How to Protect Yourself from Zoom-Hijacking

April 09, 2020 On March 30, 2020, the FBI announced that it has received multiple reports of video-teleconferencing (VTC) hijacking attacks in recent weeks. The attacks target the VTC platform Zoom and involve unidentified individuals joining online meetings and disrupting them with pornographic and/or hate images and speech. This type of attack is being referred to as “Zoom-bombing.”

By: Lindsay B. Nickle & Abby Swanson Garney

On March 30, 2020, the FBI announced that it has received multiple reports of video-teleconferencing (VTC) hijacking attacks in recent weeks. The attacks target the VTC platform Zoom and involve unidentified individuals joining online meetings and disrupting them with pornographic and/or hate images and speech. This type of attack is being referred to as “Zoom-bombing.” On April 5, 2020, Zoom rolled out updates that address some of the platform’s issues, but these updates do not completely eliminate the risk of VTC hijacking attacks. 

The FBI shared recommendations for strengthening VTC cybersecurity efforts and mitigating threats from hijackers. When setting up a Zoom meeting, the following steps can help keep uninvited attendees from entering the meeting. In other VTC platforms, similar options are often available.

  • Make the meeting private. This can be done either by requiring a meeting password, or by using the waiting room feature so the host can control who enters the meeting. As of April 5, 2020 these features have been automatically enabled.
     
  • Share meeting links privately. Send meeting links to attendees individually and never in a public forum like an unrestricted social media post. Even after the April 5 updates, users who enter a Zoom meeting by following a link will not need to enter a password, so keeping the meeting link private remains important. 
     
  • Limit screen-sharing options. Zoom allows the host to change screen-sharing to “host only” so that if an uninvited individual gains access to the meeting, they will be unable to share hateful or pornographic images. 
     
  • Ensure all users install software updates. In addition to the April 5, 2020 updates, the January 2020 version of Zoom added meeting passwords as the default and disabled the function that allowed users to randomly scan for meetings to join. In order to take advantage of these new features, all users should have the most up-to-date version of Zoom installed. 
     
  • Address both physical security and information security in your organization’s telework policy. 

The FBI tracks these types of attacks. If you are a victim of a VTC hijacking, Zoom-bombing, or other cyber crime, report it to the FBI’s Internet Crime Complaint Center at ic3.gov. Specific threats, including any threats received from a VTC hijacker, should be reported at tips.fbi.gov or by calling your regional FBI field office. Find your regional FBI field office’s contact information on the FBI website

Zoom is a widely used platform for hosting meetings and conferences during the COVID-19 pandemic, and users should be aware that use of Zoom may present other privacy and security issues. The Intercept recently reported that video calls placed using Zoom are not end-to-end encrypted, despite the fact that Zoom claims that they are. Additionally, the Zoom “Company Directory” feature automatically pools users who sign up using emails hosted by the same domain together, as if they all work for the same company. While this feature excludes common public domains like Gmail and Yahoo, this means that there may be thousands of users that have been grouped together without their knowledge, and as a result, those users may have access to each other’s names, email addresses, and profile photos, and be able to place video calls to others in the group despite having no direct relationship. 

For more information, visit our Data Privacy & Cybersecurity Practice page to find an experienced attorney in your area.

Lewis Brisbois has been nominated for two Advisen Cyber Awards! Vote for Lewis Brisbois as “Cyber Risk Event Team of the Year” and “Cyber Law Firm of the Year” here.