Why is the exclusive focus on Zoom, when the same “flaw” impacts almost all popular video conferencing apps?

In this Coronavirus era, as if daily news briefings on the pandemic-related deaths weren't enough, a new wave of “zoombombing” stories has been dominating headlines. In the U.S., politicians are even urging federal authorities (FTC for one) to take rigid action against Zoom, accusing the company of making heightened claims about user privacy and security. As a Security Researcher then, I just had to look more into this!

Wikipedia defines Zoombombing or Zoom raiding as “the unwanted intrusion into a video conference call by an individual, which causes disruption.” The moniker gained notoriety during the COVID-19 crisis when many depend on Zoom for conferencing, remote schooling and working from home.

How is it done?

The concept is simple. Video conferencing apps depend on numeric meeting IDs to let participants join — this is customary for almost all apps: GoToMeeting, Webex, Skype, Joinme, Google Meet, and not something unique to Zoom. Some apps may allow organisers to create meetings without requiring participants to enter additional security parameters (a PIN or a password, for example) when joining. How frustrating is it already for the participant to key in a meeting ID — especially when dialing in, let alone having to deal with a PIN on top?

A malicious actor who is able to either guess (enumerate) several meeting IDs consecutively, or has prior knowledge, simply joins an active Zoom meeting which is in progress, and posts lewd content in the meeting: pornography, obscene sounds, spam, etc. The idea is to troll the participants and invite ridicule into the meeting, while some other blackhat hackers might choose to do this to educate people about security flaws in their daily workflow, albeit unethically.
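A provider-side check for the meeting ID guessing described above, as an added example that is not part of the original article: it flags a source that fails to join many distinct meeting IDs within a short window. The log format, result names, addresses, meeting IDs and thresholds are constructed assumptions, not any conferencing product's real format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window per source
MAX_DISTINCT_FAILED_IDS = 5    # assumed tolerance before a source is flagged

# Constructed sample log, one attempt per line: "<time> <source> <meeting_id> <result>"
SAMPLE = sorted(
    # one source failing against 8 different meeting IDs within 8 seconds
    [f"2020-04-02T10:00:{s:02d} 203.0.113.7 1000000{s:02d} not_found" for s in range(8)]
    # an invited participant mistyping the PIN of a single meeting, then joining
    + [f"2020-04-02T10:01:{s:02d} 198.51.100.4 300000001 bad_pin" for s in range(8)]
    + ["2020-04-02T10:02:00 198.51.100.4 300000001 joined"]
    # a shared office address with one mistyped ID per hour
    + [f"2020-04-02T{h:02d}:30:00 192.0.2.9 2000000{h:02d} not_found" for h in range(11, 19)]
)

def find_enumerators(lines, window=WINDOW, limit=MAX_DISTINCT_FAILED_IDS):
    """Map each flagged source to the most distinct failed meeting IDs it hit in one window."""
    recent = defaultdict(deque)  # source -> (time, meeting_id) of failed joins in the window
    flagged = {}
    for line in lines:
        ts_text, source, meeting_id, result = line.split()
        if result == "joined":
            continue  # only failed attempts count towards the threshold
        ts = datetime.fromisoformat(ts_text)
        attempts = recent[source]
        attempts.append((ts, meeting_id))
        while ts - attempts[0][0] > window:  # drop attempts older than the window
            attempts.popleft()
        # Count distinct IDs, not attempts: retrying one meeting's PIN is not enumeration.
        distinct = len({mid for _, mid in attempts})
        if distinct > limit:
            flagged[source] = max(flagged.get(source, 0), distinct)
    return flagged

if __name__ == "__main__":
    for source, count in find_enumerators(SAMPLE).items():
        print(f"{source}: {count} distinct meeting IDs failed within {WINDOW}")
```

Only the first source is flagged; the participant retrying one meeting's PIN and the shared address with hourly typos stay below the threshold.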
Boris Johnson’s Twitter feed shows the prime minister taking part in a virtual cabinet Zoom meeting with the meeting ID (539–544–323) atop the window, raising security and privacy concerns. Image credit: Sky News

British PM Johnson tweeted a screenshot (which is still up) of a virtual cabinet meeting taking place over Zoom, which drew further attention from some, who called the tweet a “security risk,” since it exposed the meeting ID.

Scapegoating Zoom

In all this ‘noise’ and security by press, however, Zoom got scapegoated because of its sheer popularity and widespread user preference across multiple domains: business, education, social groups — not because zoombombing is in itself an exploitable security vulnerability or risk unique to Zoom. The custom of letting participants join video conferences via meeting IDs, often without imposing PIN requirements, is nothing novel and has been practiced for decades…

Zoom even has security features to deter or prevent “zoombombing” altogether, such as screening participants prior to letting them join, or restricting a meeting only to certain logged in users. It is then the lazy or technologically inept meeting organisers who are not leveraging Zoom’s complete set of features, and not the product itself, that are at fault.

Recent headlines which steer people’s attention towards Zoom smell more like a smear campaign designed by Zoom’s competitors than a major cause of concern. My professional opinion is, “zoombombing” is not even an exploitable security vulnerability, strictly speaking in cybersecurity terms. It’s being misunderstood as such by a layperson.

It’s analogous to using any digital product out of the box — such as your WiFi router, without properly configuring it, and then later complaining that you got hacked because you didn’t set up a password.
Simply switching your WiFi router brand in that case would do no good to protect you, should you continue to engage in the same complacency of not setting up a WiFi password!

Protecting yourself

Always make sure your meeting IDs and links are shared only with the participants who are authorised to join them. For extra precaution, consider using PINs or passwords on top. That way even if a malicious party is able to guess the meeting ID, the PIN serves as an extra layer of deterrent. A video conferencing organiser should also consider screening participants before letting them join a meeting — this can also be done seamlessly by keeping a meeting restricted to only a few people (logged in users).

In conclusion, a “flaw” that impacts almost all video conferencing apps, or has at some point, is now being uniquely attributed to Zoom, and this is misleading to users as it creates a false sense of security. Moving to a different conferencing app won’t safeguard you against “zoombombing” unless commonsense security measures are enforced by meeting organisers.

© 2020 Ax Sharma (Twitter). All Rights Reserved.

Previously published at https://medium.com/@_ax/zoombombing-an-overblown-phenomenon-not-a-vulnerability-9a3331536c54