Zoombombs away! Security is new concern in social distancing age

From its privacy policy and data sharing with third parties, the Maltese are coming to terms with the fact that Zoom has already experienced a major security vulnerability.

Nice to see you, to see you... nice: how people are meeting and working online. However, the prospect of ‘zoombombing’ has become a real thing for unsuspecting online video users

It comes as no surprise to anybody that being able to operate anonymously on the internet does not bring out the best in people.

The need to stay connected in this time of social distancing has led to the stratospheric rise in popularity of video conferencing tools such as Zoom in Malta. But, predictably, bad guys have already found ways to misuse communication tools to disrupt already stressed-out remote workers.

As the COVID-19 pandemic leads the world to work online in isolation, the software that allows people to do so has come under close scrutiny, after cracks in its security started to show.

While the tools – Zoom is just one of them – are reimagining how Maltese companies, schools and society operate, they also have their faults.

Security researchers have found several problems. From the application’s privacy policy and some of its support documents, it is evident that Zoom allows your boss to track your attention during calls, and shares large amounts of the data it collects with third parties. Now it has already experienced a major security vulnerability.

In addition to this, journalistic investigations have placed Zoom’s claim of end-to-end encryption on its video calls in doubt.

One peculiar new, and often upsetting, phenomenon is called “Zoombombing”, in which online trolls take advantage of Zoom’s default settings to gate-crash conference calls and disrupt them by flooding the calls with disturbing images.

It is just one of the many new vectors for abuse internet users are experiencing in the coronavirus age. Others include phishing attacks purporting to offer health screenings, scams claiming people’s electricity would be shut off during quarantine if they don’t pay and the sale of fake COVID-19 testing kits.

Zoombombing is possible because if a Zoom call is public (that is to say, not password protected), anyone with the URL to the call can join and participate. The bad actors don’t even need to know who it is they’re gatecrashing – there are reports of people Zoombombing random call IDs. Some of the calls hit have been Maltese school lessons, with audiences of over 25 children being exposed to harmful content such as pornography.

Zoombombing is progressing from a student prank to more serious incidents of hate speech.

Luckily, there are ways of stopping and preventing a Zoombombing attack. First of all, if you’re hosting a meeting that’s getting Zoombombed, disable the “screen sharing” option as quickly as possible.

For added security use the “waiting room” function. This makes people wanting to join visible to the host, but keeps them out of the main meeting until they’re allowed in.

This option is turned off by default, but can be enabled by signing in to your Zoom account and clicking on the settings.

Other tips include ensuring screen sharing is possible only for the host, turning off the function that allows file transfer, turning off the “allow removed participants to rejoin” setting (so attendees booted from the meeting can’t slip back in), turning off the “join before host” setting (so people can’t cause trouble before you arrive) and turning on the “require a password” setting for meetings. Hosts may also delegate others to help moderate the discussion through the “Co-Host” option.

In public announcements Zoom has reminded its users that when they share their meeting link on social media or other public forums, this makes the event public, and means that anyone with the link can join that meeting.

The company has also suggested that users avoid starting public events using their Personal Meeting ID (PMI) because “your PMI is basically one continuous meeting and you don’t want randoms crashing your personal virtual space after the party’s over.” It also suggests that users generate random meeting IDs.
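As an added example (not from the article or from Zoom), the host settings listed above and the PMI advice can be expressed as a baseline check over a list of scheduled meetings. The setting names and the sample meetings are assumptions constructed for illustration, not Zoom API fields.

```python
# Baseline taken from the host settings the article recommends.
# Key names are hypothetical labels for this example, not Zoom's API fields.
BASELINE = {
    "waiting_room": True,                      # hold joiners until the host admits them
    "require_password": True,                  # without one, anyone with the URL gets in
    "join_before_host": False,                 # nobody in the room before the host
    "screen_share_host_only": True,            # only the host can share a screen
    "file_transfer": False,                    # no file drops during the meeting
    "removed_participants_can_rejoin": False,  # booted attendees stay out
}


def audit_meeting(meeting):
    """Return a sorted list of findings for one meeting's settings."""
    findings = []
    settings = meeting.get("settings", {})
    for key, wanted in BASELINE.items():
        actual = settings.get(key)
        if actual is None:
            # A setting missing from the export is not assumed to be safe.
            findings.append(f"{key}: not recorded, verify in account settings")
        elif actual != wanted:
            findings.append(f"{key}: is {actual}, should be {wanted}")
    # Zoom's advice quoted in the article: no public events on a PMI.
    if meeting.get("uses_pmi") and meeting.get("link_shared_publicly"):
        findings.append("uses_pmi: public event on a Personal Meeting ID, "
                        "generate a random meeting ID instead")
    return sorted(findings)


def audit_all(meetings):
    """Map meeting name -> findings, omitting meetings that pass."""
    audited = ((m["name"], audit_meeting(m)) for m in meetings)
    return {name: found for name, found in audited if found}


# Constructed sample data for illustration.
SAMPLE_MEETINGS = [
    {"name": "Year 5 maths lesson", "uses_pmi": True, "link_shared_publicly": True,
     "settings": {"waiting_room": False, "require_password": False,
                  "join_before_host": True, "screen_share_host_only": False,
                  "file_transfer": True}},
    {"name": "Staff meeting", "uses_pmi": False, "link_shared_publicly": False,
     "settings": dict(BASELINE)},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_MEETINGS).items():
        print(name, *findings, sep="\n  - ")
```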

There is only so much that can be done by platforms, however. Users must always remember to use common sense and make use of the security precautions on offer.

Most importantly, keep that “block” button handy.