Joseph Steinberg, a cybersecurity expert on emerging tech, has been using web and videoconferencing for about 20 years. He did it during the days of dialup to cut back on travel.
So he wasn’t surprised when he noticed people telling horror stories of their videoconferences being interrupted by hackers. He wasn’t surprised when people reported hackers sharing pornographic images within work teleconferences.
“There’s always mischievous people,” he said.
But he was surprised that technologically smart people haven’t been so savvy about how they use Zoom and other videoconferencing apps.
Zoom has become a new staple of American life in the age of the coronavirus pandemic. Work meetings, virtual classroom education for all ages, fitness workouts, telehealth and social gatherings all appear on the teleconference app competing with Google Hangouts and Skype for viewer attention.
But a nefarious side has emerged with Zoom: a concept called “Zoom-bombing,” where hackers will crash their way into videoconference calls. Some even flood the app with disturbing images. This is happening across America. It’s happened for virtual Alcoholics Anonymous meetings in New York. It’s happened in Boston. It’s happened in workplaces and schools in California and Texas. It’s happening everywhere.
Zoom has acknowledged the problem, issuing a statement about the hackers. Zoom updated its privacy policy, too, due to customer concerns, on Sunday, March 29. The company has faced criticisms before about how easy its app is to hack.
“Like most other public forums, it’s possible to have a person (who may or may not be invited) disrupt an event that’s meant to bring people together,” the company said in a statement.
Zoom has released a set up of tips to help keep its users safe. The company offered tips on how to properly share your screen and how to manage the people within your chat. Zoom is raising awareness about how to properly use the app, even as more nefarious users try to hack into it.
New data from Check Point Research, a cybersecurity firm, found that 4% of the 1,700 new domain names (where people register their accounts) registered on Zoom since the beginning of the year contain suspicious characteristics. Outside of Zoom, malicious activity and hackers “have been spotted for every leading communication application,” according to Check Point.
And with people videoconferencing more than ever before — numbers from Comcast show video calls and calls in general have jumped 212% — the potential opportunities to be hacked have increased.
“Some people will take it seriously. Some people will take it seriously after it happens to them,” Steinberg said. “And until it happens to them, they won’t take it seriously. “
What hackers do
Trolls have entered into Zoom meetings to drop “disturbing imagery,” like pornographic material and “horrifying sexual videos,” TechCrunch reported. And there’s almost no stopping them. Hackers who are banned from meetings can return with a new name and ID. They can still share the not-safe-for-work content.
“It’s very likely that the victims experienced a ‘Zoom bomb,’” said Theresa Payton, the founder and CEO of Fortalice Solutions. “‘Zoom-bombing’ — think photobombing meets your zoom conference — is a real problem.”
Zoom allows anyone to share their screen at any time during the meeting, according to TechCrunch. However, people can disable this in the admin controls for each call in the settings category. But few know about it.
Hackers aren’t just invading work calls. Consider a recent classroom session at the University of Southern California. Zoom-bombers logged into online classes and slammed students with racist language, according to The Washington Post.
“We are sorry to report we learned today that some of our online Zoom classes were disrupted by people who used racist and vile language that interrupted lectures and learning,” said USC President Carol L. Folt in an email, according to The Washington Post. “We are deeply saddened that our students and faculty have had to witness such despicable acts.”
“Zoom-bombing” hit places of worship, too. According to the Religion News Service, members of a Sunday school young adults group at St. David’s Episcopal Church in Austin, Texas, started sharing biblical passages with each other before they were hacked.
“It was generally chaotic and impossible to stop,” Alex Merritt, one of the participants, told RNS. “It was a huge wake-up call for me because I’m an elementary public school teacher, and I don’t want the children in my class exposed to any of the pornographic images that trolls sent us.”
Such Zoom-bombings have prompted agencies across the country to take steps to warn people that this can happen and for experts to share what they hope Zoom users will do.
What’s being done
Major agencies across the United States are looking into the consequences of Zoom. The FBI office in Boston released a statement about the matter on Monday, saying it “has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language.”
The statement continued, “As individuals continue the transition to online lessons and meetings, the FBI office in Boston recommends exercising due diligence and caution in your cybersecurity efforts.”
The FBI office in Salt Lake City told the Deseret News in an email it has not seen “any incidents like that that we’re aware of in our area.” The office told the Deseret News that people should “practice cyber hygiene” by following the tips on the FBI website.
Meanwhile, New York’s Attorney General Letitia James has already started an investigation into Zoom over its data privacy and security practices, according to The New York Times.
James’ office sent a letter to Zoom asking if any new privacy and data policies have been put into place because of the increase in traffic.
According to The New York Times, the office says in its letter that it is “concerned that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network,” the letter said. “While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices.”
How to stay safe
Zoom recommends plenty of tips for how people can keep themselves safe from Zoom-bombing.
Some of those tips include not sharing your Zoom event anywhere public and to avoid using your personal meeting ID to host public events. You don’t want random people crashing your events that are meant to be personal.
And you can even set up a waiting room, where you can approve or deny people from entering your meeting.
“It’s almost like the velvet rope outside a nightclub, with you as the bouncer carefully monitoring who gets let in,” the company said.
You can also limit how many people can share their screen within your app. Head over to the settings before the meeting begins and enter the in-call admin settings. Hit share screen and advanced sharing settings to ban others from sharing their screen without permission.
But perhaps the easiest way to stay safe from hacking is adding a password to your Zoom meeting, said Steinberg, the cybersecurity expert.
“I never set up a meeting without a password or without some sort of code,” he said. “The reason people are having these problems is that they’re making these things publicly accessible.”
He added, “You’ve got to understand that it’s the equivalent of hosting an event in, you know, in a normal time, in a restaurant saying anybody who wants can come and posting it online. So if you want to avoid Zoom-bombing, you’ve got to password-protect the session. Period.”
There’s no need to panic about getting Zoom-bombed, Steinberg said. It’s still unlikely your meeting will be hacked.
“It’s just that when they go wrong, you’re not going to be happy about it,” he said. “It’s not hard to create a password. So you might as well do it.”