Zoom Takes on Zoom-Bombers Following FTC Settlement

The videoconferencing giant has upped the ante on cybersecurity with three fresh disruption controls.

Zoom has once again upped its security controls to prevent “Zoom-bombing” and other cyberattacks on meetings. The news comes less than a week after Zoom settled with the Federal Trade Commission over false encryption claims.

Two of the new features allow moderators to act as “club bouncers,” giving them the ability to remove and report disruptive meeting participants. The “Suspend Participant Activities” feature is enabled by default for all free and paid Zoom users; and, meeting participants can also report a disruptive user directly from the Zoom client by clicking the top-left “Security” badge.

Separately, the videoconferencing giant also rolled out an internal tool that acts as a filter, preventing meeting disruptions (like Zoom-bombing) before they happen.

Removing Disruptive Participants

Under the Security icon, hosts and co-hosts now have the option to temporarily pause their meeting and remove a disruptive participant or Zoom-bomber, according to a Monday Zoom blog posting.

“By clicking ‘Suspend Participant Activities,’ all video, audio, in-meeting chat, annotation, screen-sharing and recording during that time will stop, and Breakout Rooms will end,” the company explained. “The host or co-host will be asked if they would like to report a user from their meeting, share any details and optionally include a screenshot.”

Once the reporter clicks “Submit,” the offending user will be removed from the meeting, and hosts can resume the meeting by individually re-enabling the features they’d like to use.

“Zoom’s Trust & Safety team will be notified,” according to the post. “Zoom will also send them an email after the meeting to gather more information.”

As for the second enhancement, account owners and admins can enable reporting capabilities for non-host participants, so that they can report disruptive users from the Security icon (hosts and co-hosts already have this capability).

Both of the new controls are available on the mobile app, and for Zoom desktop clients for Mac, PC and Linux.

Support for the web client and virtual desktop infrastructure (VDI) will be rolling out later this year, the company said. VDI is a server-based computing model offered by vendors such as Citrix and VMware; Zoom’s app for this environment allows meetings to be delivered to a thin client.

At-Risk Meeting Notifier

The internal tool, dubbed the “At-Risk Meeting Notifier,” scans public social-media posts and other websites for publicly shared Zoom meeting links – an exposure that can lead to Zoom-bombing.

Zoom-bombing is a trend that began earlier in 2020 as coronavirus lockdowns led to massive spikes in the videoconferencing service’s usage. Zoom saw its user base rocket from 10 million in December 2019 to 300 million in April during the ramp-up of the COVID-19 pandemic and a shift to remote work. These attacks occur when a bad actor gains access to the dial-in information and “crashes” a Zoom session – often sharing adult or otherwise disturbing content.

To thwart these kinds of attacks, the new tool can detect meetings that appear to have a high risk of being disrupted, Zoom said – and it automatically alerts account owners by email of the situation, providing advice on what to do.

That advice includes deleting the vulnerable meeting and creating a new one with a new meeting ID, enabling security settings, or using another Zoom solution, like Zoom Video Webinars or OnZoom.

“As a reminder – one of the best ways to keep your Zoom meeting secure is to never share your meeting ID or passcode on any public forum, including social media,” according to the company’s post.
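The notifier described above works by spotting meeting links that were posted publicly. The following added example (not Zoom’s tool, and not code from the article) shows the same kind of check from the defender’s side: a pre-publication scanner that flags a draft post containing a Zoom join link or meeting ID, rates the exposure higher when the passcode is embedded in the link, and returns the article’s own remediation advice. It assumes the common join-link shape `https://<subdomain>.zoom.us/j/<meeting id>?pwd=<passcode>`; the sample posts are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed join-link shape: https://<subdomain>.zoom.us/j/<9-11 digit id>[?pwd=<passcode>].
JOIN_LINK = re.compile(
    r"https?://(?:[\w-]+\.)*zoom\.us/j/(?P<id>\d{9,11})(?:\?[^\s]*?pwd=(?P<pwd>[\w.-]+))?",
    re.IGNORECASE,
)
# A meeting ID typed out next to the words "Meeting ID", e.g. "Meeting ID: 123 456 7890".
BARE_ID = re.compile(
    r"\b(?:meeting\s*id|id)\b\s*[:#]?\s*(\d{3}\s?\d{3,4}\s?\d{3,4})\b", re.IGNORECASE
)

@dataclass
class Finding:
    meeting_id: str
    risk: str    # "high" when ID and passcode are exposed together, otherwise "medium"
    reason: str

def scan_text(text: str) -> list[Finding]:
    """Return one Finding per distinct meeting ID exposed in a piece of public text."""
    findings: dict[str, Finding] = {}
    for m in JOIN_LINK.finditer(text):
        mid = m.group("id")
        if m.group("pwd"):
            findings[mid] = Finding(mid, "high", "join link with embedded passcode")
        elif mid not in findings:
            findings[mid] = Finding(mid, "medium", "join link without passcode")
    for m in BARE_ID.finditer(text):
        mid = re.sub(r"\s", "", m.group(1))
        if mid not in findings:
            findings[mid] = Finding(mid, "medium", "meeting ID posted as plain text")
    return list(findings.values())

def advise(finding: Finding) -> str:
    """Remediation in line with the article: new meeting ID, security settings on, keep links private."""
    base = "delete this meeting, schedule a new one with a new meeting ID, and enable its security settings"
    if finding.risk == "high":
        return f"{finding.reason}: {base}; the passcode is public, so it no longer protects the room"
    return f"{finding.reason}: {base}; never post the ID or passcode on a public forum"

# Constructed sample posts (not real meetings).
SAMPLE_POSTS = [
    "Join our town hall: https://us02web.zoom.us/j/98765432100?pwd=Q29uc3RydWN0ZWQ",
    "Weekly standup, Meeting ID: 123 456 7890, passcode sent by email",
    "Great talk today, see you all next week!",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        for f in scan_text(post):
            print(f"[{f.risk}] {f.meeting_id}: {advise(f)}")
```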

FTC Encryption Settlement

Last week, the Federal Trade Commission (FTC) announced a settlement with Zoom, requiring the company “to implement a robust information security program to settle allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.”

The FTC alleged that since at least 2016, Zoom falsely claimed that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.

While plain “encryption” typically means only that messages are encrypted in transit (so the provider can still decrypt them on its own servers), true end-to-end encryption (E2EE) occurs when the message is encrypted on the source user’s device, stays encrypted while it’s routed through servers, and is decrypted only on the destination user’s device. No other person – not even the platform provider – can read the content.

Zoom has now agreed to an FTC requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and “other detailed and specific relief.”

“The fines imposed by the FTC are a prime example of the type of actions companies are going to face when they do not take security in their products seriously,” Tom DeSot, executive vice president and CIO of Digital Defense, said via email. “Zoom unfortunately ended up being the poster child for how not to handle things when vulnerabilities are found in commercial products.”

And indeed, Zoom has faced various controversies around its encryption policies over the past year, including several lawsuits alleging that the company falsely told users that it offers full encryption. Then, the platform came under fire in May when it announced that it would indeed offer E2EE — but to paid users only. The company later backtracked after backlash from privacy advocates, who argued that security measures should be available to all. Zoom will now offer the feature to free/“Basic” users.

The first phase of its E2EE rollout began in mid-October; it aims to give users initial access to the feature while Zoom gathers feedback on its policies. Users will need to turn the feature on manually.

“We’re pleased to roll out Phase 1 of 4 of our E2EE offering, which provides robust protections to help prevent the interception of decryption keys that could be used to monitor meeting content,” said Max Krohn, head of security engineering with Zoom, in a post at the time.
