On April 15, 2020

How to prevent ‘zoom-bombing’ in your next videoconference

As the U.S. COVID-19 health crisis continues, many businesses, organizations, and schools are adapting to temporary telework arrangements. The Better Business Bureau (BBB) warns video conference app users of recent “Zoom-bombing” incidents, in which hijackers infiltrate a Zoom session.

Zoom’s founder and CEO Eric Yuan said in a blog post Wednesday, April 1, that the company went from 10 million daily users in December to more than 200 million in March. He said the platform was meant for corporate users with their own IT departments.

“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” he wrote. The company is halting work on features for 90 days to focus on security fixes as hackers crash video chats and harass users, a trolling technique known as Zoombombing.

BBB offers the following information and tips to prevent video hijacking.

How Zoom-bombing works

Video hijacking attempts occur when conferences are hosted on public channels shared over the internet via URLs, making them accessible to anyone. Hijackers can sometimes guess the correct URL or meeting ID for a public Zoom session, giving them access to the feed.

According to the FBI, there have been two incidents of Zoom hijacking in Massachusetts. The first occurred during an online class held over Zoom: unknown individual(s) dialed into the classroom, shouting profanity and the teacher’s home address. In the second, an individual visible on camera began displaying swastika tattoos.

Trent Lo, a security professional and founder of SecKC, Kansas City’s longest-running monthly security meetup, tested and exposed Zoom’s security issues. He found that the only meetings protected from Zoom Meeting ID auto-dialers are those that have a password set.

You can also enable the option “Embed password in meeting link for one-click join.” This keeps uninvited users out of your meeting without giving up the convenience of sharing a single link to join.

For users organizing public group meetings, BBB strongly encourages hosts to review their settings and confirm that only they can share their screen. This will prevent any outside disruption from the main video feed on a public session.

Users also need to be careful of cybercriminals who impersonate video conferencing sites like Zoom with the goal of stealing personal information. Learn more about the meeting settings and in-meeting actions you can use to prevent Zoom-bombing.

BBB offers the following tips to prevent video hijacking:

Use a unique ID for large or public Zoom calls

When you create a Zoom account, the app assigns users a Personal Meeting ID (PMI). When hosting a large Zoom call where members of the public are attending, it’s better to use a one-time code rather than a user’s PMI. If not, hijackers can use the PMI to try and jump in on your Zoom calls at any time.

Require a meeting password

For those hosting private meetings, password protections are on by default. Keep those protections on to prevent uninvited users from joining. A password is only an option when you generate a unique ID, not when you use your PMI.

Don’t share the unique ID publicly

Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific meeting attendees.

Allow only hosts to share their screen

Don’t let anyone hijack the screen during a Zoom call. To prevent it, make sure your settings indicate that the only people allowed to share their screens are hosts. Navigate to Personal > Settings > In Meeting (Basic) and look for Screen sharing. Check the option that only allows the host to share.

Create a waiting room

When participants log into the call, they see a Waiting Room screen that you can customize. They aren’t let into the call until you, the host, let them in. Hosts can admit people all at once or one at a time. This lets you screen the attendees, and if you see names you don’t recognize in the Waiting Room, you don’t have to let them in at all. More instructions for enabling Waiting Room here.

Create an invite-only meeting

If you have Pro, Business, Education, or Enterprise Zoom accounts, enable “Authentication Profiles” settings, so anyone who tries to join your meeting without proper authorization will see a notification on their screen telling them that the video conference is for authorized attendees only.

Lock a meeting once it starts

If you start a meeting and all attendees have joined, hosts can lock the meeting from new participants. During the session, navigate to the bottom of the screen and click Manage Participants. The Participants panel will open. At the bottom, choose More > Lock Meeting.

Remove attendees or put them on hold

Hosts can kick unruly attendees out of a call or put them on hold. To remove an attendee, hover over the name of the person you want to remove on the Participants panel on the right. When options appear, choose Remove. By default, an ousted guest cannot rejoin.

To put the guest on hold: During the call, find the video thumbnail of the person you want to put on hold. Click on their video image and select Start Attendee On Hold. Hosts can reverse this action by clicking Take Off Hold in the Participants panel.

Disable the participant’s camera

Hosts can turn off any participant’s camera by opening the Participants panel and clicking on the video camera icon next to the person’s name.

Keep Disable File Transfer settings active

Keep the default Disable File Transfer setting on to stop participants from sharing files, including images and animated GIFs, within the chat. Open Settings in the Zoom web app (it’s not in the desktop app). On the left side, go to Personal > Settings. Then click In Meeting (Basic). Scroll down until you see File Transfer and slide the toggle to disable.
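For hosts who manage many meetings, the pre-meeting tips above can be checked automatically. The following is an added example, not code from BBB or Zoom: it audits a meeting description against the checklist, and every key name (`uses_pmi`, `who_can_share_screen`, and so on) and both sample meetings are assumptions constructed for illustration, not Zoom's API schema.

```python
from typing import NamedTuple

class Finding(NamedTuple):
    tip: str      # heading of the BBB tip that is not being followed
    detail: str   # what was wrong in the meeting description

# Plans for which the article says "Authentication Profiles" are available.
PAID_PLANS = {"pro", "business", "education", "enterprise"}

def audit_meeting(m: dict) -> list:
    """Check a meeting description (hypothetical keys) against the tips.
    A missing key is treated as the unsafe value, so gaps get reported."""
    out = []
    if m.get("public") and m.get("uses_pmi", True):
        out.append(Finding("Use a unique ID", "public meeting uses the host's PMI"))
    if not m.get("password"):
        out.append(Finding("Require a meeting password", "no password set"))
    if m.get("link_posted_publicly", True):
        out.append(Finding("Don't share the unique ID publicly",
                           "link is on an unrestricted public post"))
    if m.get("who_can_share_screen", "all") != "host":
        out.append(Finding("Allow only hosts to share their screen",
                           "participants can share their screen"))
    if not m.get("waiting_room", False):
        out.append(Finding("Create a waiting room", "waiting room is off"))
    if m.get("plan", "").lower() in PAID_PLANS and not m.get("authenticated_only"):
        out.append(Finding("Create an invite-only meeting",
                           "authentication profile not enabled"))
    if m.get("file_transfer_enabled", True):
        out.append(Finding("Keep Disable File Transfer settings active",
                           "in-chat file transfer is enabled"))
    return out

# Constructed sample meetings (not real data).
WEAK_MEETING = {"public": True, "uses_pmi": True, "password": "",
                "link_posted_publicly": True, "who_can_share_screen": "all",
                "waiting_room": False, "plan": "pro",
                "authenticated_only": False, "file_transfer_enabled": True}
HARDENED_MEETING = {"public": True, "uses_pmi": False,
                    "password": "constructed-passcode",
                    "link_posted_publicly": False, "who_can_share_screen": "host",
                    "waiting_room": True, "plan": "pro",
                    "authenticated_only": True, "file_transfer_enabled": False}

if __name__ == "__main__":
    for f in audit_meeting(WEAK_MEETING):
        print(f"[!] {f.tip}: {f.detail}")
```

The in-meeting actions (locking the meeting, removing attendees, disabling cameras) are taken live by the host and are not covered by this pre-meeting check.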
