Last week, a doctoral candidate was forced to defend his thesis over Zoom. He invited his friends and family to watch this momentous occasion. Partway through his thesis defense, an unknown individual interrupted the meeting to spew vulgar language and racial slurs. Although his thesis defense was successful, the whole experience was ruined for him and he left feeling embarrassed instead of happy.
This behavior is known as “Zoombombing”: a malicious individual joins a Zoom meeting and harasses other users or uses vulgar language.
Zoom, the online teleconferencing platform, has become incredibly popular recently. It is easy to use and provides free teleconferencing.
While it is easy to see why many people and companies are choosing Zoom to conduct meetings, there are some security concerns with the platform.
Without delving into the technical details, there are a few key settings that will help to secure your meetings and prevent “Zoombombing”.
1. Use a Random Meeting ID
When you first join Zoom, you are given a personal meeting ID. This ID allows you to set up meetings as the host and invite others to join.
This personal ID is unique to your account and should rarely, if ever, be used. Once someone has your personal ID, they can use it to join any future meetings using the same ID.
Many people simply use their personal ID when hosting meetings and wouldn’t consider this a security risk. The problem is that once your personal ID is shared, anyone who has it can potentially join your future meetings, whether you invite them or not.
Zoom provides you with the option to create a randomly generated unique ID for each meeting. This method is much more secure, as this ID can only be used once. Each meeting will be its own isolated instance.
To use a random meeting ID, simply select the “Generate ID” option under the “Meeting ID” setting when setting up the meeting.
2. Password Protect Each Meeting
Meetings can be protected with a password for added security. Users will be prompted to enter the password upon entering the meeting.
If you are using a random meeting ID, you can have a randomly generated password.
When coupled with the random meeting ID, passwords greatly reduce the chance that an uninvited person will be able to join one of your meetings.
To add a password to your meeting, check “Require meeting password” under the “Meeting Password” setting when setting up the meeting.
3. Enable the “Waiting Room”
The waiting room is a feature that places all potential meeting participants on hold until the host admits them to the meeting.
The host, or a designated co-host, can choose to admit people one at a time or in groups.
This lets the host identify participants before they are given the opportunity to contribute anything to the meeting. The host will be able to see the names of people in the waiting room before deciding whether to admit them.
Although this method can be tremendously helpful for small meetings where the participants are known, it is not as helpful for meetings where the host does not know each participant.
This setting can be found in Account Management – Account Settings – Meeting – Waiting Room.
4. Disable Sharing Permissions for Other Users
Unless you are expecting screen sharing to be an important part of the meeting, this feature should be disabled.
“Zoombombers” have been known to use the screen sharing feature to write offensive messages and broadcast them to the meeting.
Screen sharing can be re-enabled during the meeting if the need arises. So, it is simply safer to disable it at the start.
This setting can be found by clicking the arrow at the bottom of the screen next to “Share Screen”. Select Advanced Sharing Options – Who can share? – Only Host.
5. Disable Join Before Host
This option prevents anyone from joining the meeting before the host does. This can be very useful, particularly for meetings that are not using a waiting room.
By disabling this setting, the host has full control of the meeting right from the start. This helps the host set up proper security controls before the meeting begins.
It also prevents unwanted guests from harassing participants at a time when no host is available to expel users.
6. Sign-up Using a Free Standing Account
Zoom has been under scrutiny recently for sharing information with Facebook without user consent.
Zoom was connecting to Facebook’s Graph Application Program Interface (API). This API is the main method that web applications, like Zoom, use to exchange information with Facebook.
This API was used to allow users to create and sign in to Zoom using their Facebook credentials.
When Zoom users signed in using their Facebook credentials, information was automatically shared with Facebook. This included info on the user’s device, the model, their time zone, and the city they were connecting from.
Although Zoom corrected the problem shortly after it was brought to their attention, this incident illustrates the potential for other security vulnerabilities within the platform.
A simple method to avoid information sharing like this is to sign up for Zoom using a free standing account. Zoom offers the option to sign up using existing Google and Facebook accounts. Instead, create a dedicated Zoom account with just an e-mail address. This will limit the amount of information that can be shared with third parties.
7. Disable Private Messaging
Disabling this feature prevents the abuse of Zoom’s private messaging feature.
“Zoombombers” have been observed joining meetings and using the private message feature to harass participants while avoiding ejection from the meeting.
Only allow private messaging if it is absolutely necessary for the meeting.
This setting can be found by clicking Chat – More – Allow attendees to chat with – No one.
8. Use the Zoom Web Interface and Avoid Downloading a Program
Hackers are taking advantage of Zoom’s popularity to spread malware.
A Trojan is a type of malware that attaches itself to a legitimate piece of software and installs itself on a host machine when the legitimate software is executed.
Hackers have been attaching Trojans to real copies of Zoom and spreading them throughout the internet.
So, a user might download one of these copies and run Zoom without realizing they have also installed malware on their system.
An easy solution to this is to simply use Zoom’s web interface. This method allows users to fully access Zoom without installing an executable (.exe) on their system. This greatly reduces the chances of a Trojan being distributed to potential meeting participants.
Is Zoom the Only Option?
For larger audiences where audience participation is not required, or for web broadcasts, services like YouTube Live Stream, Livestream, or Facebook Live might be better alternatives. These services only allow the broadcaster to speak and prevent others from wresting control with vulgar language.
Zoom is still a very useful tool and, with the right knowledge, it can be used correctly. These settings will greatly reduce the chances of “Zoombombing” and should help keep your meetings secure.