I was asked to talk about recent security concerns regarding the videoconferencing application Zoom and prepared the following. – John Brandt
Take a Deep Breath
The new term, ZoomBombing, was coined just a few weeks ago and the concern and social media rant about the security of the world’s most popular videoconferencing application has since, pardon the expression, gone viral.
My reaction to the news has been to slowly and carefully tell everyone who has asked to take a deep breath and try not to overreact.
Here’s what happened.
Someone reported on social media that during one of their Zoom Meetings someone “uninvited” came in and “took” over the room. Within minutes numerous other reports were made on other social media platforms, and within hours the term ZoomBombing was born. The term is an adaptation from the term PhotoBombing in which someone intentionally or unintentionally appears in one of your photographs. While that term appears to have its origins in the late 2000s, someone correctly stated in one description that photobombing has probably been around as long as photography.
Within days, concerns were raised by writers of technology news, as well as journalists that resulted in folks digging deeper. These sources soon found other “security issues” and on March 30th the FBI was making announcements and sending out warnings. Apparently, things were getting out of hand; emphasis “apparently.” Within a few more days editorials and articles with headlines like “‘Zoombombing’ Becomes a Dangerous Organized Effort” appeared in the New York Times.
Zoom Technologies Reacts
I’m reminded of the scene in the film, It’s a Wonderful Life, when there’s are run on the bank and one of the characters asks, “How does something like this happen…?” Jimmy Stewart’s character, George Bailey, gravely concerned that his fragile “Building and Loan” will teether as well, wisely replies, “How does anything like this ever happen…?”
How this security nightmare happened is not important. What is important is the response.
Let us remember that in early February 2020, Zoom was a widely popular videoconference platform deftly designed to allow businesses and organizations to communicate with their staff and employees in an open and easy-to-use desktop application. It was the digital/virtual equivalent of the office meeting room allowing folks at distance locations to “sit around the table” take turns discussing the topic, share slides and demonstrations on the office “whiteboard,” and even allow for side discussions and breakout rooms. The pricing was reasonable (including a free trial version) and Zoom had made sure it was accessible to people with disabilities including adding the capacity to offer live captioning by anyone in the room or by a professional CART transcriptionist. Thus, in the relatively short history of the company, Zoom had managed to beat out the competition and by December 2019 was serving up online meetings to approximately 10 million users.
Then, when Coronavirus COVID-19 hit America hard, and businesses, schools and organizations were forced to close their doors and move operations to kitchen tables and living room couches, this perfect virtual tool suddenly became the answer to everyone prayers.
And then things got interesting real fast.
According to Zoom Founder and CEO Eric Yuan, in March 2020, Zoom was serving up online meetings to 200 million participants each day including to over 90,000 schools in 20 countries. Within hours of the first reported ZoomBombing incident (on or about March 17th) there were tech articles published describing what had happened and telling folks what easy steps they could take to “secure” their Zoom meeting. The most obvious recommendation was to NOT publish the link to your Zoom meeting on social media. BTW, the first case of ZoomBombing appears to have happened to some people who were holding an online WFH Happy Hour which had been advertised widely on social media. But the buzz saw of social media probably facilitated hundreds of copycat bombings.
On March 20th Zoom published their first blog post to users addressing the issue and again instructing users how “protect” their meetings.
But the idea for ZoomBombing spread much faster than the advice on how to prevent it. Lots of false information was spread and hysteria followed.
Soon there were reports that whole institutions had shut down Zoom and at least one state’s IT department chose to block all traffic to Zoom on state-own devices.
This will all shake out and we will no doubt forget about it in a few weeks. But if you are going to be using Zoom, or ANY video conferencing platform to operate your business, teach/train or facilitate meetings, you need to do your homework and make sure you know how the system works and what you need to do to “stay safe, stay healthy.”
Here are five recommended actions:
- Learn how to check and change your account settings. Non-enterprise accounts were all recently locked down by Zoom to require passwords for all meetings and add a “waiting room” before participants can enter. If you have an enterprise account, you need to check with your IT folks. Note that some additional security features were recently added but you need to have the latest version of the Zoom client. Check to make sure you have the latest version.
- Use Passwords for all meetings/webinars. The need for the waiting room is probably overkill for most meeting but might be appropriate for webinars.
- Have a staff person who serves as a Producer. This is a person in the meeting whose only job is to make sure everything is working correctly and can address any problems that arise. Whoever schedules the meeting is automatically the Host of the meeting and only the Host can change the settings for the meeting room. Understand that many of these setting need to be made before the meeting starts. The Host can also assign someone else as the Alternative Host. Note that in Zoom Webinar, the Host has some special privileges that are needed to run the meeting. The Host can also control microphones and who can access the Share Screen functions.
- Avoid using Personal Meeting ID (PMI). This a special feature in Zoom where you can use the same meeting credentials for all your meetings. Zoom suggests using your office phone number as the meeting ID this way everyone attending knows what the login information will be. Don’t do this.
- Don’t have “open” meetings. As described, the first case of ZoomBombing was for an online office Happy Hour for employees working from home. The link to the Zoom Meeting was shared widely, it was literally an invitation for “party crashers.” Also don’t use the same Meeting ID and let Zoom chose a random number as the password.
Remember – Take a Deep Breath.
UPDATE: I learned of an additional security feature after I posted this article. There is a setting in both Zoom Meeting and Zoom Webinar that prevents any HTML code written into the Zoom Chat from being executed from the Chat. This “locking” feature blocks all code including malicious, executable code or links to “bad” websites. The posted links will still appear in the Chat (as text) and can be copied and pasted into your browser, but they cannot be executed from within Zoom. For the time being, it is probably wise to keep this security feature turned on and to discourage participants from posting links in the Chat. Any important links/resources can be provided to participants from another source such as a digital “handout” or from your website after they have been vetted.
For more information
How to Keep Uninvited Guests Out of Your Zoom Event
A Message to Our Users from Zoom CEO Eric Yuan