Once people began using Zoom more frequently to collaborate remotely, it was just a matter of time before their conversations would be hijacked in a phenomenon known as Zoom bombing.
Schools, churches, and local governments around the country have all reported getting Zoom bombed, some with racist taunts, profanities or porn. The Boston office of the Federal Bureau of Investigation “has received multiple reports of conferences being disrupted by pornographic and/or hate images, and threatening language,” the FBI said in a statement Monday. In one case, a Massachusetts high school teacher’s class was interrupted by someone who “yelled a profanity and then shouted the teacher’s home address in the middle of instruction,” according to the FBI.
The LA Times reported that the University of Southern California and school districts have been getting Zoom-bombed with racist taunts and porn as they transition to online meetings.
In related news, a lawsuit was filed Monday in California Federal Court by Robert Cullen of Sacramento, asking a judge to declare Zoom’s practices of sharing information with Facebook illegal and seeking damages from the company, according to the New York Post. Neither Zoom nor Facebook immediately responded to the Post’s requests for comment on the suit, the Post said.
Also Monday, New York Attorney General Letitia James sent a letter to Zoom to ask what, if any, new security measures have been put in place to handle the skyrocketing traffic on its platform, according to The New York Times. The AG’s letter reportedly said Zoom has been slow to address security vulnerabilities, the Times said.
Zoom bombing is an emerging trend where attackers find publicly posted Zoom invite links, then join them to screenshare pornography or other inappropriate content, said Paul Bischoff, a privacy advocate with Comparitech, a pro-consumer website that provides information on tech services.
“Zoom’s biggest advantage and its greatest weakness is in how its invite system works,” he said, because hosts can send invites as links or give out meeting IDs. “Although this makes it really easy for new users to jump in and start conferencing, it also creates opportunities for cybercriminals. An attacker could create a malicious invite link and trick Zoom users into clicking on it, leading to a phishing page or malware download.”
If legitimate invites or meeting IDs are leaked, attackers could find them and join video conferences to spy or just cause trouble, Bischoff said.
Rahul Telang, a professor of information systems at Carnegie Mellon University’s Heinz College, said he’s not sure there’s anything Zoom can do about the issue. “The onus is on the meeting organizer to ensure the link isn’t widely distributed,” he said, since they have jurisdiction over who can join. But in a public meeting, there isn’t a good way to control that.
“If someone invites a guest in, it’s hard to control that,” Telang said, adding that he is discussing Zoom bombing with students in his information security class right now. He hasn’t personally experienced any Zoom bombing, he said, and noted that students are authenticated by the university before they can click on the link to join his class.
Still, Telang said he has close to 40 students and “there’s no way for me to know if they are supposed to be there, [but] I think no one would join unless they’re interested in the content.”
He suggested that authentication be made tighter and that meeting organizers take advantage of Zoom’s smaller meeting spaces to split up large meetings. But he admits, “I don’t know how many people will do that.”
Bischoff recommends that hosts who post links to Zoom conferences in public places rethink their strategy. “Participants should be verified with a password, or limit participants to a particular email domain–both features that come built into Zoom,” he said.
Aside from Zoom bombing issues, “Zoom is fairly secure and gives hosts pretty granular control over who can join conference calls,” Bischoff added. “All video data is encrypted end-to-end so it can’t be intercepted and viewed by third parties.”