Security awareness

Zoombombing: How it works and how to prevent it from happening to you

Susan Morrow
May 11, 2020 by
Susan Morrow

Introduction

COVID-19 is likely to be the Oxford English Dictionary’s word of the year for 2020. But as well as entering our lexicon across the world, it has also changed us at a cultural level. One aspect of this is in how we communicate at work.

Online collaboration platforms were already seeing a hiatus before the coronavirus swept the planet. Now, platforms that handle video conferencing are experiencing a renaissance. 

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

One such platform is Zoom. This video conferencing platform is less than 10 years old but is seeing record numbers of users since the advent of the COVID-19 pandemic. The daily active users (DAU) of Zoom had increased from 10 million to 200 million in the three months leading up to March 2020. In a letter to users, Zoom’s founder Eric Yuan said: “… as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants …

Zoom is used by many of those 200 million participants for business purposes. In doing so, sensitive and proprietary information is shared. But a phenomenon known as Zoombombing is threatening the safe use of Zoom for work.

With this in mind, I’ll take a look at the security aspects of using Zoom in a business context and the current options available on the platform to improve safety.

Zoombombing: Why it’s more than just annoying

In late March, the FBI put out a warning that video conferencing platforms were being hijacked, saying: “FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language.”

A recent Zoom meeting by digital identity industry group Women in Identity (WiD) experienced the sexist side of Zoombombing. The group, who have been meeting regularly on Zoom to discuss industry issues and for general support during the coronavirus pandemic, had a session Zoombombed. The group was subjected to insulting and degrading commentary to the point that the meeting had to be shut down.

Zoombombing is a fairly recent one but the sentiment behind it is not. Zoombombing is just a fancy word to describe eavesdropping or trolling, depending on why it is being used. A Zoom meeting is Zoombombed when an uninvited party or parties enters the Zoom meeting room. 

This has been happening increasingly as the platform has increased in popularity. Sometimes Zoombombs are annoying, but often they are nasty or sexist or racist or all of the above. In a business context, they could also be a point of exposure of sensitive information.

Zoom harassment campaigns have been subsequently identified by researchers. Social platforms including Twitter and Instagram have been used to coordinate Zoombombing activities.

To Zoombomb a meeting, often all that is needed is the Zoom MeetingID: When you set up a Zoom meeting a Zoom URL is automatically generated. It takes the format, https://us04web.zoom.us/x/xxxxx. If you go into a social platform like Twitter and put https://us04web.zoom.us into the search, you will come up with many Zoom meeting posts and tweets. Some may even contain the password if the meeting has one — see example below:

 

Source: Twitter

Zoombombing, however, is more than an annoyance. In a business context, it could end with exposure of data and other company information. 

If a Zoombomber enters a meeting with a number of people on the call you may not even notice. If you are discussing company business, perhaps sharing screens to discuss data, software code, ideas and intellectual property, a Zoombomber could be taking screenshots and notes. You can imagine how Zoom, or a similar video conferencing tool, could end up as the ideal candidate for cyber espionage.

To prevent your Zoom conferences from becoming yet another way that cybercriminals can steal information, follow our 10 tips to safe Zooming below.

10 tips to prevent Zoombombing

Use a password

Passwords are not the most robust of authentication options, but it is better to have a password than not. Set a password for entry to a Zoom meeting when you set one up. You are limited to 10 characters only, so make the most of them.

Use 2FA (if possible)

If you have a paid or education account, you can set up two-factor authentication (2FA) for logging into your Zoom account. The Zoom 2FA option is currently the Google Authenticator App.

Do not overshare

Never put your meeting URL on a social platform unless you intend it to be fully public and can manage Zoombombers. If you are using a password to protect entry to a meeting, definitely don’t put the password on social media.

Do not overshare (again)

Screenshots of your meeting on social media could reveal information about yourself, your home and potentially, business information. Avoid sharing them on social media.

Keep Zoom updated

Two zero-day flaws (which have now been patched) in the Zoom app allowed hackers to access the microphone and camera of a device. Zoom has listened to the criticism of earlier versions of the platform and started to push security updates out. If you get a prompt to update the app, do so.

Keep guests waiting

Use the waiting room option. This gives you a chance to double-check the person waiting to join is a legitimate guest.

Auto-generate MeetingID

Don’t use the Personal Meeting ID option. If this leaks out, it can be used by Zoombombers at will.

Mute on entry

Use the option “Mute on entry” to set guests to muted until you unmute. This gives you a chance to again double-check that everyone in the meeting is legitimate.

Share screen control

Set Zoom screen control to “Only Host.” Zoombombers are known to take control of the screen to post insulting and illicit images.

Be Zoom security-aware

Be aware of security, what you are saying, what is being shown on screen and who you are talking to. Unconsented screenshot capture of diagrams and other images as you present could be taken.

If you are using Zoom for regular company meetings that could include private or sensitive information being discussed, it is a good idea to use the paid version. This allows you to choose additional security, including Single Sign-On (SSO) using Active Directory and the SAML 2.0 protocol. Of course, use of these options is more complicated when you are using a home working environment.

Could there be a zero-trust Zoom?

If Zoom wants to deliver the level of security required to protect corporate communications, they could turn to modern identity and access management capabilities. A “zero-trust Zoom” could add a dimension of security lacking in the current version. 

The idea behind zero-trust security is one of “Never trust, always verify.” This mantra seems fitting, as Zoombombing does have the potential to become a serious security threat. 

For Zoom to incorporate this level of security, the platform would need to encompass the principle of context-based user identity to control access to meetings. An extended Identity and Access Management (IAM) component of the platform could offer this capability. Coupled with more robust multi-factor authentication options, Zoom could create more secure meetings that would give enterprises the comfort of a protected workspace to discuss even sensitive business. 

Zoom is popular because it is very easy to set up and join meetings. However, security layers must be added if Zoom is to be used in a safer and enterprise-friendly manner. How security is implemented is important, as a friction-free experience is what makes Zoom so popular.

Get six free posters

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.

 

Sources

  1. A Message to Our Users, Zoom Blog
  2. FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic, FBI.gov
  3. Setting up and using two-factor authentication, Zoom Help Center
  4. Two Zoom Zero-Day Flaws Uncovered, Threatpost
Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.