FBI Issues Warning, NY Attorney General Makes Inquiry After Wave Of Zoom Hijackings

The FBI has issued a warning about the video messaging service Zoom, and the New York Attorney General’s office has made an inquiry into its cybersecurity practices, after a string of disturbing incidents involving takeovers of teleconferences.

Per Agence France-Presse, malicious individuals have been taking advantage of lax security and the surge in teleconferencing during the coronavirus pandemic to pull off a trick called “Zoombombing,” in which they join any public meeting and use the app’s screen-sharing mode to broadcast whatever they want. All Zoom meetings are public by default, and as the Verge noted, the settings to restrict screen sharing to the host of a meeting (or to turn it off after a meeting starts) are buried under menus. This means that anyone who forgets to change these settings, which appears to be an awful lot of people, is vulnerable to Zoombombing.

Trolls have eagerly taken the opportunity to hijack Zoom meetings and broadcast pornography, slurs, and Nazi imagery to everything from religious institutions and corporate meetings to classrooms at schools. In one incident, someone took over a Chipotle meeting on Zoom featuring musician Lauv and promptly flooded it with hardcore porn. Zoom, which has experienced an explosion in downloads during the ongoing period of social distancing, has seemed caught off guard.

On Monday, the FBI’s Boston office issued a warning that it “has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language. As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts.” In the warning, it noted one Massachusetts incident in which an individual joined an online high school classroom hosted on Zoom to yell profanities and reveal the teacher’s home address. Another school reported an incident to the FBI in which a man with “swastika tattoos” joined a meeting; the FBI told anyone who has had a Zoom call hijacked to contact its Internet Crime Complaint Centre.

A spokesperson for the NY Attorney General’s office told AFP that they had sent a letter to Zoom “with a number of questions to ensure the company is taking appropriate steps to ensure users’ privacy and security.” The spokesperson added that they were “trying to work with the company” to prevent future incidents.

This isn’t the first time Zoom has come under scrutiny. On Tuesday, a report in the Intercept found that the service’s guarantee of end-to-end encryption for video meetings (those joined without a mobile device) does not hold: it actually uses transport encryption, which protects data only between client and server and allows Zoom developers to access the unencrypted audio and video content of meetings. (The Intercept noted that, unlike Google, Facebook, and Microsoft, Zoom does not publish transparency reports on how many law enforcement requests for data it receives or how many it complies with.)

Zoom also recently pushed an update to remove code that sent analytics data to Facebook’s Graph API (even when Zoom users didn’t have an account on the social network) under a privacy policy that didn’t make the extent of the sharing clear. That is currently the subject of a class action lawsuit, though whether or not the suit is viable is another question. Zoom also eventually caved last year and patched a “click-to-join” feature that installed an insecure local web server on Macs, one that wasn’t deleted when the app was removed and that allowed remote access to the webcam of any Mac with a current or previous installation of Zoom. The company had initially defended it as a convenience feature.

“We work 24 hours a day to ensure that hospitals, universities, schools and other companies can be connected and operational,” a Zoom spokesperson told AFP. “We appreciate the interest of the New York prosecutor in these matters and are happy to deliver the requested information.”