Zoom-Bombing, VTC Hijacking and Privacy
Social distancing guidelines brought about as a result of the Coronavirus (COVID-19) have led to a boom in Video Teleconferencing (VTC) usage. Faced with isolation from family, friends, classmates and teachers, millions are turning their webcams on and logging in.
There are many platforms available to keep in touch. Currently, Zoom has emerged as one of the top VTC solutions. The tool boasts over 200 million daily users currently. For the average person using Zoom to chat with friends or have a quick call with a co-worker, privacy might not be top-of-mind. If the topic of a Zoom conversation is more sensitive, then the host and participants should consider the privacy and other elements of the meeting. Tips provided by Zoom include setting a meeting password and controlling who can share their screen, among others.
The FBI and many media outlets have pointed to areas that can be exploited in Zoom. Like the early days of chatrooms, Zoom sessions can attract people looking to troll, shock and spread hateful messages. These attempts are not technically hacks, as they result from improper settings. The term for crashing uninvited into a Zoom meeting is “Zoom Bombing.”
Examples of Zoom Bombing incidents abound. The FBI Field Office in Boston has detailed several incidents in which classes being held online were disrupted. Religious services have been interrupted by slurs.
Another tool in the Zoom-disrupter playbook could be automated tools to access meetings. Researchers created the ominously named War Dialer, which runs through meeting parameters to gain access.
The question of the encryption of the meetings has come up as a talking point. While it is true that Zoom does not offer 100% encryption at all levels of the end-to-end communication process, it does have a number of encryption techniques in use. Each organization that decides to use Zoom has its own risk tolerance based on what information must be confidential and what does not necessarily need to be kept confidential. Cipher recommends that you review Zoom’s post on what is and isn’t encrypted in order to make an informed decision in this regard.
Past Privacy Issues Fixed
Zoom has been active in responding to new privacy issues that arise. The company is undergoing the ultimate stress-test, with millions flocking to the tool as a lifeline to social and professional connection. Zoom has stated they are dedicating the next 90 days to focus on privacy and security.
In the past, the iOS app sent analytics data to Facebook. This privacy issue was identified and fixed. Another past issue involved a feature-turned-vulnerability: accounts that share the same email domain are linked together. For companies, this might make Zoom invites more convenient, since linked users can see each other’s pictures and start video chats. Zoom excluded the popular free email providers from this feature, but some smaller personal email domains were not excluded. People with a personal email address on such a domain were therefore exposed to every other customer of the same email provider.
Privacy vs. Ease of Use
Zoom is being used at the heights of government. The British Prime Minister tweeted a photo of his cabinet meeting using Zoom. This came days after the Ministry of Defence banned usage of the tool over security concerns. The situation exemplifies the trade-off between security and ease of use.
Recommendations to Keep Secure
Hackers are going to exploit what is popular in society. Zoom is currently in the spotlight, which has led to a boom in criminals using anything themed as “Zoom” for phishing or scams. Thousands of domain names containing “Zoom” have been registered to be used as a launching point for attacks (e.g. yourcompany-zoom.com). This is similar to traditional typo-squatting techniques.
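As an added example (not from the original article), the following Python triage flags Zoom-themed look-alike hostnames of the yourcompany-zoom.com kind described above, for use over a DNS or proxy log. The allowlist of legitimate Zoom domains, the homoglyph map and the sample hostnames are assumptions and constructed data, not indicators from the article.

```python
# Legitimate Zoom domains (assumption: zoom.us is Zoom's primary domain;
# extend this allowlist to match what your organization has verified).
LEGIT_ZOOM_DOMAINS = {"zoom.us", "zoom.com"}

# Digit-for-letter substitutions commonly seen in look-alike names
# (assumed list; e.g. "zo0m" -> "zoom").
HOMOGLYPHS = str.maketrans({"0": "o", "2": "z"})


def registrable_domain(host: str) -> str:
    """Return the last two labels, e.g. 'us04web.zoom.us' -> 'zoom.us'.
    Simplified: does not handle multi-part public suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_zoom_lookalike(host: str) -> bool:
    """True if the hostname evokes 'zoom' but is not under a legitimate
    Zoom domain. Token matching is deliberately coarse; review hits manually."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in LEGIT_ZOOM_DOMAINS:
        return False
    return "zoom" in host.translate(HOMOGLYPHS)


def triage(hosts):
    """Split observed hostnames into (suspicious, benign) lists."""
    suspicious = [h for h in hosts if is_zoom_lookalike(h)]
    benign = [h for h in hosts if not is_zoom_lookalike(h)]
    return suspicious, benign


# Constructed sample hostnames, as might appear in a DNS log; not real IoCs.
SAMPLE_HOSTS = [
    "us04web.zoom.us",       # legitimate Zoom subdomain
    "yourcompany-zoom.com",  # the article's example pattern
    "zoom-us.com",           # hyphenated look-alike
    "zo0m.us",               # digit-for-letter homoglyph
    "example.com",           # unrelated traffic
]

if __name__ == "__main__":
    bad, ok = triage(SAMPLE_HOSTS)
    print("suspicious:", bad)
    print("benign:", ok)
```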
The FBI and others have recommended some ways to stay secure:
- Ensure meetings are private, either by requiring a password for entry or controlling guest access from a waiting room. This stops people from re-entering meetings after being kicked out.
- Make sure your meeting software is patched. This is critical. Zoom and others will release patches as vulnerabilities are mitigated.
- Do not post your Zoom links on social media or online, unless you are OK with the possibility of Zoom Bombing.