How a Pandemic Started a Trend Called Zoombombing

April 22, 2020 Security and Compliance, MOVEit

Zoom has seen hyper-growth during what IT teams are calling the "new normal." But that fame comes with a cost: the attention of hackers and security pros.

The upside of a pandemic that forces millions of new users to introduce themselves to video conferencing tools like Zoom is pretty apparent: a massive surge in new users, revenues, brand recognition, and shareholder value.

The downside in millions of new users poking around a critically important tool they've probably never paid any attention to before is that many of those users are security nerds and bounty hunters. And in just a matter of weeks, the pandemic high that Zoom was basking in quickly turned into a nasty hangover stoked by allegations of multiple security vulnerabilities and questionable privacy decisions.


What is Zoombombing?

New vocabulary like Zoombombing soon took the wind out of Zoom's sails. Businesses were banning it, governments investigating it, and shareholders suing. What should have been an endless series of victory laps turned instead into a PR crisis-management tour of mea culpas that may forever tarnish the brand.

While the litany of security mistakes, privacy failures, and trust betrayals continues to grow, one of the most terrifying for new and would-be users is the detonation of a Zoom Bomb in the middle of an important online meeting.

Amongst the chorus of complaints about Zoom's poor and questionable security and privacy decisions was a surge in reports of online trolls disrupting Zoom video conferences with everything from offensive and threatening messages to online harassment. As the publicity around Zoom's security issues attracted still more security experts and hackers curious to see how vulnerable the platform really was, it soon became apparent why Zoombombing seemed such an easy stunt to pull off.


An Old Hacker Tool Called 'War Dialing'

Welcome to 'war dialing,' one of the oldest tools in the hacker arsenal. Because Zoom meeting numbers are simply strings of up to 11 digits, researchers realized it was quite easy to identify the call-in numbers of real meetings, especially once the process was automated. Krebs on Security claimed to be able to identify (and, if necessary, join or bomb) around 100 legitimate Zoom meetings in just 60 minutes using a custom dialer.

He also claimed that by simply running several of the war dialing tools at the same time, he could discover pretty much all of the public or open Zoom meetings occurring on any given day. In one demonstration, he was able to access more than 2,400 Zoom meetings in a single day, many of them hosted by banks, Fortune 500 firms, and government agencies.

So how could a nearly ten-year-old enterprise communications business, run by some of the most experienced executives in the industry, have missed such a gap? According to the firm, it didn't expect so many personal users and employees outside the enterprise to start using the tool so suddenly. Those users created additional risk because they didn't know how to enable Zoom's security and privacy settings, or because Zoom never told them that they should and how they could.

A terrible collision of novice users and poor communication, or just a business more focused on hyper-growth, without the baggage of intrusive security and privacy?

So how did user mistakes turn into a new global game of bombing and trolling? It's mainly about Zoom settings. Users simply weren't aware that all Zoom meetings were publicly viewable, searchable, and accessible by default. In many cases, such as a virtual town hall or a school meeting, they needed to be exactly that.

What's Next for Zoom and Video Conferencing Security?

What now, and what next, for Zoom? As the company continues to put out multiple fires, it has also promised to suspend all feature development for the next 90 days so its teams can focus instead on finding and fixing security gaps.

In the meantime, there are some necessary precautions all users should take now if they want to shut out the risk of a troll disruption:

  • As you plan your meeting, and before you announce it, get familiar with all the Zoom settings. Most of the cures can be found there.
  • One of those settings lets you instantly remove a participant who has previously been rejected and blocked.
  • If you run a corporate or enterprise Zoom account, practice the same rules and hygiene as for any other sensitive account. A unique, strong password and two-factor authentication are the very least you need.
  • Unless you're hosting an event that's supposed to be open to the public, don't share the Zoom meeting link publicly, and especially not on social media. That makes it too easy for trolls to find and bomb.
  • If you still need to provide open public access, send the meeting link directly to anyone who requests access. Not foolproof, because a troll could politely request an invite, but still a powerfully simple option.
  • Only the host should have the option to share a screen. If everyone has that option, it's straightforward for a troll or intruder to use it for harassment.
  • Only allow users to join with their work or corporate email address, not a personal address. That will significantly help prevent random outside-the-loop attacks.
  • Send employees and participants a short list of security dos and don'ts before the meeting, such as how and where to download the real Zoom app rather than a fake one. It will help them feel better and make you look better.
  • Always enable the Waiting Room feature. This lets the host personally approve each participant first.
  • Mind what you say. It was a famous warning in the intelligence community about the possibility of a phone being tapped and a conversation being eavesdropped on. If something is sensitive or potentially embarrassing and you don't need to share it in such a questionable setting, find a more secure channel instead.

Neal O'Farrell

As Executive Director of the non-profit Identity Theft Council, Neal has counseled thousands of victims of identity theft and taken on cases referred to him by the FBI and Secret Service. He has advised more than a dozen governments, as well as numerous security companies including ZoneAlarm, IdentityGuard, EZShield, SiteLock, SurfControl, Securify, NTRU Cryptosystems, Credit Sesame, and Civic. Neal is a former writer with SearchSecurity.com and Technical Editor for the Hack Proofing series of security guides (Elsevier).