Since the Coronavirus pandemic has much of the world sheltering in place, thousands of small businesses and companies are using popular videoconferencing services like Zoom. Unfortunately, as the popularity of Zoom has grown sharply, attacks called “Zoom-bombing” have grown at a commensurate rate.
Zoom-bombing involves unauthorized parties gaining access to your Zoom meetings to harass and create chaos. They may play porn or depictions of violence. They may record the entire incident for a prank they’ll show on social media.
How are these attacks executed? What can you do to keep your meetings safe?
How did they get your number?
Conference calls on Zoom are each assigned a Meeting ID made up of 9 to 11 numbers. For hackers to unearth meeting numbers in Zoom to find current or upcoming meetings isn’t a challenge.
Automated tools make harvesting these meeting numbers incredibly easy. Since a startling number of organizations don’t password-protect their meetings, automated tools like zWarDial can find them. They’re used by hackers looking to Zoom-bomb the business dealings of anyone meeting on Zoom, from small businesses to major corporations.
If it seems like such methods of infiltration emerged quickly, they really didn’t. Last summer, security specialists at Check Point Research found they could predict as much as four percent of randomly generated meeting IDs. The only thing that could prevent them from harvesting a meeting ID?
Password protection.
Incidents of Zoom-bombing have gone through the roof over the last few weeks. Does that mean a good number of Zoom users disabled passwords by default? Maybe. It could also mean that the security features offered by Zoom aren’t set to offer maximum protection.
Zoom says that it’s enabled passwords by default for its scheduled meetings. They also claim to block repeated attempts to scan for meeting IDs. Zoom also says that it doesn’t automatically specify whether a Meeting ID is valid or not.
The Zoom meetings of some of the world’s largest corporations revealed
zWarDial was developed by members of a monthly Kansas City security meetup, SecKC. The name comes from the old war-dialing programs that dialed random or sequential numbers within known telephone prefixes to find computer modems. zWarDial gets around Zoom’s attempts to block automated scans for meetings by routing searches through different proxies. Tor, open-source software that allows anonymous web browsing, works perfectly for this.
Trent Lo, security expert and co-founder of SecKC, points out that while Zoom claimed it was blocking such practices, he was able to use a different URL passed along with a cookie on the back end to make it work. He explained that he was able to access the Zoom meeting room information without logging in.
Running a single instance of zWarDial can reveal around 100 meetings in a given hour. If multiple instances of the tool run, they could likely unearth most of the open meetings on Zoom on a given day. And for each random meeting number it tries, there’s a 14% chance it will find an open meeting. If there’s no password protecting it, the meeting can then be broken into.
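The detection side of what the previous paragraphs describe, as an added example that is not part of the original article or of zWarDial: a scanner that rotates exits through Tor shows up as many low-volume source IPs, so a per-IP rate limit misses it, while counting distinct meeting IDs probed per session cookie still catches it. The log format, the `sess=` cookie field and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample log (not real Zoom logs): one line per meeting-ID lookup
# with the source IP, a session cookie and whether the ID resolved to a meeting.
SAMPLE_LOG = """\
2020-04-02T10:00:01Z 203.0.113.5 sess=abc123 meeting_id=123456789 result=invalid
2020-04-02T10:00:02Z 203.0.113.5 sess=abc123 meeting_id=123456790 result=invalid
2020-04-02T10:00:03Z 198.51.100.7 sess=abc123 meeting_id=123456791 result=valid
2020-04-02T10:00:04Z 198.51.100.8 sess=abc123 meeting_id=123456792 result=invalid
2020-04-02T10:00:05Z 192.0.2.9 sess=abc123 meeting_id=123456793 result=invalid
2020-04-02T10:00:06Z 192.0.2.10 sess=abc123 meeting_id=123456794 result=invalid
2020-04-02T10:00:07Z 203.0.113.50 sess=user77 meeting_id=987654321 result=valid
2020-04-02T10:00:08Z 203.0.113.50 sess=user77 meeting_id=987654321 result=valid
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sess=(?P<sess>\S+) "
    r"meeting_id=(?P<mid>\d+) result=(?P<result>valid|invalid)$"
)


def parse(log_text):
    """Parse the constructed log lines into dicts; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_scanners(events, min_distinct_ids=5):
    """Flag sessions that probe many distinct meeting IDs.

    Keyed on the session cookie, not the source IP: with proxy rotation each
    IP makes only one or two requests, but the session stays busy. Returns
    {session: {"ids": distinct IDs probed, "ips": distinct IPs seen}}.
    """
    ids, ips = defaultdict(set), defaultdict(set)
    for ev in events:
        ids[ev["sess"]].add(ev["mid"])
        ips[ev["sess"]].add(ev["ip"])
    return {
        s: {"ids": len(ids[s]), "ips": len(ips[s])}
        for s in ids if len(ids[s]) >= min_distinct_ids
    }
```

In the sample, no single IP makes more than two requests, yet the `abc123` session is flagged for probing six different IDs from five IPs.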
The results of a single day of scanning with zWarDial turned up around 2,400 upcoming or recurring meetings on Zoom. The information harvested from the scans would often include the link for joining the meeting along with its date and time. Often the name of the meeting’s organizer and details about the meeting were also included.
The scary part? They were able to find details about the Zoom meetings set for major banks, investment firms, government contractors, tech companies, and more. While they didn’t reveal any of the companies or organizations they found, they were able to verify many of them by matching meeting organizer names with company profiles on LinkedIn.
The security risks posed by Zoom-bombing
On March 30, 2020, the FBI advised Zoom users to properly secure their browsers from Zoom-bomb attacks.
The alert stated that the FBI had received several reports of Zoom conferences being “disrupted by pornographic and/or hate images and threatening language.”
It’s important to understand the risk of holding Zoom meetings.
Zoom sessions can be recorded by a host, audio and video, to their computer. That means anything revealed in the meeting could potentially be seen by anyone. If the session is recorded, participants will be notified by a “Recording…” notification in the upper left of the meeting display.
Meeting users can also download chat logs to their device before exiting the meeting. The logs will only include the messages you can see. Private chats between others won’t be included.
There have also been reports that true end-to-end encryption (E2E) doesn’t exist between the endpoints of Zoom users. That means that while the connection between each participant and Zoom’s servers is encrypted, the meeting content itself is not protected once it reaches those servers. What does that mean for you? It means that a Zoom employee could potentially monitor the traffic of a meeting.
Zoom maintains that there are safeguards in place to keep this from happening.
How to protect your Zoom meetings
What can you do to protect your meetings from Zoom-bombing? The following Zoom features can help you secure your Zoom meetings and help keep them free from attack.
Screen sharing
You need to manage your screen, particularly if your event is public. You can handle this before the meeting or while it’s in progress using the host control bar settings.
You can keep meeting participants from screen sharing during a meeting. This can be accomplished using the host controls at the bottom. You can click on the arrow beside “Share Screen” and select “Advanced Sharing Options”. Find “Who can share?” and select “Only Host.” You can also prevent screen sharing by default for all your meetings by setting this in your web settings.
Meeting participant management
There are multiple ways to manage users in your meetings.
- Signed-in users only: By allowing only logged in Zoom users, you keep a lot of unwanted users out of your meeting. Those who aren’t invited will be turned away.
- Lock your meeting: Once the meeting has begun, you can lock it so no new participants can come in. The lock works even if the user has the meeting ID and, where one is required, the password. Locking the meeting is as easy as clicking on “Participants” at the bottom of the meeting window. On the pop-up menu, click on “Lock Meeting.”
- Remove problem participants or the uninvited: You can use the “Participant” menu at any time to remove someone not invited from your meeting. Hover over the participant in question and you’ll be given options including “Remove.”
- Let removed participants rejoin: Once a participant in your meeting is removed, they can’t return to the meeting without your intervention. This is especially helpful if you accidentally remove the wrong person, which is an easy mistake to make.
- Two-factor authentication: You can generate a random Meeting ID to schedule your event and require a password for participation. Doing this instead of sharing your regular meeting link adds a strong layer of protection. The generated Meeting ID can be shared via public platforms, while the password is only sent by direct message to those you invited.
- Video disabling: The meeting host can turn off any participant’s video which is useful to block inappropriate and unwanted video messages or disruptions.
- Disable file transfer: There’s an in-meeting file transfer utility that lets participants share files via in-meeting chat. By turning this feature off, you can keep unwanted content off your meeting chat.
- Disable annotation: The annotation feature allows you and your meeting participants to draw and make notes on the content during the meeting with screen share. By disabling the annotation feature in your meeting, you can keep unwanted notes or doodles out of your meetings.
- Putting participants on hold: There’s a feature that allows you to place any participant temporarily on hold, including their audio connection and video. This can be accomplished by clicking on a user’s thumbnail and selecting “Start Attendee On Hold.” They stay on hold until you take them off it.
- Muting participants: The mute feature lets the meeting host mute and unmute any participant or everyone simultaneously. The feature is handy in allowing you to block unwanted behavior or content from reaching other participants and disrupting your meeting. There’s also an option for “Mute Upon Entry” in settings so you can prevent disruption and noise from your meeting entirely.
- Turn off private chat: Zoom’s chat features allow not only in-meeting chat but also private chats between meeting participants. You can allow this in your meeting or you can restrict meeting participants’ ability to chat.
Waiting rooms
When it comes to public events on Zoom, the Waiting Room feature is highly useful. The waiting room offers a virtual gathering point for your guests until you’re ready to begin your meeting. It also provides you a way to screen who is allowed into your meeting and offers an additional line of defense.
The waiting room is also customizable for the host for even more control. The message people see upon arrival can be customized to say whatever you like.
Additional tips
- Use the latest version of Zoom client: When you are prompted to update your Zoom software, do it. The latest updates contain updated security measures and fixes for identified security risks.
- Don’t post images from your meetings: Screenshots from your Zoom meeting will show the meeting ID. If this happens during the meeting or if this is a recurring event, it could compromise your efforts.
- Beware of malware: Since the pandemic began, Zoom-themed malware, scams, and related attacks have increased substantially. To protect yourself, only download the Zoom client from the verified Zoom site.
Need help with remote meetings or managing a remote workforce? Applied Innovations can help. Our experienced team helps companies every day with comprehensive IT solutions. For more on how we can help you and your team work remotely, contact us today!