“As telework expands across the U.S., new users unfamiliar with security precautions can unintentionally expose their videoconferences to unauthorized participants.“
“The FBI is warning Zoom video-conferencing platform users to guard against “VTC hijacking” and “Zoom-bombing” by outsiders intent on making threats and offensive displays.
According to the FBI’s Boston Division, two Massachusetts high schools reported separate instances of individuals breaking into online classes in late March being conducted via Zoom teleconferencing software. In one incident, said the FBI, an unidentified individual dialed into a videoconference class, yelled out a profanity and the teacher’s home address. In the other, a school reported an unidentified individual with swastika tattoos dialing into a Zoom videoconference class.
FBI Special Agent Doug Domin told FCW that unauthorized participants are not just an issue on the Zoom platform. “Other providers have similar platforms,” he said, that are just as vulnerable to such intrusion if they’re misused.
“Organizations should have policies for VTC” and its associated software, as well as training on how to use it, said Domin. Individual session passwords should be used, even for audio bridges, he said. “The bigger the group, the bigger the possibilities” for unauthorized entry.
“We take the security of Zoom meetings seriously and we are deeply upset to hear about the incidents involving this type of attack,” a Zoom spokesman told FCW in an email. “For those hosting large, public group meetings, we strongly encourage hosts to review their settings and confirm that only the host can share their screen. For those hosting private meetings, password protections are on by default and we recommend that users keep those protections on to prevent uninvited users from joining,” they said.
The Zoom for Government platform is on the General Services Administration’s buying schedule and also has that agency’s Federal Risk and Authorization Management Program moderate level approval. Zoom was sponsored in the FedRAMP approval process by the Department of Homeland Security, according to the company. The authorization allows federal agencies and contractors to securely use Zoom for government video meetings and API integrations, according to the company.
Typically, government-approved versions of commercial off-the-shelf products to not allow for data collection for marketing purposes.
Zoom’s standard product has many newer users in public school environments, since company CEO Eric Yuan removed time limits on the app for elementary and high schools as the COVID-19 pandemic closed down the facilities across the U.S.
Additionally, a company official told the Intercept in a March 31 report that Zoom does not offer end-to-end encryption as it is commonly understood – that is encrypting data between user end points. The content of a video conference hosted by Zoom is potentially visible to the company itself.
An IT manager FCW spoke with about Zoom said they were confident that with the FedRAMP moderate rating that conforms services to FISMA standards, a federal Authority to Operate, and familiarity with the platform, most federal users could be reasonably confident with the platform’s integrity.”