FBI Warns Zoombombing on the Rise, but Use These Simple Changes to Make Zoom Meetings Safer
April 3, 2020
Imagine you’ve joined a Zoom meeting for a class or just to hang out with friends. Then a random person joins and starts yelling obscenities including antisemitic and racist slurs. This is known as “zoombombing.”
The FBI has issued a warning after multiple incidents were reported of individuals hijacking the video teleconferencing app Zoom. The FBI and Zoom have offered a list of tips to avoid having your meetings zoombombed.
Zoom has struggled in recent weeks with accusations of security flaws and sharing users personal data with third parties including Facebook without users permission or knowledge. This occurred as their user base skyrocketed from 10 million to over 200 million worldwide daily.
New York Attorney General Letitia James sent a letter to Zoom questioning its privacy and security practices after experts identified several loopholes according to the New York Times.
The FBI’s Boston Division released a warning on March 30, 2020, that included details about a pair of incidents in Massachusetts in recent weeks. The first occurred during a high school class using Zoom. An unidentified individual joined the session, “yelled a profanity and then shouted the teacher’s home address in the middle of instruction,” according to the FBI.
The second incident involved a swastika tattooed individual getting access to a Zoom meeting hosted by a Massachusetts school.
Included in the FBI warning were several tips to avoid zoombombing:
- Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
- Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
- Manage screen sharing options. In Zoom, change screen sharing to “Host Only.”
- Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
- Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
Derry Township School District’s Director of Instructional Technology Traci Landry informed staff in an email on March 28, 2020, that several domain-level changes were made to the district’s Zoom account. These included two that increased the security of the meetings held by district staff. Screen Sharing is set to host only which prevents visitors–invited and uninvited–to not take over the screen. Second, those who join a session have their video and audio turned off upon entry.
Zoom also offered tips for meeting security in a March 20, 2020 blog post. The first is to not use your PMI, or Personal Meeting ID, to host public events. “Your PMI is basically one continuous meeting and you don’t want randos crashing your personal virtual space after the party’s over,” Zoom said. A better option is to have the Zoom app create a random meeting number for each meeting you wish to host.
Including a password with the meeting ID number also increases security. Also not posting the meeting number on social media is a smart first step, but there’s nothing stopping a student from sharing the meeting number.
Additionally, users who wish to host a Zoom session were advised by Zoom to institute a waiting room. This allows the host to act as a bouncer and limit who has access to the meeting.
Another tool at the meeting host’s fingertips is the option to remove a participant from a meeting after he/she has joined. This is also an option for disruptive students.
A final tool at the host’s disposal is the lock meeting option. This allows the host to not allow anyone else to join the meeting even if they have the meeting ID.