As the coronavirus continues to spread, so does the use of video-conferencing software Zoom. People across the country have used the app to connect "face to face" while adhering to social distancing guidelines. Company meetings, school lessons, exercise classes, church sermons, and even casual conversations have all been conducted via Zoom, making remote work easier and self-isolation more bearable.
But Zoom's surge in popularity hasn't been exactly smooth.
As more and more people began utilizing Zoom, the software's security issues became increasingly apparent. The term "Zoombombing" has made headlines over the past month as users have reported disruptions to their video conference calls by an uninvited user. A good portion of these intrusions has included pornographic or hateful content, prompting some to suspend their use altogether. But before you delete the app, here's a breakdown of the security risks plaguing Zoom as well as the way you and others can reduce their chances of being targeted.
What Is Zoombombing?
Zoombombing, aka "Zoomraiding," occurs when an unwanted individual joins a chat/conference session by simply clicking on a link to a public Zoom event. Most of these calls are not protected by passwords, which means anyone who comes across a public meeting ID has the ability to crash the call. Many intruders do a quick search on social media for "Zoom.us" and begin collecting the URL links. Once the troll has entered the session, he/she is able to harass the users with offensive messaging and imagery. This is particularly concerning when Zoombombing interrupts work meetings or online classes for children.
Who Is Doing It and Who Has Been Affected?
The motives behind the Zoombombs vary from case to case, but it seems most of the intruders are just trying to get a laugh by infiltrating random calls. There have been a number of instances, though, in which the perpetrator had much more malicious intentions.
The Anti-Defamation League points to a March 24 conference hosted by a Massachusetts Jewish students' group. The webinar, which was about antisemitism, was interrupted by an individual who exposed his swastika tattoo on his chest. A similar incident happened a day later during a call hosted by California's Jewish Community Center; during that call, the intruder went into a "minutes-long, profanity-laced, antisemitic rant" before exposing his tattoo. After reviewing screenshots, the Center on Extremism said they believe the perpetrator was Andrew Alan Escher Auernheimer—a man also known as "weev," who has used technology to express his racist views.
The New York Times has reported on Zoombombing incidents that targeted Muslims, Alcoholics Anonymous meetings, and online classes. The publication writes that some of the latter events were disrupted by students who were just trying to get out of work.
Per the Times:
Several teenagers who ran Zoom raid accounts spoke about their frustrations with online schooling and how, for them, Zoom raiding classes provided an outlet. It was the only way they felt they could escape their crushing academic workload. Most of the accounts run by teenagers are operating with the goal of derailing middle and high school classes with disruptive but largely inoffensive jokes.
What Are the FBI and the Government Doing to Prevent Zoombombing?
In response to the Zoombombing spike, U.S. officials have urged the public to take precautionary measures, while also warning perpetrators about the potential legal consequences. Federal authorities in Michigan announced that anyone who hacks into a teleconference will risk federal and state criminal charges, including disrupting a public meeting, computer intrusion, using a computer to commit a crime, hate crimes, fraud, or transmitting threatening communications. Each of these charges is punishable by fines and/or imprisonment.
"You think Zoombombing is funny? Let’s see how funny it is after you get arrested," Matthew Schneider, United States Attorney for Eastern Michigan, said in a written statement. "If you interfere with a teleconference or public meeting in Michigan, you could have federal, state, or local law enforcement knocking at your door."
There are some gray areas when it comes to prosecuting Zoombombers. Under the Computer Fraud and Abuse Act, it is illegal to intentionally access a computer "without authorization or in excess of authorization." But as some experts have noted, there are questions about what defines the phrase "without authorization."
If a perpetrator enters a public Zoom chat by simply clicking on a link, it's less clear whether they committed any cyber-trespassing crimes. As Reason points out, this all depends on individual state laws and the kind of disturbance that was committed. For example, if someone disrupts a Zoom call with hateful and/or violent messages, they may not be charged with cyber crimes; however, they could be charged with harassment or a hate crime.
On the other hand, if a Zoombomber hacks into a password-protected teleconference, the individual is much more likely to be charged under the CFAA.
What Is Zoom Doing to Address the Issue?
After facing mounting criticism and increasing calls for improved privacy measures, Zoom announced it had simplified the process of enabling security features. In a blog post earlier this month, the platform directed users to the new "Security" button displayed in the meeting controls; when the host or co-hosts of the Zoom meeting click on the icon, they will have immediate access to a number of features that will reduce the chances of a disturbance.
By clicking the Security icon, hosts and co-hosts have an all-in-one place to quickly:
Zoom founder and CEO Eric Yuan spoke about the issue of Zoombombing during an interview with CNN’s Brian Stelter.
"Our service was built to serve business and enterprise customers. However, due to this COVID-19 crisis, we moved too fast," he said. He went on to add, "We take actions quickly, and we had some missteps over the past weeks. ... Our intention [is] good, now we learned [a] lesson, and we'll double down, triple down on privacy and security before we do anything, we need to think about that."
How to Prevent Zoombombing
Users can make their Zoom chats more secure and less vulnerable to Zoombombings with some of the following tips:
Use a unique ID, rather than a personal meeting ID, for each call.
Require a password for any call that is not open to the public.
Create a waiting room so that a host can choose which users can enter the chat before it officially begins.
Turn off screen-sharing capabilities for everyone except the host(s).
Mute the audio and disable annotations, video, private chats, and custom backgrounds for attendees.
If your meeting is still disrupted by a Zoombomber, kick the troll out and disable the user's ability to rejoin the meeting once they're removed.
