On March 30, 2020, the FBI announced that it has received multiple reports of video-teleconferencing (VTC) hijacking attacks in recent weeks. The attacks target the VTC platform Zoom and involve unidentified individuals joining online meetings and disrupting them with pornographic and/or hate images and speech. This type of attack is being referred to as “Zoom-bombing.” On April 5, 2020, Zoom rolled out updates that address some of the platform’s issues, but these updates do not completely eliminate the risk of VTC hijacking attacks.
The FBI shared recommendations for strengthening VTC cybersecurity efforts and mitigating threats from hijackers. When setting up a Zoom meeting, the following steps can help keep uninvited attendees from entering the meeting. In other VTC platforms, similar options are often available.
- Make the meeting
private. This can be done either by requiring a meeting
password, or by using the waiting room feature so the host can
control who enters the meeting. As of April 5, 2020 these features
have been automatically enabled.
- Share meeting links
privately. Send meeting links to attendees individually
and never in a public forum like an unrestricted social media post.
Even after the April 5 updates, users who enter a Zoom meeting by
following a link will not need to enter a password, so keeping the
meeting link private remains important.
- Limit screen-sharing
options. Zoom allows the host to change screen-sharing to
“host only” so that if an uninvited individual gains
access to the meeting, they will be unable to share hateful or
pornographic images.
- Ensure all users install
software updates. In addition to the April 5, 2020
updates, the January 2020 version of Zoom added meeting passwords
as the default and disabled the function that allowed users to
randomly scan for meetings to join. In order to take advantage of
these new features, all users should have the most up-to-date
version of Zoom installed.
- Address both physical security and information security in your organization’s telework policy.
The FBI tracks these types of attacks. If you are a victim of a VTC hijacking, Zoom-bombing, or other cyber crime, report it to the FBI’s Internet Crime Complaint Center at ic3.gov. Specific threats, including any threats received from a VTC hijacker, should be reported at tips.fbi.gov or by calling your regional FBI field office. Find your regional FBI field office’s contact information on the FBI website.
Zoom is a widely used platform for hosting meetings and conferences during the COVID-19 pandemic, and users should be aware that use of Zoom may present other privacy and security issues. The Intercept recently reported that video calls placed using Zoom are not end-to-end encrypted, despite the fact that Zoom claims that they are. Additionally, the Zoom “Company Directory” feature automatically pools users who sign up using emails hosted by the same domain together, as if they all work for the same company. While this feature excludes common public domains like Gmail and Yahoo, this means that there may be thousands of users that have been grouped together without their knowledge, and as a result, those users may have access to each other’s names, email addresses, and profile photos, and be able to place video calls to others in the group despite having no direct relationship.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
