As reports of “Zoom bombing” explode, the FBI is cracking down on the issue with a new warning that web conference hijackers could face jail time.
Authorities say that anyone who hacks into a teleconference meeting can be charged at the state and federal level. Charges can include the disruption of a public meeting, computer intrusion, using a computer to commit a crime, hate crimes, fraud, or transmitting threatening communications. These are punishable by fines and even imprisonment, according to the FBI.
“You think Zoom bombing is funny? Let’s see how funny it is after you get arrested,” stated Matthew Schneider, United States Attorney for Eastern Michigan in a Friday public statement. “If you interfere with a teleconference or public meeting… you could have federal, state, or local law enforcement knocking at your door.”
The coronavirus pandemic is driving more businesses and schools to “flatten the curve” by going remote, and thus using Zoom and other web conferencing platforms. Trolls are taking advantage of this by hijacking online meetings in order to spread hate speech such as racist messages, threats of sexual harassment, and pornographic images, which have reportedly driven meeting participants offline or forced meetings to be abruptly cancelled.
A recent report by ZDNet recently pointed to attackers gathering in online communities (such as Discord, Reddit and more) to share Zoom conference codes or make Zoom bombing requests against certain online classes, for instance. Many of these attackers are teenagers, according to a recent PCMag report, with some even live streaming their attacks on Twitch.
Our video call was just attacked by someone who kept sharing pornography + switching between different user accounts so we could not block them. Stay tuned for next steps. And I am sorry to everyone who experienced. We shut down as soon as we could.
— Jessica Lessin (@Jessicalessin) March 20, 2020
The FBI last week warned of multiple reports of conferences being disrupted by pornographic or hate images and threatening language, in so-called “Zoom-bombing” attacks. These include a Massachusetts high school online classroom using Zoom, where an unidentified individual dialed in, yelled a profanity and then shouted the teacher’s home address in the middle of instruction, said the FBI’s report. Also last week, the Bath City Council was forced to end its first online meeting after the video conference was bombarded with pornographic images and profane language.
Some have even prohibited use of the video-conferencing app — including, according to Reuters, Elon Musk’s SpaceX rocket company, which cited “significant privacy and security concerns,” as well as New York school districts
Many of the attacks occur because web conferences are hosted on public channels and shared over the internet via URLs, making them accessible to anyone. It’s easy for attackers to guess the correct URL or meeting ID for a public Zoom session – and even easier if Zoom hosts haven’t created passwords for their meetings.
Zoom users can protect themselves by making sure “Require meeting password” is checked in settings, to require password authentication when users enter the meeting. Hosts can also enable “Check Only authenticated users can join” to ensure that all participants are logged into Zoom accounts. The developers of Zoom for their part have cautioned users to avoid sharing Zoom meeting links publicly (on social media) and to always make sure passwords are implemented.
“As more people use our platform and host their virtual events using Zoom, we wanted to offer up tips to ensure everyone joining an event does so with good intentions,” according to a recent Zoom blog post. “Like most other public forums, it’s possible to have a person (who may or may not be invited) disrupt an event that’s meant to bring people together.”
Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.