When any technology sees its popularity increase quickly, the number of bad actors taking advantage of new and untrained users also grows. The world is seeing this now with videoconferencing services and applications, as reports about the popular Zoom app being hijacked — known as “Zoom-bombing” — have surfaced.
With multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language, the FBI’s Boston office recently issued a warning for users of videoconferencing platforms about the incidents. Security expert and investigative journalist Brian Krebs provided details on Zoom’s password problems and how hackers were able to use “war dialing” methods to discover meeting IDs and passwords for Zoom meetings.
While hijacked meetings are disruptive and disturbing for participants, a more insidious threat is intruders who lurk in meetings without revealing their presence — a nightmare for corporate security and individual privacy alike.
Another nightmare: thousands of private recordings of Zoom meetings have been discovered on the open web, according to The Washington Post. Zoom told The Verge that its own servers had not been breached and that the videos had likely been uploaded by users to other cloud storage services. But they were easily found through search because they used the company’s default naming convention for recordings.
Locking down meetings
The good news is that many videoconferencing products include security settings that can prevent such incidents. The bad news is that it’s often left to users with no security training to configure these settings.
We’re here to help. As part of its advisory, the FBI offered safety tips for companies, schools and individuals using videoconferencing services. After speaking with other security experts, we’ve expanded on those ideas to create this list of web meeting security do’s and don’ts.
Don’t use consumer-grade software or plans for business meetings. Consumer tools most likely don’t have all the administrative tools you need to lock things down. While no videoconferencing service can guarantee 100% protection from threats, you’ll get a more complete set of security tools with products geared for enterprise use, many of which are being offered for free for the next several months.
Do use waiting room features in conferencing software. Such features put participants in a separate virtual room before the meeting and allow the host to admit only people who are supposed to be in the room.
Do make sure password protection is enabled. Zoom now auto-generates a password in addition to a meeting room ID. Make sure your service does not rely on the meeting ID number alone: it should also require a separate password or PIN. If the service lets you create a password for the meeting, use password creation best practices — use a random string of numbers, letters, and symbols; don’t create an easily guessable password like “123456.”
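As an added illustration of the passcode advice above (example code written for this piece, not Zoom's or any vendor's), the snippet below generates a meeting passcode from the operating system's cryptographic random source and flags the weak patterns the article warns against. The `COMMON_PASSCODES` list is a constructed stand-in for a real breached-password list.

```python
import secrets
import string

# Character classes a meeting passcode should draw from (the article's
# "random string of numbers, letters, and symbols").
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*-_"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)

# Constructed sample of trivially guessable passcodes; a real deployment would
# check against a full breached-password list instead.
COMMON_PASSCODES = {"123456", "password", "zoom", "letmein", "qwerty", "111111"}


def is_guessable(passcode: str) -> bool:
    """Return True when a passcode is easy to guess: too short, on the common
    list, one repeated character, all digits, or fewer than three classes."""
    pc = passcode.strip()
    if len(pc) < 8 or pc.lower() in COMMON_PASSCODES:
        return True
    if len(set(pc)) == 1:
        return True
    if pc.isdigit():
        # covers 12345678, 87654321 and any other numeric-only passcode
        return True
    classes_present = sum(any(c in cls for c in pc) for cls in CLASSES)
    return classes_present < 3


def generate_meeting_passcode(length: int = 16) -> str:
    """Generate a passcode with the OS CSPRNG (the secrets module), retrying
    until every character class is present so it always passes is_guessable()."""
    if length < 8:
        raise ValueError("use at least 8 characters for a meeting passcode")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


if __name__ == "__main__":
    print(generate_meeting_passcode())
```

The generator uses `secrets` rather than `random` because the latter is not designed for security-sensitive values; the retry loop guarantees every class appears without biasing the choice of positions.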
Don’t share links to teleconferences or classrooms via social media posts. Invite attendees from within the conferencing software — and tell them to not share the links.
Don’t allow participants to screen share by default. Your software should offer settings that allow hosts to manage the screen sharing. Once a meeting has begun, the host can allow specific participants to share when appropriate.
Don’t use video on a call if you don’t need to. Turning off your webcam and listening in via audio prevents possible social engineering efforts to learn more about you through background objects. Audio-only also saves network bandwidth on an internet connection, improving the overall audio and visual quality of the meeting.
Do use the latest version of the software. Security vulnerabilities are likely to be exploited more often on older software versions. For instance, Zoom recently updated its software to require password-protected meetings, and it has paused work on new features to focus its developers on stamping out privacy and security vulnerabilities, indicating that more updates are to come. Double-check that participants are using the most up-to-date version available.
Do eject participants from meetings if an intruder is able to get in or becomes unruly. This prevents them from rejoining.
Do lock a meeting once all the participants have joined the call. However, if a valid participant drops out, be sure to unlock the meeting to let them back in and then re-lock it after they return.
Don’t record meetings unless you need to. If you do record a meeting, make sure all participants know they are being recorded (the software should indicate this, but it’s good practice to tell them too) and give the recording a unique name when you save it.
Do educate all employees who host meetings on the specific steps they should take in the software your company uses to ensure their conferences are secure.
For instance, Gabriel Friedlander, the CEO of security awareness training firm Wizer, posted a list on LinkedIn of recommended security settings for people who use Zoom, whether through their companies or for personal meetings. Here’s a summary of his recommendations:
- Turn off [Participants Video]. They can turn it back on once you allow them to join.
- Turn off [Join before host]
- Turn off [Use Personal Meeting ID (PMI) when scheduling a meeting]
- Turn off [Use Personal Meeting ID (PMI) when starting an instant meeting]
- Turn on [Require a password when scheduling new meetings]
- Turn on [Mute participants upon entry]
- Turn on [Play sound when participants join or leave] (this is heard by host only).
- Turn on [Screen Sharing] - host only
- Turn off [Annotation]
- Turn on [Breakout room] - allows the host to assign participants to breakout rooms.
- In the advanced settings, hosts should turn on the [Waiting Room] feature.
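To show how an administrator might check an account against the list above, here is an added example (written for this piece, not code from Zoom or from Wizer) that compares an exported settings dictionary with the recommended values. The key names and the sample export are hypothetical; they are not Zoom's API field names.

```python
# Recommended values as summarised in the article. The keys are hypothetical
# names chosen for this example, not Zoom's real API fields.
RECOMMENDED = {
    "participants_video": False,
    "join_before_host": False,
    "use_pmi_for_scheduled_meetings": False,
    "use_pmi_for_instant_meetings": False,
    "require_password_for_scheduled_meetings": True,
    "mute_participants_upon_entry": True,
    "play_sound_on_join_or_leave": True,
    "screen_sharing_host_only": True,
    "annotation": False,
    "breakout_room": True,
    "waiting_room": True,
}


def audit_settings(current: dict) -> list[str]:
    """Return one finding per setting that deviates from RECOMMENDED or is
    missing from the export; an empty list means the account is hardened."""
    findings = []
    for key, wanted in RECOMMENDED.items():
        if key not in current:
            findings.append(f"{key}: not present in export; verify manually")
            continue
        actual = bool(current[key])
        if actual != wanted:
            findings.append(
                f"{key}: is {'ON' if actual else 'OFF'}, "
                f"recommended {'ON' if wanted else 'OFF'}"
            )
    return findings


def is_hardened(current: dict) -> bool:
    """True only when every recommended setting is present and matches."""
    return not audit_settings(current)


# Constructed sample export of an account still carrying some defaults:
# "join before host" is on, screen sharing is open to everyone and the
# waiting-room setting was never exported.
SAMPLE_SETTINGS = {
    "participants_video": False,
    "join_before_host": True,
    "use_pmi_for_scheduled_meetings": False,
    "use_pmi_for_instant_meetings": False,
    "require_password_for_scheduled_meetings": True,
    "mute_participants_upon_entry": True,
    "play_sound_on_join_or_leave": True,
    "screen_sharing_host_only": False,
    "annotation": False,
    "breakout_room": True,
}


if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS):
        print(finding)
```

Treating a missing key as a finding rather than a pass matters: a setting that never made it into the export is exactly the one nobody has looked at.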
While these settings are specific to Zoom, any videoconferencing software you use should offer similar settings. If yours doesn’t, it’s time to change to a more secure product.
Balancing security with ease of use
One reason Zoom and other videoconferencing services have gained popularity is their ease of use for end users, many of whom don’t use technology regularly.
“People crave simplicity when it comes to technology, especially during stressful times such as a global pandemic,” said Reza Zaheri, the founder of 1:M Cyber Security, which provides cybersecurity awareness training. “There is always a juggling act between security and ease of use when it comes to tech products.
“To completely generalize, the majority of laymen prefer not to think about the security and privacy aspects of a product. When these features are baked into a product, and even advertised as available to the user, most people still usually don’t configure these settings, and assume someone else is managing these things on their behalf on the back end.”
Zoom has issued guides to locking down meetings in a blog post and a video, but that still places the burden on users to protect themselves.
Zaheri said software products should have security settings on by default, with opt-out settings that display a warning message explaining to users why it would be a risk to turn them off.
“I think the majority of folks who work at home, and who may not be comfortable with technology, would like simple security and privacy settings already baked in and turned on for them,” he said. “They just want to start the program and use it — these settings should already have been configured for them by the vendor.”
Educating a new wave of technology users
Wizer’s Friedlander said that hacking efforts around videoconferencing services have grown as a direct result of the growth of work-at-home and school-at-home policies in the wake of the Covid-19 pandemic.
“Hackers and cyber-criminals think like marketers — they’re always looking for trends and how to market their scams,” he said. “Zoom is trending, work from home is trending, coronavirus is trending, so we’re seeing a lot of new types of threats because of that. It hits everyone because people are more dependent on technology today than ever.”
What's different now compared to previous security threats is that a whole new set of technology users — students, teachers, family members and small organizations like karate, fitness, and dance studios — are utilizing videoconferencing to run classes, often without any IT or security support behind them. Traditional messaging efforts around security training, such as emails or Twitter messages, need to expand to where this new audience will see them, Friedlander said.
“If you want to reach those people, you have to go through the channels they are now on,” he advised. “I’m already seeing more IT and security people doing TikTok videos. Maybe the material is the same, but the way you deliver it has to adapt where people [can see it].”