FBI warns on Zoom conference security
- By Mark Rockwell
- Mar 31, 2020
The FBI is warning Zoom video-conferencing platform users to guard against "VTC hijacking" and "Zoom-bombing" by outsiders intent on making threats and offensive displays.
According to the FBI's Boston Division, two Massachusetts high schools reported separate instances of individuals breaking into online classes in late March being conducted via Zoom teleconferencing software. In one incident, said the FBI, an unidentified individual dialed into a videoconference class, yelled out a profanity and the teacher's home address. In the other, a school reported an unidentified individual with swastika tattoos dialing into a Zoom videoconference class.
FBI Special Agent Doug Domin told FCW that unauthorized participants are not just an issue on the Zoom platform. "Other providers have similar platforms," he said, that are just as vulnerable to such intrusion if they're misused.
As telework expands across the U.S., new users unfamiliar with security precautions can unintentionally expose their videoconferences to unauthorized participants.
"Organizations should have policies for VTC" and its associated software, as well as training on how to use it, said Domin. Individual session passwords should be used, even for audio bridges, he said. "The bigger the group, the bigger the possibilities" for unauthorized entry.
"We take the security of Zoom meetings seriously and we are deeply upset to hear about the incidents involving this type of attack," a Zoom spokesman told FCW in an email. "For those hosting large, public group meetings, we strongly encourage hosts to review their settings and confirm that only the host can share their screen. For those hosting private meetings, password protections are on by default and we recommend that users keep those protections on to prevent uninvited users from joining," they said.
The Zoom for Government platform is on the General Services Administration's buying schedule and also has that agency's Federal Risk and Authorization Management Program moderate level approval. Zoom was sponsored in the FedRAMP approval process by the Department of Homeland Security, according to the company. The authorization allows federal agencies and contractors to securely use Zoom for government video meetings and API integrations, according to the company.
Typically, government-approved versions of commercial off-the-shelf products to not allow for data collection for marketing purposes.
Zoom's standard product has many newer users in public school environments, since company CEO Eric Yuan removed time limits on the app for elementary and high schools as the COVID-19 pandemic closed down the facilities across the U.S.
Additionally, a company official told the Intercept in a March 31 report that Zoom does not offer end-to-end encryption as it is commonly understood – that is encrypting data between user end points. The content of a video conference hosted by Zoom is potentially visible to the company itself.
An IT manager FCW spoke with about Zoom said they were confident that with the FedRAMP moderate rating that conforms services to FISMA standards, a federal Authority to Operate, and familiarity with the platform, most federal users could be reasonably confident with the platform's integrity.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at [email protected] or follow him on Twitter at @MRockwell4.