videoconference (MicroOne/Shutterstock.com)

‘Zoom-bombing’ highlights videoconference security vulnerabilities

Remote workers using Zoom for videoconferencing may be more vulnerable to hijackers "Zoom-bombing" their calls and making threats and offensive displays.

In late March, two Massachusetts high schools reported their Zoom-enabled online classes had been interrupted, according to the FBI's Boston Division.  In one case, someone dialed into a videoconference class, yelled out a profanity and the teacher's home address, the FBI said. In the other, a school reported an unidentified individual dialing into a Zoom videoconference class and displaying swastika tattoos.

FBI Special Agent Doug Domine said that unauthorized participants are not just an issue on the Zoom platform. "Other providers have similar platforms," he said, that are just as vulnerable to such intrusion if they're misused.

Zoom, however, is getting extra scrutiny. New York is now looking into the company’s security practices. On March 30, Attorney General Letitia James sent a letter to the company asking how it is ensuring security, given the massive increase in traffic and the growing amount of sensitive and private data – especially from students -- crossing its network. James also wants to know how it is addressing vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.” the New York Times reported.

The company's video teleconferencing offering has raised the hackles of some privacy experts, including Consumer Reports, which said it collects and sells user data to online advertisers. It revised its privacy policy on March 29 to say it does not sell personal data. Earlier, Motherboard reported that Zoom’s privacy policy did not alert users that its iPhone app had been sending user data to Facebook.

Additionally, a company official told the Intercept in a March 31 report that Zoom does not offer end-to-end encryption as it is commonly understood – that is, encrypting data between user end points. The content of a video conference hosted by Zoom is potentially visible to the company itself.

Zoom's standard product has many new users in public school environments, especially since company CEO Eric Yuan removed videoconference time limits on the app for elementary and high schools as the COVID-19 pandemic closed down the facilities across the U.S.

As telework expands across the U.S., users unfamiliar with security precautions can unintentionally expose their videoconferences to unauthorized participants.

"Organizations should have policies” for video teleconferencing and its associated software, as well as training on how to use it, said Doine. Individual session passwords should be used, even for audio bridges, he said. "The bigger the group, the bigger the possibilities" for unauthorized entry.

"We take the security of Zoom meetings seriously and we are deeply upset to hear about the incidents involving this type of attack," a Zoom spokesman said in an email. "For those hosting large, public group meetings, we strongly encourage hosts to review their settings and confirm that only the host can share their screen. For those hosting private meetings, password protections are on by default and we recommend that users keep those protections on to prevent uninvited users from joining," the spokesman said.

The Zoom for Government platform is on the General Services Administration's buying schedule and also has that agency's Federal Risk and Authorization Management Program moderate level approval. Zoom was sponsored in the FedRAMP approval process by the Department of Homeland Security, according to the company. The authorization allows federal agencies and contractors to securely use Zoom for government video meetings and API integrations, according to the company.

Typically, government-approved versions of commercial off-the-shelf products to not allow for data collection for marketing purposes.

When asked about Zoom one federal IT manager said they were confident that with the FedRAMP moderate rating that conforms services to FISMA standards, a federal Authority to Operate, and familiarity with the platform, most federal users could be reasonably confident with the platform's integrity.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


Featured

  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

  • Marines on patrol (US Marines)

    Using AVs to tell friend from foe

    The Defense Advanced Research Projects Agency is looking for ways autonomous vehicles can make it easier for commanders to detect and track threats among civilians in complex urban environments without escalating tensions.

Stay Connected