ZoomBombing: What is it and how to keep your Zoom calls safe

***UPDATED 6th APRIL to reflect Zoom’s response****

I’ve learnt 2 new phrases in the last 2 weeks – social distancing and ZoomBombing.

Here are all the tips you need to prevent trolls from attacking your stream https://t.co/zhmanphYW3

— joshconstine (@JoshConstine) March 20, 2020

More and more people are stuck at home now and they’re finding different ways to communicate. Video calling tools like Zoom are becoming really popular because they’re pretty easy to use, and it doesn’t matter if you’re on a laptop, tablet or your mobile phone.

What is Zoom and what is ZoomBombing?

Zoom is a bit like Skype or Facetime. It’s been around for quite a few years and has lots of fans in lots of different businesses. But sadly now it’s being abused on a large scale. And that abuse is being called “ZoomBombing”.

Criminals, scammers, time wasters, bullies and other unwanted ‘guests’ are gatecrashing video calls, sharing offensive content, spreading malicious information and digital viruses and making people feel even more anxious and victimised.

If you’re sharing Zoom links publicly, please make sure you change the screen sharing options. Risk of uninvited trolls aka digital gatecrashers, sharing offensive content with your audience. Instructions below https://t.co/3sZsNn0nUm

— Jonathan Fox (@JonnyFoxability) March 26, 2020

How can this happen?

Every Zoom call has a unique ID made up of 9-11 digits. And this forms part of a URL – web link, that can be shared with guests.  These links are then shared by email, or via social media, or websites etc etc. And the ‘gatecrashers’ search for these links online or trade them and then wreak havoc.

“Anyone who has a link to a public meeting can join a Zoom call. Links to public Zooms are traded in Facebook Groups, online forums and Discord chats, and are easily discoverable on Twitter and public event pages.” https://t.co/FqZfGRopeI

— Taylor Lorenz (@TaylorLorenz) March 25, 2020

The good news is, that this can be avoided. You can make sure your attendees are the only people you invite, by changing some of the settings and using some of the tips below.

1st rule of Zoom Club*: Don’t give up control of your screen

 

Gatecrashers to your Zoom meetings could share offensive content, they could also be just listening in and monitoring for opportunities to scam people.

Some simple tips to help:

• Be really careful who you share your meeting links with.

  • Sharing your meeting link on social media or other public forums, makes your event … extremely public. ANYONE with the link can join your meeting. Unless you’ve changed the default settings

• Familiarise yourself with the settings options

  • Have a look at your settings and think about turning on the Waiting Room feature

• Enable “Require a password” for all meeting types

  • If you don’t set a password for your meetings, then potential ‘gatecrashers’ can see details of your upcoming or recurring meetings.
  • As meeting IDs are only 9-11 digits long – they can be guessed by programs and tested to see if they have open or scheduled meetings linked to them.
  • Information that can be gleaned from the ‘open’ IDs can include; the link needed to join each meeting; the date and time of the meeting; the name of the meeting host; and any information supplied by the host about the meeting topic.
  • You can set a password for instant meetings, your personal meeting ID, scheduled new meetings and all previously scheduled meetings
  • see Zoom help article here
  • “Zoom strongly encourages users to implement passwords for all of their meetings to ensure uninvited users are not able to join,” the company said in a written statement recently shared with security consultant Brian Krebs
  • ****UPDATE 5th April 2020**** “We’re always striving to deliver our users a secure virtual meeting environment,” Zoom said in a statement to The Verge. “Effective April 5, we are enabling passwords and ​virtual waiting rooms by default ​for our Free Basic and Single Pro users. We strongly encourage all users to implement passwords for all of their meetings.”

• Disable “Join Before Host”

• Prevent guests from sharing their screen during a call

  • using the host controls at the bottom, click the arrow next to Share Screen and then Advanced Sharing Options. Under “Who can share?” choose “Only Host” and close the window. You can also lock the Screen Share by default for all your meetings in your web settings.

• Turn off file transfer

  • In-meeting file transfer allows people to share files through the in-meeting chat. Toggle this off to keep the chat from getting bombarded with unsolicited pics, GIFs, memes, and other content.

• Disable “Allow Removed Participants to Rejoin”

• Disable “Anyone Can Share Screen”

 

Your data is worth something to someone

We are living in ever changing times. Now more than ever, your data is worth something to someone. Criminals and scumbags do not care who they hurt.

 

Be careful what #WFH photos you share on social media. Especially if it’s Zoom calls. This is another opportunity to learn what not to do. Zoom meeting IDs have a value to someone. Easy to overlook these things until it’s too late https://t.co/H8Qyjk4TrE

— Jonathan Fox (@JonnyFoxability) March 31, 2020

We’re all in this together

We are not working from home, we are working at home during a crisis. If you know how to secure the software tools you’re using, please show others. If not please ask those of us that can help. We’re all in this together 🙂

 

If you want to book a call with me, get in touch here

Useful links

• Official video from Zoom showing you how to change settings to stop digital gatecrashers ‘ zoom bombing ‘ your calls:
  
• Zoom’s CEO writes ‘A Message to Our Users‘ – commendable and positive response from Zoom detailing what they have done and what they are going to do to improve their service

 

• Useful investigative write up  of University of Toronto research into how Zoom is not ‘suited for secrets’ and its links with China

***UPDATE*** Zoom’s response to the above research Response to Research From University of Toronto’s Citizen Lab

• Zoom blog post with useful instructions: How to Keep the Party Crashers from Crashing Your Zoom Event

***UPDATE**** Zoom has now renamed this blog post to “How to Keep Uninvited Guests Out of Your Zoom Event” because:
“We’ve also changed the name and content of that blog post, which originally referred to uninvited participants as “party crashers.” Given the more serious and hateful types of attacks that have since emerged, that terminology clearly doesn’t suffice. We absolutely condemn these types of attacks and deeply feel for anyone whose meeting has been interrupted in this way.”

• Very good “… conversation about Zoom, security, and privacy in these times of social isolation.” Published April 5th “Zooming to Conclusions”

Echoes a lot of my thoughts about Zoom, and technology and privacy in general at this moment in time

• Useful link from the University of California – San Diego:  Zoom Meeting Safeguards

 

• Krebs on Security Article: ‘War Dialing’ Tool Exposes Zoom’s Password Problems

 

*Thanks to the EdTech team at UC San Diego for the quote about 1st rule of Zoom Club 🙂