ZoomRaiding / ZoomBooming
Via our security colleagues at JISC CSirt, we would like to bring to your attention some recent reports in relation to Online Video Conferencing Platforms we have seen. Due to the restrictions related to Covid-19, the use of online video conferencing has seen a significant increase and understandably, organisations are trying to facilitate as many of their previous services and interactions in an online format. However, as with many good intentioned endeavours to include as wide an audience as possible, the opportunity for exploitation exponentially increases with it. We are aware of “Zoom” meetings being specifically targeted by malicious ‘raiding’ groups and so this information should be considered when using such software.
Many conferencing platforms offer the opportunity to host meetings without the need for any other verification other than the link or meeting ID number. In efforts to appeal and incorporate as many individuals as possible, such Meeting ID and Links are publicly shared.
We have received reports over the last few days alerting us to Video Conferences which have been joined by individuals whose sole intent is to cause disruption and distress and upon joining a video conference have then proceeded to display indecent, potentially illegal imagery to the other participants which could constitute an offence under Section 1(1)(b)of the Protection of Children Act 1978.
Therefore we would suggest that you consider cascading the following points and sources of advice to any organisation individuals that may be responsible for hosting/arranging online conferencing in order that requisite safety precautions can be implemented to minimise the risk of such occurrences becoming more widespread.
- Ensure that Meeting Passwords are required to join and that they are not published in an uncontrolled manner.
- Don’t use social media to share conference links as malicious groups can search social media for these meeting ID/links.
- Use the “Waiting “Room” feature to have participants wait until the host arrives and vet participants prior to entering the meeting.
- Limit screen-sharing ability to the host. Using the host controls at the bottom.
- Turn off file transfer: In-meeting file transfer allows people to share files through the in-meeting chat. Toggle this off to keep the chat from getting bombarded with unsolicited pics, GIFs, memes and other content.
- Disable private chat: Zoom has in-meeting chat for everyone or participants can message each other privately. Restrict participants’ ability to chat amongst one another. This is really to prevent anyone from getting unwanted messages during the meeting
- Allow only signed-in/Registered users to join: If someone tries to join your meeting and isn’t logged into a Zoom account, they will receive the message ‘This meeting is for authorised attendees only’.
- Zoom meeting host logging does have IP logging that can record attendees and that IP data can be used to report abuse.
Below are some further sources which detail some of the points listed above:-
If anyone has any further information or would like some additional advice then please contact us at email@example.com