As the COVID-19 pandemic forced colleges across the nation, including the University of Indianapolis, to transition to remote learning for their spring semesters, video conferencing platforms like Zoom have become one of their primary methods of communication.
Zoom, however, has received several criticisms following a number of privacy and security issues being exposed, according to The New York Times. This includes a new online trolling tactic called “Zoom-bombing.”
Zoom-bombing is when somebody discovers the information of a meeting in progress joins the meeting for no other purpose other than to disrupt it, according to Senior Director of Network Systems and Security Matthew Wilson.
“All of a sudden, it was a word that became part of our vocabulary maybe two weeks ago,” Wilson said.
At UIndy, there have been at least two Zoom-bombing incidents that Wilson and UIndyIT have been made aware of, according to Wilson. In both incidents, it appears that the meeting details were possibly shared on social media. The uninvited guests then joined the meeting and shared their screens and audio with the participants in order to disrupt the meeting, he said.
Nationwide, the FBI has received multiple reports of video conferences being Zoom-bombed and disrupted by pornographic and/or hate images, along with threatening language, according to a March 30 press release from the FBI’s Boston Division.
Wilson said that while it is probably impossible to prevent Zoom-bombing entirely, UIndyIT is trying to provide faculty and staff with the tools they need to prevent it. Along with not posting the details of meetings on social media, there are several different settings within Zoom that users can use to secure their meetings. These features include using passwords for meetings and enabling the waiting room feature.
“The [waiting room] feature is probably the single most important feature that people should enable if you want to prevent Zoom-bombing,” Wilson said.
Zoom has also launched a feature that requires all new meetings to have a password, according to an email Wilson sent out to faculty and staff on April 14. The feature is designed to ensure that meeting IDs cannot be discovered using common hacking tools.
UIndyIT and the Faculty Academy enabled the feature on April 14 as the result of a FBI recommendation and in order to comply with the university’s regulatory obligations, according to Wilson’s email. The password will be included in the meeting’s URL and all invitees will have to do is click the link to access the meeting, according to Wilson’s email. Those who join via phone audio are not affected by this change.
Zoom has also come under fire for a number of issues that do not have to do with Zoom-bombing, according to Wilson. There have been privacy concerns related to Zoom’s cloud storage of videos and there was a vulnerability that was released with their Windows client that allowed someone to retrieve their password hash, a one-way encryption of a password.
Wilson said that these concerns have been brought up to him and that he shares them as well. While no platform is 100% secure, some of these concerns have already been addressed by Zoom, he said.
However, what is really important with Zoom is how the platform is responding to the security vulnerabilities, Wilson said. Zoom has been open and transparent and has stopped development on new features, instead focusing on the security vulnerabilities.
“They’ve released a new version of their application to address all of these vulnerabilities,” Wilson said. “In my opinion, they’re responding appropriately. They are simply the victim of becoming the most widely used and popular web conferencing platform of this epidemic.”
Wilson said that those who have concerns about Zoom’s privacy should contact him directly or submit an IT Help Desk ticket so he can try to address those concerns privately. If someone is the victim of Zoom-bombing, they should report it to UIndyIT so that they can understand what happened and to ensure that they are doing everything they can to prevent it.
In addition, UIndy IT and the Faculty Academy recommend that users enable waiting rooms, disable virtual backgrounds, and enable a setting that allows users to prevent participants from sharing their screens, according to an email Wilson sent to faculty and staff on April 2.
The FBI recommends that individuals use due diligence and caution in their cybersecurity efforts. In order to mitigate hijacking threats, users and organizations can use the following steps, according to the FBI.
- Do not make meetings or classrooms public. There are two options in Zoom to make a meeting private: require a meeting password or use the waiting room feature to control the admittance of guests.
- Do not share a link to a video conference or classroom on an unrestricted, publicly available social media post. Instead, provide the link directly to specific people.
- Manage screen-sharing options. In Zoom, change screen-sharing to “Host Only.”
- Ensure that users are using the most recently updated versions of remote access/meeting applications.
- Ensure that your organization or company’s telework policy or guide addresses requirements for physical and information security.
If anyone is the victim of Zoom-bombing, teleconference hijacking or other cyber-crimes, they should report it to the FBI’s Internet Crime Complaint Center, according to an FBI press release. If anyone receives a specific threat during a teleconference, they should report it to the FBI at tips.fbi.gov.