More than 200 million people participated in Zoom virtual meetings in March 2020 — and some of them were unwitting witnesses to Zoom-bombing. Find out what Zoom-bombing is and how to prevent it from happening to your meetings.
Zoom-bombing — it happened to high school teachers in Massachusetts, city commissioners in Michigan, a CEO in California, and many other people who were using Zoom to hold virtual meetings for work. And it could happen to you if you do not take some steps to prevent it.
Trolling for Trouble
In Zoom-bombing, intruders crash Zoom virtual meetings, after which they display hate or pornographic images and use threatening language. It is considered a form of trolling because they are deliberately trying to cause trouble by disrupting the meeting and offending its participants. Because the trollers often get into the Zoom meetings using meeting IDs that are publicly available either intentionally or inadvertently, Zoom-bombing is typically not considered hacking. Nevertheless, it still caught the attention of the US Federal Bureau of Investigation (FBI). Due to its prevalence, the FBI issued a news release warning the public about Zoom-bombing.
The US Attorney’s Office for the Eastern District of Michigan also issued a news release with a warning. But this warning was for the trollers rather than the public. “If you interfere with a teleconference or public meeting in Michigan, you could have federal, state, or local law enforcement knocking at your door,” stated Matthew Schneider, the US Attorney for Eastern Michigan.
Why Zoom Meetings Are Being Targeted
So why are Zoom meetings being targeted but not the meetings run on other virtual meeting platforms? Zoom became the trollers’ platform of choice for several reasons. For starters, Zoom saw a dramatic increase in usage, largely due to the lockdowns prompted by the Coronavirus Disease 2019 (COVID-19) pandemic. In December 2019, Zoom had a daily average of 10 million meeting participants. In March 2020, that number jumped to 200 million, according to Eric Yuan, Zoom’s founder and CEO.
As the number of Zoom users increased, so did the likelihood that trollers would find their personal meeting IDs, especially the ones that were inadvertently exposed through posted screenshots of virtual meetings. Up until mid-April 2020, when someone signed up for a Zoom account, they were assigned a personal meeting ID. Anytime the person scheduled a Zoom meeting, the app automatically used that meeting ID by default. People invited to the meeting would then enter the ID to join the meeting — and during the meeting, the ID was displayed in the app’s title bar. As a result, Zoom users sometimes ended up exposing their meeting IDs without realizing it when they posted screenshots of their virtual meetings on social media sites.
Perhaps the most famous case of this occurred when UK Prime Minister Boris Johnson inadvertently revealed the meeting ID for a virtual UK Cabinet meeting when he tweeted a screenshot of the event. While there was concern that people would use the meeting ID to join the next UK Cabinet meeting, all attempts failed because the meeting ID had been password protected.
While the UK Cabinet meeting ID had been password protected, many meeting IDs exposed on the Internet are not. That’s why trollers have been able to Zoom-bomb so many virtual meetings.
One reason many meeting IDs were not protected with passwords in the past is that the password option was disabled by default, like many of the other Zoom security features. And the various security features were hard to find because they were hidden in different locations. “We recognize that various security settings in the Zoom client, while extremely useful, were also extremely scattered,” admitted Zoom rep Deepthi Jayarajan.
Fortunately, Zoom made numerous security-related changes to its app through a series of updates in April 2020. For example, the app now automatically generates a unique ID and a unique password for each meeting by default. This is more secure than using the same meeting ID with no password for every meeting. Although not recommended, users have the option of going back to using their personal meeting IDs for all meetings (with or without a password) if desired.
Other notable changes in the Zoom app include the removal of meeting IDs from the title bar and the addition of the new “Security” button in the task bar. The latter lets users quickly access many in-meeting security features. Plus, the Zoom app now supports 256-bit AES encryption. On May 30, 2020, Zoom will start using this encryption standard systemwide.
How to Protect Your Meetings
If you use Zoom, you can take several precautions to make sure your meetings are not Zoom-bombed:
- Upgrade to Zoom 5.0 so your meetings will be more secure. It is best to upgrade before May 30, 2020, because only people using Zoom 5.0 or later will be able to join Zoom meetings once 256-bit AES encryption is in use.
- Keep the default option of having Zoom 5.0 randomly generate a unique meeting ID and a unique password for each meeting. That way, people will need both the meeting ID and password to enter, which is essentially two-step verification.
- Take the time to become familiar with Zoom 5.0’s security features, which are accessible through the “Security” button and your profile settings. For example, you will find that you can prevent new participants from joining a meeting by enabling the “Lock Meeting” option.
- Do not share links to meetings in publicly available social media posts.