With schools closed and boards of education meeting remotely, the use of videoconferencing platforms such as Zoom has soared. Educators in particular have used such platforms to continue instruction to students.
On April 4, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), which is part of the state Office of Homeland Security and Preparedness, issued a warning that some popular videoconferencing platforms, including Zoom, are vulnerable to hacking.
“Zoom, in particular, has been a target as of late, taking advantage of weaknesses in the platform’s default security and privacy settings,” noted the NJCCIC. “There have been recent incidents of VTC-hijacking, also known as Zoom-bombing, in which unauthorized persons gain access to a teleconference and display lewd, threatening, or otherwise inappropriate images and language.”
Media reports have indicated that some school districts in the country, including the New York City schools, are prohibiting educators from using Zoom.
The NJCCIC has published recommendations to create a more secure videoconferencing environment with Zoom. Recommendations include:
- Require a password for all meetings and securely share that password only with your invited guests. Once a password is set, guests must enter the passcode in order to enter the meeting. This will prevent unauthorized individuals from joining a meeting.
- Use waiting rooms. This allows the meeting host to verify those attempting to gain access to the meeting.
- Do not share your meeting IDs. These are unique to individual users and could be used to determine when a meeting is currently in progress.
- Send links to meetings directly to individuals and do not publicly post meeting links. Publicly posted links could allow unauthorized individuals access to your meeting, particularly when other security settings are not in place.
- Disable participant screen sharing or file sharing. This will prevent others from hijacking your meeting and sharing inappropriate content.
- Lock meetings once everyone has joined. This will prevent unauthorized users from gaining entry while the call is in session.
- Avoid posting photos of your Zoom meetings. This could provide threat actors with the associated meeting ID and information on who is attending your meetings.
- Disable the “Allow Removed Participants to Rejoin” option. If an unauthorized participant is identified and removed, this will prevent them from regaining access to the meeting using the same account.
- Do not use your Facebook or Google account to sign into Zoom. This will help protect your privacy by limiting the amount of information Zoom, Facebook, and Google can collect about you.
- Beware of Zoom-themed phishing emails. These may purport to be from Zoom and direct the recipient to open a malicious link or attachment in order to deliver malware or steal user credentials.
- Keep Zoom updated. Updates may apply enhanced security and privacy features. A recent update enabled meeting passwords by default, for example.
The NJCCIC is encouraging users who discover signs of malicious cyberactivity to contact the NJCCIC via the cyberincident report form.