Date: 2020-04-04

While the world grapples with COVID-19, businesses, schools and religious groups that have shifted to video conferencing face another threat — “zoombombing.”
Simply put, zoombombing is video-teleconferencing hijacking or cyber harassment. Internet trolls use different techniques to gain access and disrupt meetings, often with hateful language or graphic images. Such breaches have been reported nationwide as more groups use online programs for remote gatherings, according to the FBI.
Even though zoombombing got its name from the online platform Zoom Video Communications, other services are not immune.
“It can happen on any video conferencing site,” said Cameron Shilling, chairman of the privacy and data security practice group at law firm McLane Middleton, in Manchester.
In Massachusetts, one teacher reported an unidentified person dialed in during class, yelled profanity and disclosed the teacher’s home address. Another school reported a Zoom meeting being accessed by someone displaying swastika tattoos, according to the FBI.
“The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language,” the FBI’s Boston office said in a statement.
Use of Zoom alone jumped from about 10 million daily participants in December to 200 million daily participants by March, the company reported. It serves 90,000 schools across 20 countries.
“We are deeply upset to hear about the incidents involving this type of attack and we strongly condemn such behavior,” a company spokesman wrote in an emailed statement. “Starting on March 20, we have been actively educating users on how they can protect their meetings and help prevent incidents of harassment through features like waiting rooms, passwords, muting controls and limiting screen sharing.”
Other disruptions have been made to exercise sessions, celebrity chat sessions or municipal public meetings that are being conducted remotely to combat the spread of the coronavirus. One troll reportedly taunted an Alcoholics Anonymous meeting online, saying “alcohol is soooo good.”
Sometimes links to private meetings are hacked or sessions intended to be public are interrupted with malicious content, Shilling said. “The content is designed to disrupt the meeting, so this typically is pornography or hateful image or speech,” he said.
The Rev. Jason Wells, executive director of New Hampshire Council of Churches, experienced zoombombing while signing in to a webinar from Concord hosted by People’s Forum, a movement for the working class and marginalized communities. Racist scrawl appeared in a chat function, preventing others from commenting.
“I was shocked and then saddened because there were lots of really great organizers and justice workers who were a part of that event,” he said. “It just makes me sad for what I imagine that might have made them feel.”
Besides malicious disruption of meetings, zoombombing can have other negative consequences, said Shilling, of McLane Middleton.
“Zoombombers are looking to gather up personal information so that they can sell it and use it for nefarious purposes,” he said. That includes names, addresses, telephone numbers and email addresses.
Hackers also might download malware and gain access to cameras and microphones on computers.
As small and mid-size businesses and schools have rushed to get videoconferencing systems in place, they have left themselves vulnerable to attacks.
But there are defenses.
Shilling, whose firm works with businesses and schools on technology risk management, advised using only video conferencing that is encrypted.
Further safeguards include using passwords and other authentication measures to join meetings and restrictions on who can share their screens or publish content. Some meetings can be set up as webinars for further protection.
“The combination of passwords plus content-sharing restrictions will virtually eliminate zoombombing,” Shilling said.
Other protections should be put in place when recording meetings, such as ensuring compliance with wiretap and other privacy laws and storing them on secure clouds, networks and devices, according to the firm.
Eric S. Yuan, founder and CEO of Zoom, apologized to users last week in a blog post for not meeting privacy and security expectations.
“We have been working around the clock to ensure that all of our users – new and old, large and small – can stay in touch and operational,” he wrote.
The company initially referred to the uninvited participants as “party crashers.”
“Given the more serious and hateful types of attacks that have since emerged, that terminology clearly doesn’t suffice,” Yuan wrote. “We absolutely condemn these types of attacks and deeply feel for anyone whose meeting has been interrupted in this way.”