Private companies, independent school districts, institutions of higher learning and governmental bodies are all using Zoom, one of the more popular videoconferencing software downloads since the beginning of the coronavirus outbreak, according to recent market analytics.
App market analytics company App Annie found Zoom in mid-March was downloaded 14 times more than its weekly average at this point last year.
But locally, a recent string of incidents where Zoom meetings have been “hacked” puts the future viability of teleconferencing security in doubt.
On April 2, a virtual town hall hosted by Workforce Solutions that featured officials from the Texas Workforce Commission was disrupted by a “hacking attack” within minutes of broadcasting, according to an email sent out by Workforce Solutions.
The meeting, which intended to provide an opportunity for local employers to get answers about business services and employment law, was inundated with racial slurs and loud music before the meeting was shut down by Workforce Solutions officials.
Workforce Solutions attempted to restart the meeting minutes later only to have it be attacked again, forcing it to be shut down and rescheduled.
Officials from the workforce development organization said in a followup email that some users who registered for the town hall may have received phishing emails, in whcih scammers try to trick users into revealing personal information.
“Thank you for all of your patience and support as we work to reschedule the Virtual Town Hall after the hacking attack on Zoom," said Brian Hernandez, communications director for Workforce Solutions Rural Capital Area, in an April 2 email. "If you registered to attend the session, we’ve been made aware that some attendees have received phishing emails as a result of a Zoom registration vulnerability.”
Workforce Solutions sent out an email April 3 outlining changes it has since made to its videoconferencing protocols. According to the email, Workforce Solutions will not be promoting the rescheduled town hall over social media, instead sending out invites to emails it has verified as legitimate. Further, the town hall will be set up in a way where only the hosts can be seen or heard with questions submitted via the chat function.
The Workforce Solutions town hall incident follows a similar attack on a Zoom meeting hosted by the Heman Sweatt Center for Black Males at The University of Texas at Austin.
On March 30, the Heman Sweatt Center, a faculty-led program that provides support and opportunities for black men at UT Austin, had a Zoom meeting interrupted by users with derogatory usernames who began calling attendees racial slurs.
The Heman Sweat Center for Black Males sends our deepest apologies to those who participated in our first Zoom meeting earlier this afternoon. We are still a space for black men to organize and uplift one another. We denounce the actions of the hackers in our call and are...(1/2) working to better our newly found space on Zoom. If you have any questions or concerns feel free to DM us. We will be sending links for virtual meetings through emails and GroupMe from now on. Thank you for your cooperation. (2/2)
— Heman Sweatt Center for Black Males (@SweattCenter) March 30, 2020
“We are investigating the racist Zoom bombing of a meeting of UT students, staff & faculty," UT President Greg Fenves wrote in a March 30 tweet. "It was reprehensible. If the perpetrators are members of the UT community, they will be disciplined. We will also increase online security for all UT staff to prevent similar incidents.”
According to officials from the university, organizers from that meeting shared the meeting on social media, which made it easier for unauthorized users to enter the meeting.
“We have protocols in place for our classes to help keep them secure, and those were not default,” said J.B. Bird, director of media delations for UT Austin. “We have good security measures that were not in place for that call.”
Bird said Zoom is one of several videoconferencing tools the university employs across its system. UT Austin is hosting its classes completely online now, and Bird said the university logged approximately 9,000 classes on the first day of online education alone. The majority of those classes, Bird told Community Impact Newspaper, are using the online education software Canvas to host classes.
UT Austin will not move away from Zoom following the attack on the Heman Sweatt Center meeting, though Bird said the university has since implemented stronger security measures for calls across the university, including switching-on default security settings for all staff Zoom meetings.
Officials from the city of Austin told Community Impact Newspaper in an email that the city does not use Zoom as its videoconferencing platform.
Austin City Council uses Webex, a Cisco tool, for its meetings. Emily Tuttle, a senior public information specialist for the city of Austin, said Webex was chosen because of its features and security settings.
Increasing Zoom security
On March 30, the same day the Heman Sweatt Center Zoom meeting was attacked, the Federal Bureau of Investigations published a document reporting multiple instances of videoconferencing hijacking—also called “Zoom-bombing,” according to the post.
According to the FBI post, a Massachusetts-based high school reported that a class being taught over Zoom was interrupted by an unidentified individual, who began yelling profanity before shouting out the teacher’s home address. In another incident at a school in Massachusetts, a Zoom meeting was accessed by an unidentified individual, who was seen displaying swastika tattoos over video.
In its March 30 post, the FBI shared recommendations and steps to strengthen videoconferencing security. According to the FBI, meeting hosts on Zoom should decline to make meetings or classrooms public and should not share meeting links in any publicly available social media posts.
Further, the FBI encouraged meeting hosts to make use of options to manage screen sharing and recommended that all users update their videoconferencing software to its most current version.
The FBI asked anyone who is a victim of teleconferencing or hijacking to report the incident to the FBI’s Internet Crime Complaint Center, which can be found here.
The University of California at Berkeley also posted recommendations on its website for Zoom users to strengthen security protocols. The university provided instructions to manage participants, including disabling video, disabling private chat, locking the meeting to outside participants and enabling Zoom’s “Waiting Room” feature, which stops guests from joining until the host is ready, among other tips.
You can find UC Berkeley’s Zoom security recommendations here.
Note from the editor: This article has been updated to include information from Workforce Solutions Rural Capital Area.
