
Current Situation: Due to the ongoing COVID-19 national emergency, a large number of businesses, schools, and government entities are using video teleconferencing platforms to conduct meetings in order to provide continuity for business and learning. When these services are used with poor security practices, malicious actors hijack the meetings, a practice now dubbed “Zoom bombing”. The meeting is disrupted and supplanted with derogatory pictures containing objectionable content, including pornography, and some individuals disguise themselves and use profanity and hate-speech language. These hijackings occur because meeting information is made available to anyone through postings on websites and social media platforms. In some instances, though a meeting identification number was not made public, enterprising malicious actors tried random number combinations and gained access to a meeting.

To clarify, hijacking a meeting by “Zoom bombing” is not a result of hacking.

Background: Zoom, a highly popular video teleconferencing service, is currently experiencing a dramatic increase in usage, both by entities collaborating for official purposes and by individuals using the service to conduct video chats with friends and family to remain in contact while practicing social distancing. Because of its prevalence, along with the numerous news media reports of hijackings, the action was dubbed “Zoom bombing”.

Best Practices: The following are some of the best practices for minimizing chances of a meeting hijack. Each service offers guidance for securing a session.

  • Do not share meeting invitations in public forums found on social media or published on websites.
  • If the service offers a waiting room feature, utilize this to vet who is allowed access to the meeting.
  • Limit the number of attendees allowed in a meeting.
  • Manage screen sharing through a host. This will prevent someone from randomly taking over what is shown on the screen.
  • Password protect meeting access.
  • Ensure users are using the current version of the software.

NYSIC CAU Analyst Note: The news media is using the word hacker to describe perpetrators of these types of incidents. This is not accurate. When the available ways to secure a video teleconference meeting are not used, anyone can gain access. On March 30, 2020, a small town in Upstate New York experienced a “Zoom bombing” involving a high-tech racist rant and flashed screenshots of hate group websites and Facebook pages. Initially, the meeting did not require a password to participate. Officials terminated the meeting, and upon resumption a password was required for access.