Zoom, the videoconferencing application that has grown from 10 million users in December to over 200 million today (an increase of 1,900%), is easily the most popular virtual meeting service for businesses, nonprofits, schools, and social groups from all walks of life. It’s also the most downloaded app in the Apple and Google app stores, according to Apptopia.
And with social distancing in place for the foreseeable future due to COVID-19, Zoom is one of the best options to remain connected with others. However, it’s also emerged as a favored way for nefarious characters to cause havoc and derail virtual meetings.
Zoom-bombing is when intruders gain access to normal video calls and inject hate speech and/or offensive images. Attackers have disrupted an Alcoholics Anonymous meeting in New York, a Sunday school in Texas, online classes at the University of Southern California, and a city meeting in Kalamazoo, Michigan. On March 30, Zoom-bombers crashed a meeting on cyberattacks, of all things. Right as the presenter began a discussion on disinformation on social media, the hacker scribbled on the screen, forcing an early end to the meeting.
Hackers Are on a Mission to Disrupt Zoom Meetings
An analysis by The New York Times found 153 Instagram accounts, dozens of Twitter accounts and private chats, and several active message boards where thousands of hackers gathered to organize Zoom harassment campaigns. Groups are actively sharing ideas for attacks, meeting passwords, and other plans for creating chaos. Some hackers are bragging about their Zoom-bombing successes, posting sessions on YouTube, TikTok, and live streaming attacks on Twitch.
Zoom-bombing has become so prevalent that the FBI recently issued a news release to warn people of the threat. The release offers steps users can take to mitigate videoconference hijacking threats, such as requiring a meeting password for all users, not sharing a link to a teleconference on social media, and making sure the host is the only one with screen-sharing options.
As of Monday, April 6, the Department of Education for the city of New York banned schools from using the Zoom platform, suggesting that educators switch to systems like Microsoft Teams or Google for Education. In addition, Elon Musk's SpaceX and NASA have reportedly banned workers from using Zoom.
Zoom Was Built for Enterprises, Not Hundreds of Millions of Consumers
Clearly, Zoom’s usage has skyrocketed in ways the company never could have predicted. And Zoom should be commended for the good it is doing during the COVID-19 pandemic, such as providing businesses, schools, and families with a free tool to keep in touch. However, the application was not designed with privacy and security as a major factor. It was built as an enterprise technology tool for large organizations with full IT support, so it is understandable that the company might not be prepared to moderate the behavior of hundreds of millions of users.
Zoom admitted as much. Zoom CEO Eric Yuan published a blog post last Wednesday to address users’ security and privacy concerns on the application. “We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” Yuan says in the post. Yuan added, "We recognize that we have fallen short of the community's—and our own—privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it."
How Zoom and the FBI Are Taking Initiative Against Zoom-bombing
On April 2, the FBI’s Cybersecurity and Infrastructure Security Agency (CISA) released guidance on how to defend against video-teleconferencing (VTC) hijacking. CISA encourages users and organizations to review the FBI guidance and adhere to the following steps to improve VTC cybersecurity:
- Ensure meetings are private, either by requiring a password for entry or controlling guest access from a waiting room.
- Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
- Ensure VTC software is up to date (see security tip on understanding patches and software updates).
For the next 90 days, Zoom announced they are freezing features of the platform to fix privacy issues. The company says it is “committed to dedicating the resources needed to better identify, address, and fix issues proactively.” It goes on to explain that it is “also committed to being transparent throughout this process.” Since April 1, Zoom has clarified the facts around encryption on its platform and says it plans to conduct security reviews with third-party experts and make many other enhancements.
Tips on Making Zoom Meetings More Secure
For now, users hosting Zoom meetings can follow some basic guidelines to ensure their meetings are private and secure. It starts by ensuring basic settings and protocols are configured correctly, including:
- Approve all attendees joining the conference by setting up a waiting room
- Require a password for all instant meetings
- Play a sound when participants join or leave, heard by the host only
- Enable screen sharing for the host only
- Identify all guest participants in meeting/webinar
In addition to the above, hosts should disable their Personal Meeting ID (PMI) when scheduling a meeting or when starting an instant meeting.
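As an added example (not from the original post or from Zoom), the audit below checks a host's meeting settings against the guidelines listed above and reports which ones are not met. The settings document is constructed here; its key names are an assumption modelled on the shape of Zoom's user-settings JSON (the `identify_guests` key is hypothetical), so verify them against the current API reference before using this on real accounts.

```python
"""Audit a host's meeting settings against the hardening tips above.

Key names are an assumption modelled on Zoom's user-settings JSON;
`identify_guests` is a hypothetical key. Check them against the current
API reference before running this against real accounts.
"""

# Constructed sample: a host who kept permissive defaults (not real data).
SAMPLE_SETTINGS = {
    "schedule_meeting": {
        "require_password_for_instant_meetings": False,
        "use_pmi_for_scheduled_meetings": True,
        "use_pmi_for_instant_meetings": False,
    },
    "in_meeting": {
        "waiting_room": False,
        "entry_exit_chime": "none",     # "host", "all" or "none"
        "screen_sharing": True,
        "who_can_share_screen": "all",  # "host" or "all"
        "identify_guests": False,       # hypothetical key
    },
}


def audit_host_settings(settings):
    """Return the names of the hardening tips these settings do not satisfy."""
    sm = settings.get("schedule_meeting", {})
    im = settings.get("in_meeting", {})
    checks = [
        ("waiting room enabled", im.get("waiting_room") is True),
        ("password required for instant meetings",
         sm.get("require_password_for_instant_meetings") is True),
        ("join/leave sound heard by host only",
         im.get("entry_exit_chime") == "host"),
        ("screen sharing restricted to host",
         im.get("screen_sharing") is False
         or im.get("who_can_share_screen") == "host"),
        ("guest participants identified", im.get("identify_guests") is True),
        ("PMI not used for scheduled or instant meetings",
         sm.get("use_pmi_for_scheduled_meetings") is False
         and sm.get("use_pmi_for_instant_meetings") is False),
    ]
    # Missing keys count as failures: an absent control is not a safe one.
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    for finding in audit_host_settings(SAMPLE_SETTINGS):
        print("FAIL:", finding)
```

Running it across every host's settings on an account turns the checklist into a repeatable report rather than a one-time manual review.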
Like all of us, Zoom is fighting to stay on top of the constant barrage of change caused by COVID-19. At Contrast, we’re doing the same, helping organizations and workers to stay on top of the new status quo of working from home and supporting our customers and partners—whether by ensuring that we have a robust business continuity plan (BCP) in place, or by developing application security (AppSec) software that enables developers and security teams to maintain optimal efficiencies without sacrificing security while working from home.