ZOOM Alert - Protect Yourself from ZOOM Bombing attacks

Note: This is a re-post of this article over at Bleeping Computer’s website.

ZOOM has been in the news recently for concerns over its lack of end-to-end encryption, privacy concerns regarding data it's sharing with Facebook, and most recently the increase in ZOOM meeting bombings, or unwanted intrusions.

ZOOM-bombing is when someone gains unauthorized access to a Zoom meeting to harass the meeting participants in various ways, to spread hate and divisiveness, or to record pranks that will later be shown on social media.

Just yesterday, the FBI released an advisory warning Zoom users that they should properly secure their browsers from Zoom-bombing attacks.

“The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language,” the alert published by the FBI warned.

Here are some simple steps you can take to keep this from happening to you when using ZOOM.

Securing your Zoom meetings

Now that you know the potential privacy risks of using Zoom, before scheduling a meeting with friends or coworkers, you can familiarize yourself with the various ways you can secure Zoom meetings using the steps below.

Add a password to all meetings!

When creating a new Zoom meeting, Zoom will automatically enable the “Require meeting password” setting and assign a random 6-digit password.


You should not uncheck this option as doing so will allow anyone to gain access to your meeting without your permission.

Use waiting rooms

Zoom allows the host (the one who created the meeting) to enable a waiting room feature that prevents users from entering the meeting without first being admitted by the host.

This feature can be enabled during the meeting creation by opening the advanced settings, checking the ‘Enable waiting room’ setting, and then clicking on the ‘Save’ button.

[Image: Enable waiting room setting]

When enabled, anyone who joins the meeting will be placed into a waiting room where they will be shown a message stating “Please wait, the meeting host will let you in soon.”

The meeting host will then be alerted when anyone joins the meeting and can see those waiting by clicking on the ‘Manage Participants’ button on the meeting toolbar.


You can then hover your mouse over each waiting user and ‘Admit’ them if they belong in the meeting.


Do not share your meeting ID

Each Zoom user is given a permanent ‘Personal Meeting ID’ (PMI) that is associated with their account.

If you give your PMI to someone else, they will always be able to check if there is a meeting in progress and potentially join it if a password is not configured.

Instead of sharing your PMI, create a new meeting each time and share it with participants as necessary.

Disable participant screen sharing

To prevent your meeting from being hijacked by others, you should prevent participants other than the Host from sharing their screen.

As a host, this can be done in a meeting by clicking on the up arrow next to ‘Share Screen’ in the Zoom toolbar and then clicking on ‘Advanced Sharing Options’ as shown below.


When the Advanced Sharing Options screen opens, change the ‘Who Can Share?’ setting to ‘Only Host’.


You can then close the settings screen by clicking on the X.

Lock meetings when everyone has joined

If everyone has joined your meeting and you are not inviting anyone else, you should Lock the meeting so that nobody else can join.

To do this, click on the ‘Manage Participants’ button on the Zoom toolbar and select ‘More’ at the bottom of the Participants pane. Then select the ‘Lock Meeting’ option as shown below.


Do not post pictures of your Zoom meetings

If you take a picture of your Zoom meeting, then anyone who sees this picture will be able to see its associated meeting ID. This can then be used by uninvited people to try and access the meeting.

For example, the UK Prime Minister Boris Johnson tweeted a picture today of the “first ever digital Cabinet” and included in the picture was the meeting ID.


This could have been used by attackers to try and gain unauthorized access to the meeting by manually joining via the displayed ID.

Thankfully, the virtual cabinet meeting was password-protected, but this does illustrate why all meetings need to use a password or at least a waiting room.

Do not post public links to your meetings

When creating Zoom meetings, you should never publicly post a link to your meeting.

Doing so will cause search engines such as Google to index the links and make them accessible to anyone who searches for them.

As the default setting in Zoom is to embed passwords in the invite links, once a person has your Zoom link they can Zoom-bomb your meeting.
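A pre-publication check for the two leaks described above (a visible meeting ID, and an invite link with the password embedded), as an added example that is not part of the original article. The `/j/<id>?pwd=` link shape and the 9 to 11 digit ID length are assumptions about Zoom's format, and the sample draft is constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Assumption: meeting IDs are 9 to 11 digits, often grouped with spaces or dashes.
ID_RE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3,4}[ -]?\d{3,4}(?!\d)")

# Constructed sample of a draft social-media post (not real meeting data).
DRAFT = """Team social on Friday!
Join: https://us02web.zoom.us/j/12345678901?pwd=EXAMPLEtoken123
Or dial in with meeting ID 987 654 321.
Agenda: https://example.com/agenda/2020
"""

def audit_draft(text):
    """Return (kind, meeting_id) findings for text about to be published."""
    findings = []
    remainder = text
    for raw in URL_RE.findall(text):
        # Blank out every URL so its digits are not re-reported as bare IDs.
        remainder = remainder.replace(raw, " ")
        url = urlparse(raw.rstrip(".,;)"))
        host = (url.hostname or "").lower()
        # Only zoom.us and its subdomains count; look-alike hosts are ignored.
        if host != "zoom.us" and not host.endswith(".zoom.us"):
            continue
        m = re.fullmatch(r"/j/(\d{9,11})/?", url.path)
        if not m:
            continue
        # A non-empty pwd parameter means the link alone admits the holder.
        has_pwd = bool(parse_qs(url.query).get("pwd"))
        findings.append(("link-with-password" if has_pwd else "link", m.group(1)))
    # Heuristic: phone numbers can match too, so treat these as prompts to review.
    for m in ID_RE.finditer(remainder):
        findings.append(("possible-meeting-id", re.sub(r"\D", "", m.group(0))))
    return findings

if __name__ == "__main__":
    for kind, meeting_id in audit_draft(DRAFT):
        print(f"{kind}: {meeting_id}")
```
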

Be on the lookout for Zoom-themed malware

Since the Coronavirus outbreak, there has been a rapid increase in the number of threat actors creating malware, phishing scams, and other attacks related to the pandemic.

This includes malware and adware installers being created that pretend to be Zoom client installers.


To be safe, only download the Zoom client directly from the legitimate Zoom.us site and not from anywhere else.
