Zoombombing: How it works and how to prevent it from happening to you
Introduction
COVID-19 is likely to be the Oxford English Dictionary’s word of the year for 2020. But as well as entering our lexicon across the world, it has also changed us at a cultural level. One aspect of this is in how we communicate at work.
Online collaboration platforms were already seeing a hiatus before the coronavirus swept the planet. Now, platforms that handle video conferencing are experiencing a renaissance.
See Infosec IQ in action
One such platform is Zoom. This video conferencing platform is less than 10 years old but is seeing record numbers of users since the advent of the COVID-19 pandemic. The daily active users (DAU) of Zoom had increased from 10 million to 200 million in the three months leading up to March 2020. In a letter to users, Zoom’s founder Eric Yuan said: “… as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants …”
Zoom is used by many of those 200 million participants for business purposes. In doing so, sensitive and proprietary information is shared. But a phenomenon known as Zoombombing is threatening the safe use of Zoom for work.
With this in mind, I’ll take a look at the security aspects of using Zoom in a business context and the current options available on the platform to improve safety.
Zoombombing: Why it’s more than just annoying
In late March, the FBI put out a warning that video conferencing platforms were being hijacked, saying: “FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language.”
A recent Zoom meeting by digital identity industry group Women in Identity (WiD) experienced the sexist side of Zoombombing. The group, who have been meeting regularly on Zoom to discuss industry issues and for general support during the coronavirus pandemic, had a session Zoombombed. The group was subjected to insulting and degrading commentary to the point that the meeting had to be shut down.
Zoombombing is a fairly recent one but the sentiment behind it is not. Zoombombing is just a fancy word to describe eavesdropping or trolling, depending on why it is being used. A Zoom meeting is Zoombombed when an uninvited party or parties enters the Zoom meeting room.
This has been happening increasingly as the platform has increased in popularity. Sometimes Zoombombs are annoying, but often they are nasty or sexist or racist or all of the above. In a business context, they could also be a point of exposure of sensitive information.
Zoom harassment campaigns have been subsequently identified by researchers. Social platforms including Twitter and Instagram have been used to coordinate Zoombombing activities.
To Zoombomb a meeting, often all that is needed is the Zoom MeetingID: When you set up a Zoom meeting a Zoom URL is automatically generated. It takes the format, https://us04web.zoom.us/x/xxxxx. If you go into a social platform like Twitter and put https://us04web.zoom.us into the search, you will come up with many Zoom meeting posts and tweets. Some may even contain the password if the meeting has one — see example below:
Source: Twitter
Zoombombing, however, is more than an annoyance. In a business context, it could end with exposure of data and other company information.
If a Zoombomber enters a meeting with a number of people on the call you may not even notice. If you are discussing company business, perhaps sharing screens to discuss data, software code, ideas and intellectual property, a Zoombomber could be taking screenshots and notes. You can imagine how Zoom, or a similar video conferencing tool, could end up as the ideal candidate for cyber espionage.
To prevent your Zoom conferences from becoming yet another way that cybercriminals can steal information, follow our 10 tips to safe Zooming below.
10 tips to prevent Zoombombing
Use a password
Passwords are not the most robust of authentication options, but it is better to have a password than not. Set a password for entry to a Zoom meeting when you set one up. You are limited to 10 characters only, so make the most of them.
Use 2FA (if possible)
If you have a paid or education account, you can set up two-factor authentication (2FA) for logging into your Zoom account. The Zoom 2FA option is currently the Google Authenticator App.
Do not overshare
Never put your meeting URL on a social platform unless you intend it to be fully public and can manage Zoombombers. If you are using a password to protect entry to a meeting, definitely don’t put the password on social media.
Do not overshare (again)
Screenshots of your meeting on social media could reveal information about yourself, your home and potentially, business information. Avoid sharing them on social media.
Keep Zoom updated
Two zero-day flaws (which have now been patched) in the Zoom app allowed hackers to access the microphone and camera of a device. Zoom has listened to the criticism of earlier versions of the platform and started to push security updates out. If you get a prompt to update the app, do so.
Keep guests waiting
Use the waiting room option. This gives you a chance to double-check the person waiting to join is a legitimate guest.
Auto-generate MeetingID
Don’t use the Personal Meeting ID option. If this leaks out, it can be used by Zoombombers at will.
Mute on entry
Use the option “Mute on entry” to set guests to muted until you unmute. This gives you a chance to again double-check that everyone in the meeting is legitimate.
Share screen control
Set Zoom screen control to “Only Host.” Zoombombers are known to take control of the screen to post insulting and illicit images.
Be Zoom security-aware
Be aware of security, what you are saying, what is being shown on screen and who you are talking to. Unconsented screenshot capture of diagrams and other images as you present could be taken.
If you are using Zoom for regular company meetings that could include private or sensitive information being discussed, it is a good idea to use the paid version. This allows you to choose additional security, including Single Sign-On (SSO) using Active Directory and the SAML 2.0 protocol. Of course, use of these options is more complicated when you are using a home working environment.
Could there be a zero-trust Zoom?
If Zoom wants to deliver the level of security required to protect corporate communications, they could turn to modern identity and access management capabilities. A “zero-trust Zoom” could add a dimension of security lacking in the current version.
The idea behind zero-trust security is one of “Never trust, always verify.” This mantra seems fitting, as Zoombombing does have the potential to become a serious security threat.
For Zoom to incorporate this level of security, the platform would need to encompass the principle of context-based user identity to control access to meetings. An extended Identity and Access Management (IAM) component of the platform could offer this capability. Coupled with more robust multi-factor authentication options, Zoom could create more secure meetings that would give enterprises the comfort of a protected workspace to discuss even sensitive business.
Zoom is popular because it is very easy to set up and join meetings. However, security layers must be added if Zoom is to be used in a safer and enterprise-friendly manner. How security is implemented is important, as a friction-free experience is what makes Zoom so popular.
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Sources
- A Message to Our Users, Zoom Blog
- FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic, FBI.gov
- Setting up and using two-factor authentication, Zoom Help Center
- Two Zoom Zero-Day Flaws Uncovered, Threatpost
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- Zoombombing: How it works and how to prevent it from happening to you
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness