Many countries have introduced movement restrictions due to the pandemic, and many companies have sent their employees home to continue working remotely. This has made the Zoom video conferencing software a popular way to connect with colleagues, friends and family, and even to attend online fitness classes.
However, with the rise in popularity of Zoom, an attack called “Zoom bombing” is also becoming more common. Zoom bombing is when someone gains unauthorized access to a Zoom meeting, after which they can harass the meeting participants in various ways, or play pranks at their expense and post the footage later on social media.
The FBI has released guidance for Zoom users to help protect against Zoom bombing.
“The FBI has received multiple reports that the conferences were obstructed by pornographic and/or hate images and threatening messages,” the FBI warns.
First of all, it is important to consider the privacy implications when deciding to attend Zoom meetings.
One of the most important things to keep in mind is that a host can save a recording of the session, including video and audio, on their computer. So be careful about what you say or reveal if it is something you would not want anyone else to see or know. Meeting participants will know when the meeting is being recorded because the “Recording …” indicator will appear in the upper left corner.
It is also important to keep in mind that a user can download the chat conversations before leaving the meeting. These logs will only contain messages you could see, not other users' private messages.
As reported by The Intercept, Zoom does not have true end-to-end (E2E) encryption. This means that only communication between meeting attendees and Zoom servers is encrypted, while meeting information passing through the Zoom network is not. In theory, this means that someone employed by Zoom could monitor the traffic of a meeting and spy on it, but Zoom told The Intercept that there are safeguards preventing this.
“Zoom has layered security measures in place to protect the privacy of our users, which includes preventing anyone, including Zoom employees, from directly accessing any information shared by users during meetings, including, but not limited to, video, audio and content meetings. Importantly, Zoom does not extract user data or sell any user data.”
Now that you know the potential risks of using Zoom, before you schedule a meeting with friends or colleagues, you need to know what you can do to protect Zoom meetings.
When creating a new meeting, Zoom will automatically enable the “Require meeting password” setting and assign a six-digit password. This option should not be disabled, as doing so will allow anyone to access your meeting without your permission.
Zoom allows the host to enable a waiting room feature that prevents users from entering the meeting before the host admits them. This feature can be enabled while scheduling a meeting by opening the advanced settings, activating the “Enable waiting room” setting, and then clicking the “Save” button. When this is enabled, anyone who joins the meeting will be placed in the waiting room with a message saying, “Please wait, the meeting host will let you in soon.” The meeting host will be alerted when someone joins the meeting and can see those waiting by clicking on the “Manage participants” button in the toolbar. The host can then hover the mouse cursor over each waiting user and click “Admit” if that user should be in the meeting.
If you are prompted to update Zoom, do so. The latest Zoom updates enable meeting passwords by default and add protection against people looking for meeting IDs.
Because Zoom is so popular at the moment, cybercriminals will focus on it to find vulnerabilities. By installing the latest updates, you will be protected from vulnerabilities that have already been discovered.
Each Zoom user is assigned a permanent “Personal Meeting ID” (PMI) associated with their account. If you give your PMI to someone else, they will always be able to check whether a meeting is in progress and potentially join it if a password is not configured. Instead of sharing your PMI, create new meetings to share with participants as needed.
To prevent an attack on your meeting, you should prevent non-host participants from sharing their screen. If you are the host, this can be done by clicking the up arrow next to “Share Screen” in the toolbar and then clicking “Advanced Sharing Options”. When the “Advanced Sharing Options” screen opens, change the “Who Can Share?” setting to “Only Host”.
If everyone has joined your meeting and you are not inviting anyone else, lock the meeting so that no one else can join. To do this, click on the “Manage Participants” button in the Zoom toolbar and select the “More” option. Then select the “Lock Meeting” option.
If you take a picture of your meeting, then anyone who sees this picture will be able to see the associated meeting ID. This can be an invitation for other people to try to join the meeting.
For example, UK Prime Minister Boris Johnson posted on Twitter a picture of “the first digital cabinet ever” and included a meeting ID in the picture. This could have been used by attackers to gain unauthorized access to the meeting by manually joining with the displayed ID. Fortunately, the virtual cabinet meeting was password protected, but this shows why all meetings should have a password or at least a waiting room.
When creating Zoom meetings, you should never post a meeting link publicly. If you do this, search engines like Google will index the links and make them available to anyone who searches for them. Because the default setting in Zoom is to embed passwords in meeting links, anyone who has your Zoom link can Zoom-bomb your meeting.
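
A pre-publication check for the risk described above, as an added example that is not part of the original article: it scans draft text for Zoom join links, flags those that carry an embedded password, and returns a redacted copy. The `/j/<id>` path and `pwd` query parameter reflect the usual layout of Zoom join links; the function name and the sample draft are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Candidate URLs: anything on zoom.us or a subdomain (e.g. us02web.zoom.us).
URL_RE = re.compile(r"https?://(?:[\w-]+\.)*zoom\.us/[^\s<>\"')]+", re.IGNORECASE)
# Join links carry the numeric meeting ID after /j/ (or /wc/join/ for the web client).
JOIN_RE = re.compile(r"^/(?:j|wc/join)/(\d{9,11})/?$")


def audit_zoom_links(text):
    """Return (findings, redacted_text) for every Zoom join link in text.

    Hypothetical helper written for this example, not a Zoom API.
    """
    findings = []

    def redact(match):
        url = match.group(0).rstrip(".,;")      # drop sentence punctuation
        trailing = match.group(0)[len(url):]
        parts = urlsplit(url)
        join = JOIN_RE.match(parts.path)
        if not join:
            return match.group(0)               # not a join link (e.g. a help page)
        has_pwd = "pwd" in parse_qs(parts.query)
        findings.append({
            "meeting_id": join.group(1),
            "embedded_password": has_pwd,
            "risk": "anyone with the link can join" if has_pwd
                    else "meeting ID exposed; relies on password or waiting room",
        })
        return "[Zoom link removed: share privately]" + trailing

    return findings, URL_RE.sub(redact, text)


# Constructed sample draft of a public post (IDs and password are made up).
DRAFT = (
    "Join our class tonight: https://us02web.zoom.us/j/1234567890?pwd=QUJDREVGMTIz.\n"
    "Backup room: https://zoom.us/j/98765432101\n"
    "Help: https://zoom.us/support"
)

if __name__ == "__main__":
    found, clean = audit_zoom_links(DRAFT)
    for finding in found:
        print(finding)
    print(clean)
```

Running it on a draft before posting shows which links would hand out the meeting password and which expose only the meeting ID.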