As remote work surges amid the coronavirus pandemic, the FBI issued a public bulletin Monday warning that Zoom and other video teleconferencing services may not be as private, or as secure, as users may assume.
Use of Zoom and similar services has exploded in recent weeks as companies, schools, governments, and individuals increasingly turn to teleconferencing as a way to keep businesses and classrooms afloat while sheltering in place or working from home. However, the shift also represents an opportunity for attackers, as white supremacists, hackers and other trolls barge into digital meetings, a phenomenon known as “Zoombombing.”
In Massachusetts, there have been several incidents, including an unintended participant joining a high school’s virtual classroom only to yell profanities and reveal personal information about the teacher, according to the FBI. Another unwelcome participant with swastika tattoos joined a separate Massachusetts school’s Zoom meeting, the FBI reports.
“The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language,” the FBI cautioned. “As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts.”
It’s not just private businesses and children whose meetings could be Zoombombed. Privacy and security issues in conferencing software may also pose risks to national security, as world leaders convene Zoom meetings. In some cases, world leaders such as U.K. Prime Minister Boris Johnson have shared screenshots of their teleconferencing publicly only to reveal Zoom meeting IDs, raising concerns that sensitive information could be compromised.
The FBI warning comes after a flurry of reports that Zoom is not securing user sessions and communications as much as the San Jose, California-based company has advertised. The company falsely claims to protect conversations with end-to-end encryption, according to The Intercept. In recent days Zoom has leaked people’s email addresses and photos to strangers, according to Vice’s Motherboard. Now, Zoom is facing a class-action lawsuit for allegedly illegally sharing user data with Facebook.
To prevent unwanted participants from joining Zoom or other video teleconferencing meetings, the FBI advises users not to make Zoom meetings or classrooms public. Instead, users should require a meeting password, or use the Zoom waiting room to control who has access to particular meetings. The bureau also recommends not sharing links on public social media posts, and instead providing links directly to intended participants.
Zoom hosts can limit screen sharing to “Host Only” to prevent people and unintended participants from taking over and sharing images or content that is inappropriate or alarming.
The FBI warned that users should also ensure they’re running the latest Zoom software. The most recent update forces meeting organizers to use passwords by default, and bars users from randomly scanning for meetings to join.
Victims of teleconference hijacking should report it to the FBI’s Internet Crime Complaint Center, the FBI said.