructure Security Agency (CISA) released guidance on how to defend against video-teleconferencing (VTC) hijacking. CISA encourages users and organizations to review the FBI guidance and adhere to the following steps to improve VTC cybersecurity:

  • Ensure meetings are private, either by requiring a password for entry or controlling guest access from a waiting room.
  • Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
  • Ensure VTC software is up to date (see security tip on understanding patches and software updates).

For the next 90 days, Zoom has announced a freeze on new features so that it can concentrate on fixing privacy and security issues. The company says it is “committed to dedicating the resources needed to better identify, address, and fix issues proactively.” It goes on to explain that it is “also committed to being transparent throughout this process.” Since April 1, Zoom has clarified the facts around encryption on its platform and says it plans to conduct security reviews with third-party experts and make many other enhancements.

Tips on Making Zoom Meetings More Secure

For now, users hosting Zoom meetings can follow some basic guidelines to ensure their meetings are private and secure. It starts by ensuring basic settings and protocols are configured correctly, including:

In addition to the above, hosts should disable their Personal Meeting ID (PMI) when scheduling a meeting or when starting an instant meeting.
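The CISA steps and the host-side settings above (password, waiting room, host-only screen sharing, not posting the join link publicly, keeping the client current, and avoiding the Personal Meeting ID) can be turned into a simple audit. The script below is an added example, not code from the original post or from Zoom; the record field names, the host PMI, the version baseline and the sample meeting records are all constructed assumptions, not Zoom's API schema.

```python
# Added example: audit scheduled-meeting records against the hardening steps
# listed in the post. Field names, the PMI and the versions below are
# constructed for illustration and do not reflect Zoom's real API or releases.

HOST_PMI = "123-456-7890"  # constructed: the host's Personal Meeting ID

# Constructed baseline for the "keep software up to date" check (placeholder).
MIN_CLIENT_VERSION = (5, 0, 0)

# Constructed sample records, one per scheduled meeting.
SAMPLE_MEETINGS = [
    {"id": "123-456-7890", "topic": "Team standup", "password_required": False,
     "waiting_room": False, "screen_share": "all", "link_posted_publicly": True,
     "client_version": "4.9.1"},
    {"id": "987-654-3210", "topic": "Board review", "password_required": True,
     "waiting_room": True, "screen_share": "host_only",
     "link_posted_publicly": False, "client_version": "5.0.0"},
]


def parse_version(text):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def audit_meeting(meeting, host_pmi=HOST_PMI):
    """Return a list of findings; an empty list means the meeting passes."""
    findings = []
    if not meeting.get("password_required"):
        findings.append("no meeting password")
    if not meeting.get("waiting_room"):
        findings.append("waiting room disabled")
    if meeting.get("screen_share") != "host_only":
        findings.append("screen sharing not limited to host")
    if meeting.get("link_posted_publicly"):
        findings.append("join link shared publicly")
    if meeting.get("id") == host_pmi:
        findings.append("uses Personal Meeting ID instead of a one-off ID")
    if parse_version(meeting.get("client_version", "0")) < MIN_CLIENT_VERSION:
        findings.append("client out of date")
    return findings


def audit_all(meetings, host_pmi=HOST_PMI):
    """Map each meeting topic to its findings."""
    return {m["topic"]: audit_meeting(m, host_pmi) for m in meetings}


if __name__ == "__main__":
    for topic, findings in audit_all(SAMPLE_MEETINGS).items():
        print(f"{topic}: {'OK' if not findings else '; '.join(findings)}")
```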

Like all of us, Zoom is fighting to stay on top of the constant barrage of change caused by COVID-19. At Contrast, we’re doing the same, helping organizations and workers to stay on top of the new status quo of working from home and supporting our customers and partners—whether by ensuring that we have a robust business continuity plan (BCP) in place, or by developing application security (AppSec) software that enables developers and security teams to maintain optimal efficiencies without sacrificing security while working from home.

David Lindner, Chief Information Security Officer

David is an experienced application security professional with over 20 years in cybersecurity. In addition to serving as the chief information security officer, David leads the Contrast Labs team that is focused on analyzing threat intelligence to help enterprise clients develop more proactive approaches to their application security programs. Throughout his career, David has worked within multiple disciplines in the security field—from application development, to network architecture design and support, to IT security and consulting, to security training, to application security. Over the past decade, David has specialized in all things related to mobile applications and securing them. He has worked with many clients across industry sectors, including financial, government, automobile, healthcare, and retail. David is an active participant in numerous bug bounty programs.