The News: What to do about Zoombombing is becoming a key security concern for users the world over as instances of Zoombombing have become a thing. Zoombombing is an emerging trend where unwitting Zoom users are finding themselves surprised by attackers who pop into their meetings and screen share porn, profanity, hate messages, gender threats, and/or unsettling images or video. Zoombombing instances have happened to companies, government organizations, schools, universities, churches, random folks hosting meetings they share information about publicly — even brands have fallen victim to hackers hijacking their Zoom events. In a statement issued this past Monday, the FBI warned of teleconferencing and online classroom hijacking during the COVID-19 Pandemic as reports of Zoombombing instances are proliferating across the country. More at TechRepublic.
What to do About Zoombombing as Hackers and Security Issues Plague Zoom
Analyst Take: What to do about Zoombombing as hackers and security issues plague Zoom? First, a quick back story. The growth in downloads of videoconference apps has been nothing short of astronomical over the course of the last few weeks, as people the world over embrace a new normal — working from home and learning from home. These apps have seen some 62 million plus downloads during the week of March 14th to 21st alone, the biggest week ever according to data collected by AppAnnie, and up 90 percent from the weekly average of business app downloads in all of 2019.
While Zoom is the darling of videoconferencing platforms of the moment, having made its platform free for K-12 schools early on in the COVID-19 outbreak, Google has also opened premium features for Hangouts Meet through July 1, 2020, Microsoft has offered a free six-month subscription to its Microsoft Teams product, and Cisco has offered expanded Webex capabilities to existing customers and free 90-day licenses to businesses who are not Webex customers. To get a visual on just how many millions of users the world over are relying on videoconferencing apps, here’s an overview of downloads during the week of March 15-21 compared to the weekly average for Q4 2019. Image credit: AppAnnie
Zoombombing is Real — And It’s Unsettling When It Happens
I’ve heard a lot about Zombombing over the course of the last week, and some stories are more horrifying than others. Can you imagine giving a presentation or a lecture and having someone Zoombomb your presentation by blasting pornographic images or sharing your personal information, like your street address? I can’t either. Here’s just one look at what transpired in a Zoombombing session, where a school district made a link to their meeting available online and the meeting was subsequently Zoombombed.
How to Protect Your Videoconferences from Zoombombing
So, how to protect your videoconferences from Zoombombing? There are some simple steps Zoom users can take to protect their meetings, events, and teaching sessions. These include the following:
- Don’t make your Zoom meetings, classrooms or events public. When you set up a meeting, either require a meeting password or use the Zoom waiting room to control who has access to your meeting or class and let people in as they show up.
- Don’t share your Zoom meeting invitation links on an unrestricted social media channels – send those links privately. If you have a private message channel for your team, or a private social media group, it’s fine to share your Zoom invitation link there, or also share by way of calendar invites or email messages to only the invited participants. Personally, I’m a fan of integrating Zoom with my calendar option — so I can schedule a meeting, opt for “making it a Zoom meeting,” add my guests to the meeting, and then opt for the “send invites to guests” option in my Google calendar. Whichever system you opt for, just don’t share your meeting invitation links publicly.
- Make sure you are running the most up-to-date Zoom software. This is important because of new security updates that were made by Zoom in January, which added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
- Perhaps most importantly, when you host a meeting, change the screensharing option to “Host Only,” which will preclude someone else who manages to hack their way into your meeting or event from taking over the screen.
Security Issues are Not New Concerns for Zoom
We’ve covered Zoom extensively here at Futurum Research, and admittedly are both fans of the company’s videoconferencing platform — and regular users. To be fair, we also use Cisco Webex and Microsoft Teams and Google Hangouts products as well — we are in the business of researching and analyzing collaboration platforms, capabilities, features, etc., and often act as advisors to the companies who make them. It is our job to be collaboration platform experts.
In early February, I wrote about Zoom, commenting on what we saw happening with the company’s stock as a result of the massive shift to WFH and online learning — Zoom Stock Finds a Bright Spot in Coronavirus Fears. But again, to be fair, we have also been concerned about and critical of Zoom’s approach to security at times over the course of the past year.
Zoombombing is Not the Only Data and Security Related Problem Zoom is Facing Right Now
Zoombombing isn’t the only problem Zoom is wrestling with right now. On Monday, a California man filed a class action lawsuit alleging the company is violating the California Consumer Privacy Act, which requires companies to give consumers notice when their personal information is collected and shared. As an aside, this is likely only the beginning of the suits we’ll see of this nature as the CCPA just went into effect in January 2020.
The lawsuit alleges that Zoom has “failed to properly safeguard the personal information of the increasingly millions of users” who use the app. The lawsuit cites a report from Vice News that found that the Zoom iOS app has been sending Facebook details on users devices, phone carriers, the city they are in, the time zone they are in, AND perhaps the most troubling of all, a unique advertiser identifier created by the user’s device which then allows companies to target a user with ads by way of a Facebook login feature on the Zoom iOS app.
Zoom’s got problems in the state of New York as well, as NY Attorney General Letitia James is reportedly looking into Zoom’s data privacy and security practices. The AG’s letter to Zoom noted that while the platform is an “essential and valuable communications platform” there is concern about the company’s slowness to address security flaws and vulnerabilities that “could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.” Most importantly, pressure by the NY Attorney General will hopefully result in Zoom taking a proactive approach to security practices rather than a reactive one.
What’s Next for Zoom? A Proactive Approach to Security is Key
Zoom needs to get serious, and quickly, about adopting a security-first approach that its competitors in the collaboration space are leading with. Zoom has been great about apologizing, and fixing things, but what we — organizations relying on the Zoom platform, teachers and school districts using Zoom, children learning online by way of Zoom, and families using Zoom to stay connected to one another as we shelter in place as a result of COVID-19 — should be able to count on is that our data is and will remain private, that protections will be put into place so that our meetings and classrooms won’t be accessible to hackers, and that our data and our identities remain secure, from hackers or from Facebook or any other advertiser who want access to users and their data.
Zoom shares have skyrocketed since the beginning of the year and I am thrilled by their success. The path forward, however, relies on security. If the company is going to retain a customer base, especially that oh-so-valuable paid customer base that is what really allows companies to deliver shareholder value, then a proactive security first mindset is going to have to be the mantra they embrace and lead with. We’ll all be watching, and hoping they get this right.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.